Feature Requests

Request: Support STO verification for container images that were signed outside of STO. Problem: Today, STO verification only works if the image was signed by STO. Many teams already sign images using other tools in their CI/CD pipelines. This requirement prevents them from using STO verification unless they change their existing signing process. Proposed Solution: Allow STO verification to validate images signed by external signing tools or trusted authorities, instead of requiring STO to perform the signing.

We are updating our Sonarqube Server installation to 2025.5.0 shortly and have been given a recommendation that clients interacting with that should use sonar-scanner version 7.1.0 to prevent incompatibility issues. We would like the builtin Sonarqube scan step/plugin to be updated to allow us to specify the updated sonar-scanner version, or use the newer version by default.

When pulling issue details from the API, there is no way to differentiate if an issue is existing, is net new, or is a new occurrence. We have a need to only flag via policy "New" issues, and currently there is no good api support for this.

Create a Ticket in STO Vulnerabilities is a great feature. Unfortunetaly the form itself is too basic, different JIRA issue types can have varying mandatory fields. In our case creating a ticket for a vulnerability requires a Parent and Team fields, creating a ticket fails because of those missing fields. It would be great if we can add those for our account even if its a simple text input, we can look up a Team in JIRA and the Epic needed. In the future: ideally upon selecting the issue type, the request needs to happen to jira api to fetch mandatory/optional fields for selected issue type, then a dynamic form should render.

STO Create Ticket Modal is a great feature to quickly add JIRA tickets to exempted vulnerabilities. Unfortunately it only allow Project, Issue Type, Title, and Notes fields. Our requests fails with: { "Message": "Bad Request: Jira responded with \"Bad Request: Field Team is required., Field Parent is required.\"", "Status": 400 } It would be critical for us to assign the issue to a parent Epic (as most organizations need to) and to proper Team (this field may be different between some other orgs). Dynamically fetching requried fields for a given Issue type would be the best practice here. Let us know if we can provide any more info

( Demo license ) Automation access for testing purposes for UI application and performing testing. My email address: maxim.pavlov@dish.com .

Need base image detection feature to be available for ingestion mode scans. The current feature supports orchestration mode scans. ETA of the feature ?

Harness Wiz step plugin support with Wiz CLI v1.x

Invicti is globally used by us. We would appreciate DAST Scanning support in Harness. https://www.invicti.com/

I would like to be able to export into excel the occurrence details for issues (file name, line number, etc.) so that I may pass these to developers. I'm only able to get the number off occurrences when creating a dashboard, but not the occurrence details.