harness - The Modern Software Delivery Platform®
Feature Requests
Feature Requests for Harness. Select 'Category' based on the module you are requesting the feature for.
Gitleaks in IACM Stage
We would want to enforce Secrets prevention scanning of IaC code with Gitleaks before deployment in an IACM stage, thanks.
0
·
Security Testing…
3
Prowler V5 ASFF ingestion requires incorrect product_name
We are scanning with Prowler V5, which generates reports in .json.asff format.
Issue: Setting product_name: prowler fails to ingest the report. We are forced to use product_name: aws_security_hub to successfully ingest the file.
Problem: Because we have to use the Security Hub parser, the Harness UI incorrectly labels the scanner as "AWS Security Hub" instead of "Prowler" (see attached screenshot).
Request: Please update the prowler parser to support .json.asff files so we can ingest these reports under the correct scanner name.
Failed execution with prowler product name: https://app.harness.io/ng/account/kTcDr-37TtqE3qs0P3Mltg/all/orgs/default/projects/analytics_external_violations_service/pipelines/analytics_external_violations_service_sto_pipeline/executions/6WAA-8qHQ-ilFn7Ej9oB9g/pipeline?storeType=INLINE
Successful execution with AWS Security Hub product name: Above pipeline (Build Id: 252)
1
·
Security Testing…
1
Allow Snyk Step in Orchestration Mode to Disable Monitor
Please allow snyk monitor and snyk container monitor to be disabled when using the Snyk STO step in "orchestration" mode with either "Snyk Container" or "Snyk Open-Source" set as the scan configuration. When performing lots of builds, it is not always necessary to have Snyk itself monitor each output and calling monitor on every build where scanning means Snyk itself becomes polluted with unwanted data.
0
·
Security Testing…
1
Support for cross scanner de-duplication in STO
Currently Harness STO supports deduplication for the issues present in the same scanner report, but if we are scanning the same code with multiple scanners, it is not deduplicating it. Please add support for it as it is critical for us and we can't rely on the report from a single scanner.
0
·
Security Testing…
1
Base Image Detection feature for Ingestion mode scans
Need base image detection feature to be available for ingestion mode scans. The current feature supports orchestration mode scans. ETA of the feature?
6
·
Security Testing…
·
long-term
2
Provide a FIPS-compliant twistlock-job-runner image for Harness STO
## Summary
Add an officially supported FIPS-compliant container image variant for twistlock-job-runner used by Harness STO, so regulated environments can run Prisma/Twistlock scans while meeting compliance requirements.
## Problem / Why it matters
Many organizations operating under FIPS compliance cannot use non-FIPS images in CI/CD scanning workflows. Today, the lack of a supported FIPS-compliant twistlock-job-runner blocks adoption of STO in regulated environments and prevents upgrades to newer runner versions required for feature improvements and accuracy parity.
## Desired outcome
* A supported FIPS-compliant twistlock-job-runner image (or equivalent) is published and maintained.
* Clear documentation on:
  * Supported tags/versions
  * How to enable/use the FIPS image in STO pipelines
  * Compatibility notes and support policy
0
·
Security Testing…
1
New Code Coverage from Sonarqube
Pull New Code Coverage from Sonarqube API and add as output variable Sonarqube
1
·
Security Testing…
·
pending feedback
0
Add “Is Pipeline Deleted” filter to STO Dashboard Visualizations
In the STO dashboard (across all visualizations), please add a field or dimension or as a filter that indicates whether a pipeline has been deleted. This is needed because, in some executions, severity data is still displayed even though the corresponding pipeline has already been deleted. Having this indicator would help clarify the state of such executions and avoid confusion.
2
·
Security Testing…
·
under review
1
Enable IaC Scanning Integration with WIZ and Support STO for IaC Scanning
We would like Harness to provide native support for Infrastructure-as-Code (IaC) scanning as part of its security testing orchestration (STO) capabilities. Specifically:
Integration with WIZ: Allow a plugin or connector for WIZ to perform IaC scanning during pipeline execution.
STO Support for IaC Scanning: Extend STO functionality to include IaC scanning checks, enabling security posture validation for Terraform, CloudFormation, and other IaC templates.
2
·
Security Testing…
·
pending feedback
1
STO - Security Exemption Limitations
Currently, when a user is added at the Account level and subsequently granted Role Binding at the Project level, the user details of the requester or approver in Security Exemption are not visible to the user. We’ve identified that users need Account-level User View access to view the Security Exemption users. To address this, we require that Security Exemption views be made compatible with Project level User View access.
6
·
Security Testing…
·
in progress
3