Feature Requests

Requesting an API to see what vulnerabilities users have exempted. We want to use this information/API to prevent a compliance finding that our firm creates when a critical or high vulnerability is found in the pipeline and not resolved for OSS and SSAP scans found using Snyk. Currently, there are known "false positives" that users cannot resolve and we to use the exemption API to know what users have exempted and if it is in the list of our "false positives" to prevent the creation of a compliance finding.

One use case for an SBOM we would like to see on Harness is the ability to query a specific dependency and be able to see all applications that are using this depedency. If something like a day 0 vulnerability appears in a dependency, then we will be able to flag all applications that are using it. Note: This feature would be best suited to be in the Supply Chain Security module, but since that was not an option above, the Security Testing Orchestration module is the closest one.

We have requirement for additional tags in Sarif file for various use cases, we would like to filter the results of the vulnerabilities displayed on STO to developers based on those additional tags present in Sarif file. Request to kindly provide us the capability to add filter based on Sarif additional tags. Couple of examples where our teams are adding additional tags in Sarif file.: - Display only P1 Critical CISA KEV (Knowln exploited vulnerabilities) Display only actionable vulnerabilities to developers Display app/framework/base image vulnerabilities.

Invicti is globally used by us. We would appreciate DAST Scanning support in Harness. https://www.invicti.com/

Good day Harness team, we would like to request the activation of these two feature flags please. PL_CENTRAL_NOTIFICATIONS STO_EXEMPTION_NOTIFICATION

Due to long running executions within the STO stage, there is a requirement to support timeout values >24 hours. The lack of this feature is leading to pods getting evicted. The CI_ENABLE_LONG_TIMEOUTS is limited to CI stages and needs to be extended to STO.

This is related to the STO Exemption request. The user provided the requested information, such as the duration and reason, and submitted the Exemption request. Currently, you can view the exemption description details in the pipeline UI by clicking on the vulnerability that was exempted and then clicking on the eye icon at the top to see the description. We are looking to display the exemption description directly in the Exemption UI.

In an STO pipeline with multiple stages, if any stage fails, the vulnerabilities tab does not display the scan results when the pipeline is re-run—even though the results were available in the original run. Please update this behavior so that the results are also shown on the rerun.

Ability to send email notification to concern team when a vulnerability is nearing SLA and breached SLA for DAST Manual pentest ingestions.

When viewing exemptions at the account level, it would be helpful to have filters to view exemptions tool-wise. Additionally, having the option to filter by the requester would be an added advantage, as it would allow us to quickly fetch details for a specific tool raised by a particular person.