Feature Requests

Currently Harness creates individual k8s secrets for each cert that is part of the same cert bundle and when the certs bundle has more certs, it results in corresponding number of individual secrets referenced in a single pod which causes init delays. Can we consolidate certs into single k8s secret instead of creating individual secrets?

Security teams at Enterprise companies standardize on a singular tool like OnSpring for exemption management and if Harness could have that integrated with STO, it would be easier for all exemptions in a centralized place.

Currently Harness STO module does not have option for ORCA integration for vulnerability scan. Raising this enhancement request to support this integration.

Coming from a customer request, they would like the ability to perform similar policy-based STO enforcement on their NexusIQ scans. They would also like a template-step experience for it as well. https://developer.harness.io/docs/security-testing-orchestration/sto-techref-category/sonarqube-sonar-scanner-reference/#view-sonarqube-code-coverage-results https://help.sonatype.com/en/policy-violation-rest-api.html

add support for the aqua trivy fs (file system) scan which scans a code repo/files. https://trivy.dev/v0.51/docs/target/filesystem/

Add aqua security on-prem support, which requires adding auth support for username/password. Confirmed with Aqua Security, our partner, than the on-prem does not support long-lived tokens and just the username and password for auth. Today aqua security native STO step only support SaaS version and auth method as Token.

We would to leverage “Dastardly” DAST tool in Harness. Pls do the needful. Dastardly: https://portswigger.net/burp/dastardly

Currently STO module isn't listed in the selection of resources within resource group. Although the users have the necessary roles assigned to the view entities within STO, they will need have "all" the resources selected in the resource groups if not they are presented with a 403 forbidden error on the UI. Having granularity to select STO objects will be beneficial.

Currently the prisma STO step is marked as success even if "Vulnerability threshold check" result is "failed". We need to ensure that the execution fails if the "Vulnerability Threshold Check" fails.

I would like to place a bug report for hopefully then next upgrade to the Anchore Plugin. The current plugin is extremely limited, at least as far as I can tell. We would like to have the anchorectl switch -t non-os working so that CVE's shown to our deveopers in Security Tests will only show the application data CVEs that they need to be concerned with. An example from cli might be like the following: anchorectl image add rockylinux:9-ubi | anchorectl image vulnerabilities rockylinux:9-ubi -t non-os The standard command is as follows: "anchorectl image vulnerabilities myimage:latest -t non-os". So this is the image vulnerability scan which is likely different to the add command being used by the plugin. "anchorectl image add myimage" "anchorectl image vulnerabilities myimage -t non-os -o json" To be clear it needs to do both. Add the image then create a report with non-os data converted to Harness acceptable for ingest