Feature Requests

Coming from a customer request, they would like the ability to perform similar policy-based STO enforcement on their NexusIQ scans. They would also like a template-step experience for it as well. https://developer.harness.io/docs/security-testing-orchestration/sto-techref-category/sonarqube-sonar-scanner-reference/#view-sonarqube-code-coverage-results https://help.sonatype.com/en/policy-violation-rest-api.html

Feature request to support using Google scan natively in STO. Currently it seems that scan result ingestion is not supported, even when attempting to use JSON format. Is there any plans to support Google scans in the near future? Here is what we attempted: We created a custom step in our template to utilize a service account with the proper permissions to use "gcloud artifacts docker images scan" command output format to JSON. We then got the scan id result to use with the next command "gcloud artifacts docker images list-vulnerabilities" and also convert it to JSON file. However, the next step to use a custom ingestion for the security test does not work and ends up in a "Failed to load raw issues: Expecting value: line 1 column 1 (char 0)" error.

Need ability to mail the prisma scan results to person who intitated the build

Currently, SonarQube plugin doesn't report all the metrics. Add additional metrics like: Security, Reliability, Maintainability, Duplications for a particular branch upon which we can create OPA policies for the pipeline. Eg: Code duplications: https://next.sonarqube.com/sonarqube/web_api/api/duplications

We found information on the official Veracode website indicating that the --baseline-file flag can be used. This flag specifies the location of a JSON file containing results from a previous scan, with the default filename being result.json. To create a baseline file, the --results-file flag must also be included. However, when we attempted to use the --baseline-file or baseline-file result.json flag, it was marked as invalid. Could you please consider adding support for the Baseline File flag in the Veracode Scan?

In harness STO, user is not able to raise the multiple exemptions at once if there is more than one vulnerability in a pipeline.

We have done STO Sonar integration for our dotnet services and it has been working fine. We are trying to do the same for our windows services, but I'm getting the below error in the Initialize step, 'Back-off pulling image " gcr.io/gcr-prod/harness/sto-plugin:latest "' As suggested in the ticket ( https://support.harness.io/hc/en-us/requests/63663 ), I'm applying Ingestion method for the Sonar and Veracode STO evaluations. https://app.harness.io/ng/account/H6rHO8vtQYKelD_wgjnMpA/all/orgs/AODevSecOps/projects/SandBox/pipelines/POCWindows2/executions/QiCniWtjS5WGL9vP_xAvJA/pipeline?storeType=INLINE Later, we came to know that STO ingestion with Windows OS is only supported when you run the build on Harness cloud. But we are running on our own k8s cluster. Hence I'm submitting this feature request to get the STO support for windows. Regards, Janish

Burpsuite Enterprise offers two authentication methods, "Credential Login (Username/Password)" and "Recorded Login" Harness currently is supporting the credential login method, A feature for using "Recorded Login" while initiating the scan from Harness will be useful where a normal authentication method is not working. As almost 50% of the applications are only working with "Recorded Logins"

We would like to see JForg Xray security tests step in Harness as out of the box capabilities for docker and file type artifact scan.

The caching steps that are available in the CI module should also be available in the security module. These are particularly handy for SCA scans that download the dependencies before performing the scans.