Feature Requests

I would like to place a bug report for hopefully then next upgrade to the Anchore Plugin. The current plugin is extremely limited, at least as far as I can tell. We would like to have the anchorectl switch -t non-os working so that CVE's shown to our deveopers in Security Tests will only show the application data CVEs that they need to be concerned with. An example from cli might be like the following: anchorectl image add rockylinux:9-ubi | anchorectl image vulnerabilities rockylinux:9-ubi -t non-os The standard command is as follows: "anchorectl image vulnerabilities myimage:latest -t non-os". So this is the image vulnerability scan which is likely different to the add command being used by the plugin. "anchorectl image add myimage" "anchorectl image vulnerabilities myimage -t non-os -o json" To be clear it needs to do both. Add the image then create a report with non-os data converted to Harness acceptable for ingest

Mend has a newer CLI tool and v3.0 API, and is compatible with Mend’s SCA, SAST, and Container scanners We'd like to have the Mend Runner updated, so that these new functions can be utilized

Good Day, we are currently using Anchore via your image which uses anchorectl to generate a Security Testing report. The report is being created without issue. However, the report includes the base layer of the image as well as application data. We would like the report to only show the application data layer. For example we have things like VIM or Ubi8 os related library file CVEs. This is confusing our customers as they are only concerned with there application data and what they need to remedy within their source code. Thank You.

Needed: Ability to notify the originator of an exemption (via email) when the state of his or her exemption request changes (Denied/Approved). Nice-to-have: Additional ability to include project owners/user-subset specified by role in those notifications.

STO has it's own way of calculating vulnerabilities than that of the scan tool. We'd like the ability to use the specific calculation of the scan tool instead of what STO returns. For example, we have a medium severity vulnerability reported by Prisma Scan that Harness is reporting as high/critical. Although Harness does provide the raw scan results from the scanner, we'd like the ability to set the default results to be from Prisma instead of taking the calculation from STO in the Harness UI.

As a user of Harness Security Testing Orchestration (STO), I would like the ability to change or edit the severity of findings identified during security scans. Since the severity is not matching as per our considerations and the actual risk in our environment. Add an option to edit the severity of a finding directly from the findings dashboard. Implement role-based permissions to control who can change the severity of findings.

Burpsuite Enterprise has a facility to create custom scan configurations for scanning. Currently Harness only allows to select the default scan configurations given by Burp but there is no ability to select custom scan configurations. This would be essential as each type of application needs a different type of scan configuration in order to perform a better scan.

Following type of URLs are needed to added into the Scan Configuration before starting a scan to define a proper scope of the scan. Defining a proper scope is essential as this helps in including or excluding URLs from the scan. Types: Start URLs In-Scope URLs Out-of-scope URLs

Anchore Enterprise in our organization uses project specific contexts to store scans and image data. To support ingestion from different contexts (using service accounts at the all-users level), we require the ability to set the X-Anchore-Account header in the HTTPS request to the API with values specifying the context within the account to apply the queries to.