Feature Requests

Similar to STO, we are requesting for the Supply Chain Security module to allow for license exemption by component. Requesting the person who created the exemption be different then the person who approves the exemption. Additionally requesting the ability to exempt by project, org, or account level depending on if the role access is for a project, org, or account level access.

Request to enhance the Harness supply chain supply module by integrating LicenseConditions attributes into the Harness UI, enabling visibility and filtering. Requested Enhancement: Add the following LicenseConditions attributes as columns in the Harness UI: name description message additionalGuidance Filtering Capability: Enable users to filter supply chain items based on these LicenseConditions attributes Rationale: Improves transparency and compliance tracking by making license conditions easily accessible. Allows users to quickly identify and act on supply chain items with specific license requirements or guidance. Streamlines workflow by enabling targeted filtering and sorting. Example UI Change: Add new columns for each attribute in relevant supply chain tables. Provide filter options for each attribute (e.g., search by name, filter by guidance). Impact: Enhances user experience and compliance management. Reduces manual effort in tracking license conditions. Example JSON { "spdxId": "MIT", "name": "MIT License", "legalStatus": "Approved", "policyColorDesignation": "GREEN", "policyColorMessage": "Does not trigger copyleft obligations. Generally ok to proceed as long as minor obligations (attribution, etc.) are complied with.", >>>> "licenseConditions": [ { "name": "must_attribute", "description": "Need to Attribute", "message": "\"Need to Attribute\" means distribution requires attribution through copyright notice, as specified by the license", "additionalGuidance": null },

We need OIDC to work with GAR artifacts in SBOM, but need it overall with Supply Chain Security https://developer.harness.io/docs/artifact-registry/dependency-firewall/overview/

Hi Team, we do CI on Gitlab, I was going through harness documents and there are github action plugins generating and attesting SLSA and SBOM, we want similar functionalities for Gitlab as well as this is part of our larger initiative.

After doing a SBOM orchestration and trivy scan, the portal UI shows the SBOM OSS Risk field, but when downloading the sbom, this field is not available, nor does there seem to be a GET api call for this.

Observability metric for the ssca-manager service is not supported in SMP

RSPM rules do not work for configs that are defined at github account and org level.

Our firm has our own vulnerability score for licensing. We want our firm's vulnerability score/risk to populate in the supply chain dashboards and other Harness modules where licensing risk is displayed.

Description: We experienced a production outage due to a recent change in the SBOM image, which is now using the latest Docker version. As a result, all pipelines failed during the SBOM orchestration stage. Support Ticket Reference: 98836 Request: Please add an option to specify the SBOM image tag in the SBOM orchestration stage. This will allow us to map to an older image tag if there are issues with the latest image. Currently, this option is not available in the SBOM orchestration stage.

Current Behavior In SCS SBOM Orchestration → SBOM Attestation (Private Key / Password / Public Key fields): * The UI allows: * Fixed value * Runtime input ( <+input> ) * Expression However, these fields only accept secret identifiers*** in practice, such as: * mySecret * org.mySecret * account.mySecret If a user supplies an expression that resolves to a secret value (for example a Secret-type variable or \<+secrets.getValue("id")> ), the pipeline fails validation with errors like: > Invalid Secret Reference. Valid references must be one of the following formats [ id, org.id, account.id ] for scope [ project, organisation, account ] respectively This means SCS effectively treats these fields as “identifier-only”, even though the UI advertises Expression and Runtime input as options. --- Problem This behavior is: * Inconsistent with STO and other CI steps , which generally: * Accept secret values , * Support Secret-type variables and secrets.getValue(...) expressions, * Handle nested expressions that resolve to secrets. * Confusing for users , because: * The UI suggests they can use expressions and secret variables the same way they do in STO/CI. * But SCS rejects those patterns and requires them to pass only identifiers. * Limiting for reuse and governance , because: * It’s harder to dynamically pick different attestation keys per environment/org/project. * Users must resort to “String variable that holds a secret identifier” patterns, which is not intuitive and feels like a workaround. This is already surfacing in real customer pipelines and is likely to affect more users as HAR + SBOM adoption grows. --- Desired Behavior Align SCS SBOM Attestation secret handling with STO/CI , so that: Private Key / Password / Public Key fields accept: * Direct secret identifiers ( id , org.id , account.id ) — as they do today. * Expressions that resolve to secret identifiers , e.g.: ```yaml <+stage.variables.sbom_private_key_id> # "cosign_pk_test" ``` * Expressions that resolve to secret values , including: * \<+secrets.getValue("mySecret")> * Pipeline/stage variables of type Secret * Nested expressions that ultimately resolve to a secret. Validation happens after expression evaluation , similar to STO: * The expression is evaluated first. * If the result is a valid secret reference or secret value, the step proceeds. * Only truly invalid values should trigger the “Invalid Secret Reference” error. Backward compatible behavior : * Existing SCS pipelines that use plain identifiers should continue to work as-is. * New pipelines can adopt the more flexible STO/CI-style patterns without surprises. --- Why This Matters * Reduces confusion and support noise by bringing SCS in line with the rest of CI/STO . * Makes it much easier to: * Reuse SBOM/attestation pipelines across multiple environments, * Follow best practices for secret management (no hard-wiring per-step), * Build dynamic, policy-driven setups (e.g., different keys per env/org). * Matches user expectations: if a field supports “Expression” and is secret-related, it should behave consistently across modules.