Feature Requests

Currently the only results you will see for STO in the security results page will be for the latest execution of the pipeline. That execution may not be the complete pipeline. In the case where the user has had a failure and resumes the execution from last successful stage, any scan results from that previous execution will not be displayed in the security tests page. User will need to iterate through the execution history to find the various scan results.

Add the functionality in "External Tickets" ( https://developer.harness.io/docs/security-testing-orchestration/jira-integrations/ ) to automatically create a Jira ticket when an exemption is raised.

We are utilising cloud run functions within google cloud and would like to have the cicd process with harness. For this we will need the CDS_GOOGLE_CLOUD_RUN feature flag enabled. Thanks, Cormick

Many teams use not only CI when deploying infrastructure, and we need to enable (and enforce via OPA) teams to scan their IAC before deploying. Currently there is no way to perform Wiz Native scanning or using Custom Scan Ingestion steps (two different solutions) within CD or Custom Stages. We need teams to be able to view their vulnerabilities regardless of the stage they are deploying.

Wanted GitOps application set template configured to include the functionality like argo-cd application supports multiple sources such as helm from one repo and the values files from a different repo. The manifests is deemed invalid when spec.source is missing and spec.sources is provided instead.

User would like to the failure strategy to retry a stage if a step or step group fails. Currently, only option is to rollback the stage if a step fails. would like to see the option to retry the entire stage if a step within the stage fails.

Currently, Test Intelligence does not work with pytest-xdist. We would like to see support for this

To integrate efficiently, we would like to be able to register endpoints to be called with Harness events (like how we register webhooks with GitHub to receive GitHub events). WebHook endpoints will be internal and should be called via delegate (or have the option to be called from the delegate). Minimum events needed: Pipeline start/end (include all details in payload) Stage start/end (include all stage details in payload) Pipeline/stage interrupt/resume events (pause, approval needed, timeout, abort, reject, approval resume, etc.) Pipeline created/updated Solution: Solution is describe above: webhooks for pipeline events. Additionally, we would be fine with consuming events delivered to any type of pub/sub bus as well (SNS Topic, Redis pub/sub, SQS queue, etc.). Having more data on the events would be useful, so we can avoid having to query the API for the key data that make user-friendly notifications and automated actions feasible. the name and tags of the pipeline, and the variable inputs of the pipeline execution the name of the stage, and the variable inputs of the stage execution for failed or rejected pipelines and stages, the name and id of the failed stage and step, and the error or rejection message If these add on requests can't be accommodated, I would look to using the APIs to shim the feature. for #1, calling the audit API at short periodic intervals in order to simulate the events. for #2, calling the pipeline execution details API to get the needed values (once for each event. yikes)

Pipeline should fail (or configurable) when GitOpsSync step results in an unhealthy application. Currently GitOpsSync step attempts sync and succeeds always. The pipeline succeeds, but the deployment may have failed (for instance due to missing image). GitOpsSync step should fail when application turns unhealthy.

DORA metrics for Harness and SEI