Feature Requests

plugins/cache plugins/sto plugins/s3

We had some governance demands, one of which is the mandatory use of stable versions of templates. Tried to implement an OPA Policy, however, when the template is set as stable, this information isn't displayed in the YAML. I believe it should be in some metadata. Also tried using some functions, but none of the options managed to retrieve the data from the backend. There's also no option to do this via the UI. We need a way for a OPA Policy to force the user to use only the stable version of the templates, is it possible?

Current Behavior In SCS SBOM Orchestration → SBOM Attestation (Private Key / Password / Public Key fields): * The UI allows: * Fixed value * Runtime input ( <+input> ) * Expression However, these fields only accept secret identifiers*** in practice, such as: * mySecret * org.mySecret * account.mySecret If a user supplies an expression that resolves to a secret value (for example a Secret-type variable or \<+secrets.getValue("id")> ), the pipeline fails validation with errors like: > Invalid Secret Reference. Valid references must be one of the following formats [ id, org.id, account.id ] for scope [ project, organisation, account ] respectively This means SCS effectively treats these fields as “identifier-only”, even though the UI advertises Expression and Runtime input as options. --- Problem This behavior is: * Inconsistent with STO and other CI steps , which generally: * Accept secret values , * Support Secret-type variables and secrets.getValue(...) expressions, * Handle nested expressions that resolve to secrets. * Confusing for users , because: * The UI suggests they can use expressions and secret variables the same way they do in STO/CI. * But SCS rejects those patterns and requires them to pass only identifiers. * Limiting for reuse and governance , because: * It’s harder to dynamically pick different attestation keys per environment/org/project. * Users must resort to “String variable that holds a secret identifier” patterns, which is not intuitive and feels like a workaround. This is already surfacing in real customer pipelines and is likely to affect more users as HAR + SBOM adoption grows. --- Desired Behavior Align SCS SBOM Attestation secret handling with STO/CI , so that: Private Key / Password / Public Key fields accept: * Direct secret identifiers ( id , org.id , account.id ) — as they do today. * Expressions that resolve to secret identifiers , e.g.: ```yaml <+stage.variables.sbom_private_key_id> # "cosign_pk_test" ``` * Expressions that resolve to secret values , including: * \<+secrets.getValue("mySecret")> * Pipeline/stage variables of type Secret * Nested expressions that ultimately resolve to a secret. Validation happens after expression evaluation , similar to STO: * The expression is evaluated first. * If the result is a valid secret reference or secret value, the step proceeds. * Only truly invalid values should trigger the “Invalid Secret Reference” error. Backward compatible behavior : * Existing SCS pipelines that use plain identifiers should continue to work as-is. * New pipelines can adopt the more flexible STO/CI-style patterns without surprises. --- Why This Matters * Reduces confusion and support noise by bringing SCS in line with the rest of CI/STO . * Makes it much easier to: * Reuse SBOM/attestation pipelines across multiple environments, * Follow best practices for secret management (no hard-wiring per-step), * Build dynamic, policy-driven setups (e.g., different keys per env/org). * Matches user expectations: if a field supports “Expression” and is secret-related, it should behave consistently across modules.

As discussed with Andrew Spangler and Julia Zinger, submitting this feature request pertaining to Harness CD & GitOps module. We use Argo CD, GitOps Agent and delegate images currently at Box. Our requirement is , for Harness to provision customer internal certificates to be installed on the STIG compliant images and share hardened images with customer. Box wants to use the hardened image with needed certs installed 'as is' , than modifying the images to install internal certificates. This requirement comes from our security, legal and compliance team for STIG compliance. We need this feature by end of Jan, 26. Please include the same in product roadmap.

Team, Currently we don't have a way to enforce OPA policy only on newly created pipeline. When trying to enforce the policy using "on Save", this gone a impact even the existing pipelines. As there is no pipeline creation time available from YAML, its hard to differentiate new vs old from a particular day of this policy implementation. FYI As suggested by support team ( https://support.harness.io/hc/en-us/requests/98558 ) raising this feature request and are requesting to have prioritize.

Customer wants to be a beta partner for the Config Management product pillar.

When they change a flag and submit it for approval, there is no callout that a segment is a rule based segment. I think this would be beneficial for the diff to show more details like this instead of just "in segment ABC" or maybe a way to click the segment to navigate to it.

Ability to upload a json or yaml file to the SDK so the sdks have a stored state. For redundancy and resiliency purposes. Originally submitted on 12/11/2024

Customer would like the ability to copy segments from one environment to the other via the UI (IE from staging to UAT). And if not, can the fetch all flags admin API be used for segments and flags? I think it would be great enhancement to add it to the UI to be able to do this if you guys could add it to the list. Originally added on 6/2/2025

In list of attributes, Ctrl+F only way to search to confirm if a specific value is there. Would prefer a simpler way to do this. Can be useful for support and QA purposes.