Security Step Settings Reference

Updated 1 week ago by Michael Cretzman

This topic includes all the Security step settings for each of the scanner providers supported by Harness.

For details on using the Security step, see Security Testing Orchestration Quickstart (Public Preview).

Scan Approach Types

Harness Security Testing Orchestration integrates with multiple scanners and targets. Different types of scan approaches can be done on each scanner-target combination:

  • orchestratedScan: fully orchestrated. A new scan is orchestrated and the scan results are normalized and compressed by Security Testing Orchestration.
  • manualUpload: not orchestrated. Think of this as ingestion-only. For a scan that was done previously (or in an earlier step in the Pipeline), the results are presented to Security Testing Orchestration for normalization and compression.
  • dataLoad: partially orchestrated. A previously run scan whose results exist in the scan tool vendor's SaaS. The data is pulled, normalized, and compressed by Security Testing Orchestration.

The scanner, targets, and scan approach combinations are covered in the next section.

Scanners, Target Types, and Scan Approach

The following scanners are supported. See Security Testing Orchestration Quickstart (Public Preview).

Scanner Name                            Scan Target Type                                Scan Approach
--------------------------------------------------------------------------------------------------------------------------------
Aqua Trivy                              container                                       orchestratedScan, manualUpload
Bandit                                  repository                                      orchestratedScan, manualUpload
Black Duck                              repository, container                           orchestratedScan, manualUpload
Brakeman                                repository                                      orchestratedScan, manualUpload
Burp                                    instance                                        manualUpload
Checkmarx                               repository                                      orchestratedScan, dataLoad, manualUpload
Data Theorem                            repository                                      dataLoad, manualUpload
Docker Content Trust (DCT)              container                                       orchestratedScan, manualUpload
Docker Content Trust (DCT)              container                                       orchestratedScan, manualUpload
  (docker-content-trust and clair)
External (JSON upload v2)               container, repository, instance, configuration  orchestratedScan, manualUpload
Fortify on Demand                       repository                                      orchestratedScan, dataLoad, manualUpload
Metasploit                              instance                                        orchestratedScan, manualUpload
Nessus                                  instance                                        orchestratedScan, manualUpload
Nexus IQ                                instance                                        orchestratedScan, manualUpload
Nikto                                   instance                                        orchestratedScan, manualUpload
Nmap ("Network Mapper")                 instance                                        orchestratedScan, manualUpload
OpenVAS                                 instance                                        orchestratedScan, manualUpload
OWASP                                   repository                                      orchestratedScan, manualUpload
Prowler                                 repository                                      orchestratedScan, manualUpload
Qualys Web Application Scanning (WAS)   instance                                        manualUpload
Reapsaw                                 repository                                      manualUpload
ShiftLeft                               repository                                      orchestratedScan, dataLoad, manualUpload
Sniper                                  instance                                        orchestratedScan, manualUpload
Snyk                                    container                                       orchestratedScan, manualUpload
SonarQube SonarScanner                  repository                                      orchestratedScan, dataLoad, manualUpload
Tenable.io                              instance                                        orchestratedScan, dataLoad, manualUpload
Prisma Cloud (formerly Twistlock)       container                                       orchestratedScan, dataLoad, manualUpload
Veracode                                repository                                      orchestratedScan, dataLoad, manualUpload
WhiteSource                             repository                                      orchestratedScan, manualUpload
JFrog Xray                              container                                       manualUpload
Zed Attack Proxy (ZAP)                  instance                                        orchestratedScan, manualUpload

Test Targets

The following table specifies where the target to be tested is located.

Target Name         Target Type
--------------------------------
azure               repository
bitbucket           repository
github              repository
gitlab              repository
local_image         container
docker_v2           container
jfrog_artifactory   container
aws_ecr             container
website             instance

Using Scanner Providers in the Security Step

To use any supported scanner provider in the Harness Security step, you simply need to provide the setting:value pairs for the scanner.

For example, among the setting:value pairs for Aqua Trivy, the Aqua Trivy-specific settings are just scan_type and policy_type. The rest of the settings are common to all scanners where the scan_type is container.

The following sections list the setting:value pairs for each provider.

All Scan Types

The following settings apply to all scanners.

  • scan_type
    • accepted values: container, repository, instance, configuration.

Repository Scan Type Settings

The following settings apply to all scanners where the scan_type is repository.

  • repository_project*
  • repository_branch*

Container Scan Type Settings

The following settings apply to all scanners where the scan_type is container.

  • container_project*
  • container_tag*
  • container_type
    • accepted value(s): local_image, docker_v2, jfrog_artifactory, aws_ecr
      • for container_type set to local_image
        • None
      • for container_type set to docker_v2
        • container_access_id: Username
        • container_access_token: Password/Token
      • for container_type set to jfrog_artifactory
        • container_access_id: Username
        • container_access_token: Password/Token
      • for container_type set to aws_ecr
        • container_access_id: Username
        • container_access_token: Password/Token
        • container_region: Aws default region
  • container_domain

Instance Scan Type Settings

The following settings apply to all scanners where the scan_type is instance.

  • instance_identifier*
  • instance_environment*
  • instance_domain
  • instance_path
  • instance_protocol
  • instance_port
  • instance_type
    • accepted value(s): website

Configuration Scan Type Settings

The following settings apply to all scanners where the scan_type is configuration.

  • configuration_type
    • accepted value(s): aws_account
  • configuration_region
  • configuration_environment
  • configuration_access_id
  • configuration_access_token
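Because the same handful of rules recur for every scanner (a fixed set of scan_type and policy_type values, starred keys that are required for a scan_type, and credential keys that depend on container_type), they are easy to check before a pipeline runs. The following validator is an added example and is not Harness code: it encodes the common scan_type rules listed above plus the scan_type/policy_type combinations of a few scanners from the tables on this page, and treats a literal value in any *_access_token setting as a problem (a recommendation added here, using the Harness secret expression syntax, not a rule this page states). The settings maps at the bottom are constructed sample inputs with placeholder names and values.

```python
# Added example: validate a Security step's settings map against the rules in
# this reference. Not Harness's own code; the rules below are copied from the
# page, the sample inputs are constructed.

SCAN_TYPES = {"container", "repository", "instance", "configuration"}
POLICY_TYPES = {"orchestratedScan", "dataLoad", "manualUpload"}

# Settings marked with * above: required for every scanner of that scan_type.
REQUIRED_BY_SCAN_TYPE = {
    "repository": ("repository_project", "repository_branch"),
    "container": ("container_project", "container_tag"),
    "instance": ("instance_identifier", "instance_environment"),
    "configuration": (),
}

# Settings with a fixed list of accepted values.
ACCEPTED_VALUES = {
    "container_type": {"local_image", "docker_v2", "jfrog_artifactory", "aws_ecr"},
    "instance_type": {"website"},
    "configuration_type": {"aws_account"},
}

# Registry credentials each container_type needs; a local image needs none.
CONTAINER_TYPE_CREDENTIALS = {
    "local_image": (),
    "docker_v2": ("container_access_id", "container_access_token"),
    "jfrog_artifactory": ("container_access_id", "container_access_token"),
    "aws_ecr": ("container_access_id", "container_access_token", "container_region"),
}

# Subset of the scanner table: product_name -> (scan_types, policy_types).
PRODUCTS = {
    "aqua-trivy": ({"container"}, {"orchestratedScan", "manualUpload"}),
    "bandit": ({"repository"}, {"orchestratedScan", "manualUpload"}),
    "burp": ({"instance"}, {"manualUpload"}),
    "checkmarx": ({"repository"}, {"orchestratedScan", "dataLoad", "manualUpload"}),
    "aws-security-hub": ({"configuration"}, {"manualUpload"}),
}

# Harness secret expression prefix. Tokens should be referenced this way rather
# than pasted into the step as literals (added recommendation, not a page rule).
SECRET_PREFIX = '<+secrets.getValue("'


def validate(settings):
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    scan_type = settings.get("scan_type")
    policy_type = settings.get("policy_type")
    product = settings.get("product_name")

    if scan_type not in SCAN_TYPES:
        return [f"scan_type must be one of {sorted(SCAN_TYPES)}, got {scan_type!r}"]
    if policy_type not in POLICY_TYPES:
        problems.append(f"policy_type must be one of {sorted(POLICY_TYPES)}, got {policy_type!r}")

    if product in PRODUCTS:
        scan_types, policy_types = PRODUCTS[product]
        if scan_type not in scan_types:
            problems.append(f"{product} does not support scan_type {scan_type}")
        if policy_type not in policy_types:
            problems.append(f"{product} does not support policy_type {policy_type}")

    for key in REQUIRED_BY_SCAN_TYPE[scan_type]:
        if not settings.get(key):
            problems.append(f"missing required setting {key} for scan_type {scan_type}")

    for key, allowed in ACCEPTED_VALUES.items():
        if key in settings and settings[key] not in allowed:
            problems.append(f"{key} must be one of {sorted(allowed)}, got {settings[key]!r}")

    if scan_type == "container":
        container_type = settings.get("container_type")
        for key in CONTAINER_TYPE_CREDENTIALS.get(container_type, ()):
            if not settings.get(key):
                problems.append(f"missing {key} for container_type {container_type}")

    for key, value in settings.items():
        if key.endswith("_access_token") and not str(value).startswith(SECRET_PREFIX):
            problems.append(f"{key} should reference a Harness secret, not a literal value")

    return problems


# Constructed sample inputs (placeholder project names, tags and secret names).
TRIVY_LOCAL_IMAGE = {
    "product_name": "aqua-trivy", "policy_type": "orchestratedScan", "scan_type": "container",
    "container_type": "local_image", "container_domain": "docker.io",
    "container_project": "example-org/example-app", "container_tag": "1.2.3",
}
TRIVY_ECR_INCOMPLETE = {  # no container_region, and a literal token, on purpose
    "product_name": "aqua-trivy", "policy_type": "orchestratedScan", "scan_type": "container",
    "container_type": "aws_ecr", "container_project": "example-app", "container_tag": "1.2.3",
    "container_access_id": "EXAMPLE_ACCESS_ID", "container_access_token": "hardcoded-example-token",
}
BURP_ORCHESTRATED = {  # Burp is manualUpload only
    "product_name": "burp", "policy_type": "orchestratedScan", "scan_type": "instance",
    "instance_identifier": "example-site", "instance_environment": "staging",
}

if __name__ == "__main__":
    for label, s in [("trivy local", TRIVY_LOCAL_IMAGE), ("trivy ecr", TRIVY_ECR_INCOMPLETE), ("burp", BURP_ORCHESTRATED)]:
        print(label, validate(s) or "ok")
```

Running the block reports "ok" for the local-image Trivy settings, two problems for the aws_ecr map (the missing container_region and the literal token), and one for Burp (orchestratedScan is not among its accepted policy_type values). The PRODUCTS table holds only five scanners; extend it from the per-scanner sections below to cover the rest.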

Aqua Trivy

When product_name is set to aqua-trivy

  • scan_type
    • accepted value(s): container
  • policy_type
    • accepted value(s): orchestratedScan, manualUpload

AWS Security Hub

When product_name is set to aws-security-hub

  • scan_type
    • accepted value(s): configuration
  • policy_type
    • accepted value(s): manualUpload

Bandit

When product_name is set to bandit

  • scan_type
    • accepted value(s): repository
  • policy_type
    • accepted value(s): orchestratedScan, manualUpload

Black Duck Open Hub

When product_name is set to blackduckhub

  • scan_type
    • accepted value(s): repository, container
  • policy_type
    • accepted value(s): orchestratedScan, manualUpload
  • When policy_type is set to orchestratedScan
    • product_domain
    • product_auth_type
      • accepted value(s): usernamePassword, apiKey
    • product_access_id: api username
    • product_access_token: api password or api key
    • product_api_version
    • product_project_name
    • product_project_version

Brakeman

When product_name is set to brakeman

  • scan_type
    • accepted value(s): repository
  • policy_type
    • accepted value(s): orchestratedScan, manualUpload

Burp

When product_name is set to burp

  • scan_type
    • accepted value(s): instance
  • policy_type
    • accepted value(s): manualUpload

Checkmarx

When product_name is set to checkmarx

  • scan_type
    • accepted value(s): repository
  • policy_type
    • accepted value(s): orchestratedScan, dataLoad, manualUpload
  • When policy_type is set to orchestratedScan or dataLoad
    • product_domain
    • product_access_id
    • product_access_token
    • product_lookup_type
      • accepted value(s): Not Specified, byName
    • product_team_name
    • product_project_name

Data Theorem

When product_name is set to data-theorem

  • scan_type
    • accepted value(s): repository
  • policy_type
    • accepted value(s): dataLoad, manualUpload
  • When policy_type is set to dataLoad
    • product_app_id
    • product_access_token

Docker Content Trust (DCT)

When product_name is set to docker-content-trust

  • scan_type
    • accepted value(s): container
  • policy_type
    • accepted value(s): orchestratedScan, manualUpload

Docker Content Trust (clair)

When product_name is set to docker-content-trust (clair)

  • scan_type
    • accepted value(s): container
  • policy_type
    • accepted value(s): orchestratedScan, manualUpload
  • product_url
  • product_access_id
  • product_access_token

External (JSON upload v2)

When product_name is set to external (json upload v2)

  • scan_type
    • accepted value(s): container, repository, instance, configuration
  • policy_type
    • accepted value(s): manualUpload

Fortify

When product_name is set to fortify

  • scan_type
    • accepted value(s): repository
  • policy_type
    • accepted value(s): orchestratedScan, manualUpload
  • When policy_type is set to orchestratedScan
    • product_license_path: see customer_artifacts

Fortify on Demand

When product_name is set to fortifyondemand

  • scan_type
    • accepted value(s): repository
  • policy_type
    • accepted value(s): orchestratedScan, dataLoad, manualUpload
  • When policy_type is set to orchestratedScan or dataLoad
    • product_domain
    • product_access_id
    • product_access_token
    • product_owner_id
    • product_entitlement
    • product_scan_type
    • product_app_name
    • product_release_name
    • product_target_language
    • product_target_language_version
    • product_scan_settings
      • accepted values: Custom, default
    • product_audit_type
    • product_lookup_type
      • accepted values: Dynamic, Static, Mobile
    • product_data_center

Metasploit

When product_name is set to metasploit

  • scan_type
    • accepted value(s): instance
  • policy_type
    • accepted value(s): orchestratedScan, manualUpload

Nessus

When product_name is set to nessus

  • scan_type
    • accepted value(s): instance
  • policy_type
    • accepted value(s): orchestratedScan, manualUpload
  • When policy_type is set to orchestratedScan
    • product_domain
    • product_access_id
    • product_access_token
    • product_policy_id
    • product_scanner_id
    • product_template_uuid

Nexus IQ

When product_name is set to nexusiq

  • scan_type
    • accepted value(s): instance
  • policy_type
    • accepted value(s): orchestratedScan, manualUpload
  • When policy_type is set to orchestratedScan
    • product_domain
    • product_access_id
    • product_access_token
    • product_organization_id
    • product_project_name
    • product_lookup_type
      • accepted value(s): byPrivateId, byPublicId
    • When product_lookup_type is set to byPublicId
      • product_public_id
    • When product_lookup_type is set to byPrivateId
      • product_private_id

Nikto

When product_name is set to nikto

  • scan_type
    • accepted value(s): instance
  • policy_type
    • accepted value(s): orchestratedScan, manualUpload

Nmap ("Network Mapper")

When product_name is set to nmap

  • scan_type
    • accepted value(s): instance
  • policy_type
    • accepted value(s): orchestratedScan, manualUpload

OpenVAS

When product_name is set to openvas

  • scan_type
    • accepted value(s): instance
  • policy_type
    • accepted value(s): orchestratedScan, manualUpload
  • product_domain
  • product_access_id
  • product_access_token

OWASP

When product_name is set to owasp

  • scan_type
    • accepted value(s): repository
  • policy_type
    • accepted value(s): orchestratedScan, manualUpload

Prowler

When product_name is set to prowler

  • scan_type
    • accepted value(s): repository
  • policy_type
    • accepted value(s): orchestratedScan, manualUpload

Qualys Web Application Scanning (WAS)

When product_name is set to qualys

  • scan_type
    • accepted value(s): instance
  • policy_type
    • accepted value(s): manualUpload

Reapsaw

When product_name is set to reapsaw

  • scan_type
    • accepted value(s): repository
  • policy_type
    • accepted value(s): manualUpload

ScoutSuite

When product_name is set to scoutsuite (aws only)

  • scan_type
    • accepted value(s): configuration
  • policy_type
    • accepted value(s): manualUpload

ShiftLeft

When product_name is set to shiftleft

  • scan_type
    • accepted value(s): repository
  • policy_type
    • accepted value(s): orchestratedScan, dataLoad, manualUpload
  • When policy_type is set to orchestratedScan or dataLoad
    • product_access_id
    • product_access_token
    • product_app_name
    • product_target_language

Sniper

When product_name is set to sniper

  • scan_type
    • accepted value(s): instance
  • policy_type
    • accepted value(s): orchestratedScan, manualUpload

Snyk

When product_name is set to snyk

  • scan_type
    • accepted value(s): container
  • policy_type
    • accepted value(s): orchestratedScan, manualUpload
  • product_access_token

SonarQube SonarScanner

When product_name is set to sonarqube

  • scan_type
    • accepted value(s): repository
  • policy_type
    • accepted value(s): orchestratedScan, dataLoad, manualUpload
  • When policy_type is set to orchestratedScan or dataLoad
    • product_domain
    • product_access_token
    • product_lookup_type
    • product_project_name
    • product_project_key
    • product_exclude
    • product_java_binaries
    • product_java_libraries

Tenable.io

When product_name is set to tenableio

  • scan_type
    • accepted value(s): instance
  • policy_type
    • accepted value(s): orchestratedScan, dataLoad, manualUpload
  • When policy_type is set to orchestratedScan or dataLoad
    • product_domain
    • product_access_id
    • product_access_token
    • product_policy_id
    • product_scanner_id
    • product_template_uuid

Prisma Cloud (formerly Twistlock)

When product_name is set to twistlock

  • scan_type
    • accepted value(s): container
  • policy_type
    • accepted value(s): orchestratedScan, dataLoad, manualUpload
  • When policy_type is set to orchestratedScan or dataLoad
    • product_image_name
    • product_domain
    • product_access_id
    • product_access_token

Veracode

When product_name is set to veracode

  • scan_type
    • accepted value(s): repository
  • policy_type
    • accepted value(s): orchestratedScan, dataLoad, manualUpload
  • product_auth_type
    • accepted value(s): usernamePassword, apiKey
  • product_access_id: username / keyId
  • product_access_token: password / key
  • product_app_id
  • product_project_name

WhiteSource

When product_name is set to whitesource

  • scan_type
    • accepted value(s): repository
  • policy_type
    • accepted value(s): orchestratedScan, manualUpload
  • When policy_type is set to orchestratedScan
    • product_domain
    • product_access_id
    • product_access_token
    • product_include
    • product_exclude
    • product_lookup_type
      • accepted value(s): Not Set, byName, byTokens, appendToProductByToken, appendToProductByName
    • product_product_name
    • product_project_name
    • product_product_token
    • product_project_token

JFrog Xray

When product_name is set to xray

  • scan_type
    • accepted value(s): container
  • policy_type
    • accepted value(s): manualUpload

Zed Attack Proxy (ZAP)

When product_name is set to zap

  • scan_type
    • accepted value(s): instance
  • policy_type
    • accepted value(s): orchestratedScan, manualUpload
  • When policy_type is set to orchestratedScan
    • product_context_name: see customer_artifacts
