Supported Security Scanners
Harness STO supports over 40 security scanners, categorized as follows:
- Harness Security Scanners: Scanners developed, maintained, and fully supported by Harness.
- Third-Party Scanners: External commercial or open-source scanners integrated with the Harness platform, not developed or directly maintained by Harness.
- Open-Source Scanners: A subset of third-party scanners that are open-source.
- Built-in Scanner Steps: Harness-provided scanner steps using pre-configured open-source scanners. These are ready-to-use within Harness pipelines and do not require additional commercial licenses. For a complete guide, refer to Built-in Scanners.
For a comprehensive list of all scanners, you can view them by Scan Type or Target Type further down this page.
Harness Security Scanners
Harness is expanding its native security scanning capabilities. These scanners are developed and maintained directly by Harness.
- API DAST (previously Traceable): A Dynamic Application Security Testing scanner for your APIs. This was formerly known as the Traceable API DAST scanner.
Third-Party Scanners
The following lists the third-party scanners, categorized first by Scan Type and then by Target Type. The list includes both commercial and open-source scanners.
These are the scanners supported by STO, by scan type:
- Static Application Security Testing - SAST Scanners
- Secret Detection Scanners
- Software Composition Analysis - SCA Scanners
- Container Scanners
- Dynamic Application Security Testing - DAST Scanners
- Infrastructure as Code - IaC Scanners
In addition to the listed supported scanners, the Custom Scan step allows the use of various other scanners. For a complete list of supported scanners, refer to Scanners Supported with Custom Scan Step.
Static Application Security Testing - SAST Scanners
Static Application Security Testing (SAST) is a security testing practice that analyzes source code for potential vulnerabilities without executing the application. To configure and run SAST scans, refer to the Static Application Security Testing documentation.
- Bandit - open-source
- Black Duck (by Synopsys)
- Brakeman - open-source
- Checkmarx
- Checkmarx One
- Coverity - open-source
- CodeQL
- FOSSA
- Mend (formerly known as WhiteSource)
- Semgrep - open-source option
- Snyk
- SonarQube
- Veracode
- Wiz
Secret Detection Scanners
Secret Detection is a security testing practice that scans code repositories for exposed credentials, API keys, tokens, and other sensitive information. To configure and run secret detection scans, refer to the Secret Detection documentation.
- Aqua Trivy - open-source
- Checkmarx One
- Gitleaks - open-source
Software Composition Analysis - SCA Scanners
Software Composition Analysis (SCA) is a security testing practice that identifies vulnerabilities in open-source dependencies and third-party libraries used in your applications. To configure and run SCA scans, refer to the Software Composition Analysis documentation.
- Aqua Trivy - open-source
- Checkmarx
- Checkmarx One
- OSV Scanner - open-source
- OWASP Dependency-Check - open-source
- Snyk
- Veracode
- Wiz
Container Scanners
Container Scanning is a security testing practice that analyzes your container images for potential vulnerabilities. To configure and run container scans, refer to the Container Scanning documentation.
- Anchore
- Aqua Security
- Aqua Trivy - open-source
- AWS ECR Scan
- Black Duck
- Checkmarx One
- Grype - open-source
- Prisma Cloud
- Snyk
- Sysdig
- Wiz
Dynamic Application Security Testing - DAST Scanners
Dynamic Application Security Testing (DAST) is a security testing practice that identifies vulnerabilities in running applications by simulating real-world attacks. To configure and run DAST scans, refer to the Dynamic Application Security Testing documentation.
- Burp Suite Enterprise Edition
- Checkmarx One
- Nikto - open-source
- Nmap - open-source
- Traceable
- Veracode
- Zap - open-source
Infrastructure as Code - IaC Scanners
Infrastructure as Code (IaC) scanning is a security testing practice that analyzes IaC configurations to identify misconfigurations, security vulnerabilities, and compliance issues before deployment. To configure and run IaC scans, refer to the Infrastructure as Code documentation.
- Checkmarx One
- Checkov - open-source
- Snyk
- Wiz
The following sections describe the scanners supported by Harness STO, based on the target type:
Code repo scanners
A code scanner can detect one or more of the following issue types in your source code. For information about the specific vulnerabilities detected by each scanner, go to the scanner provider's documentation.
- SAST (Static Application Security Testing): Known vulnerabilities in open-source and proprietary code.
- SCA (Software Composition Analysis): Known vulnerabilities in open-source libraries and packages used by the code.
- Secrets: Hard-coded secrets such as access keys and passwords.
- IaC: Known vulnerabilities in Infrastructure-as-Code files such as Terraform configurations.
- Misconfigurations: Known vulnerabilities in software configurations.
Artifact scanners
An artifact scanner can detect one or more of the following issue types in your container images and other artifacts. For information about the specific vulnerabilities detected by each scanner, go to the scanner provider's documentation.
- SCA (Software Composition Analysis): Known vulnerabilities in open-source libraries and packages used by the code.
- Container Scanning: Known vulnerabilities in container images.
Instance scanners
An instance scanner scans a running application for vulnerabilities by simulating a malicious external actor exploiting known vulnerabilities. This is also known as a DAST (Dynamic Application Security Testing) scan.
For information about the specific vulnerabilities detected by each scanner, go to the scanner provider's documentation.
Configuration scanners
The following scanners detect misconfigurations in your cloud environment that can result in vulnerabilities. For information about the specific vulnerabilities detected by each scanner, go to the scanner provider's documentation.
Other scanners
If you use a scanner that isn't listed above, you can still ingest your scan results into STO.
- If your scanner can publish to SARIF format, go to Ingest SARIF scan results into STO.
- For other scanners, go to Ingest results from unsupported scanners.
Scanners supported with Custom Scan step
The following scanners do not have a dedicated step in STO, but they can be used through the Custom Scan step.
- Clair
- Data Theorem
- Docker Content Trust
- Fortify Static Code Analyzer
- Fortify on Demand
- HCL AppScan
- Metasploit - open-source
- Nessus
- Nexus
- OpenVAS - open-source
- Qualys Web Application Scanning
- Qwiet AI (formerly ShiftLeft)
- Reapsaw - open-source
- ScoutSuite - open-source
- Tenable
- Veracode
- JFrog Xray
If you are looking for scanners that are not available as steps and are not supported through the Custom Scan step, you can use the Custom Ingest step to import scan results into STO. For detailed instructions, see Ingest results from unsupported scanners.
Supported ingestion formats
The following scanners support ingestion scan mode in STO, together with the data format each scanner expects for ingestion into STO.
Static Analysis Results Interchange Format (SARIF) is an open JSON format supported by many scan tools, especially tools available as GitHub Actions. Harness STO can ingest SARIF 2.1.0 data from any tool that supports this format.
Harness recommends that you publish and ingest using the scanner-specific JSON format when available, because it tends to include more useful information.
- Anchore Enterprise — JSON
- Aqua Security — JSON
- Aqua Trivy — JSON (recommended), SARIF
- AWS ECR — JSON
- AWS Security Hub — JSON
- Bandit — JSON (recommended), SARIF
- Black Duck Hub — JSON
- Brakeman — JSON
- Burp — XML
- Traceable — JSON
- Checkmarx — XML, SARIF
- Checkmarx One — JSON
- CodeQL — SARIF
- Coverity — XML
- Data Theorem — JSON
- Docker Content Trust — JSON
- Fortify — JSON
- Fortify on Demand — JSON
- Fossa — JSON
- Gitleaks — JSON (recommended), SARIF
- HCL AppScan — XML
- Grype — JSON
- Mend (formerly Whitesource) — JSON
- Nessus — XML
- Nexus — JSON
- Nikto — XML
- Nmap — XML
- OpenVAS — JSON
- OWASP Dependency Check — JSON
- Prisma Cloud — JSON
- Prowler — JSON
- Qualys — XML
- Qwiet — JSON
- Reapsaw — JSON
- Semgrep — SARIF
- Snyk — JSON (recommended), SARIF
- SonarQube — JSON
- Sysdig — JSON
- Tenable — JSON
- Veracode — XML
- JFrog Xray — JSON
- Wiz — JSON (recommended), SARIF
- Zed Attack Proxy (ZAP) — JSON
- Checkov — JSON, SARIF
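As an added example (not Harness code, and not the output of any scanner listed above), the following Python checks that a SARIF log carries the 2.1.0 version STO ingests, then flattens the results into one record per finding so the file can be sanity-checked before it is handed to the ingestion step. The SARIF document and the tool name `example-sast` are constructed for illustration; the version check and the `runs[].results[]` walk follow the SARIF 2.1.0 schema.

```python
import json
from collections import Counter

SUPPORTED_SARIF_VERSION = "2.1.0"

# Constructed sample: a minimal SARIF 2.1.0 log with one run and two results,
# shaped like what a SARIF-capable scanner publishes. Not real scan data.
SAMPLE_SARIF = json.dumps({
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "example-sast",  # hypothetical scanner name
            "version": "0.0.1",
            "rules": [{"id": "EX001",
                       "shortDescription": {"text": "Hard-coded secret"}}],
        }},
        "results": [
            {"ruleId": "EX001", "level": "error",
             "message": {"text": "Hard-coded credential in source"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/config.py"},
                 "region": {"startLine": 12}}}]},
            # A result with no location: still a finding, still ingestible.
            {"ruleId": "EX002", "level": "warning",
             "message": {"text": "Insecure default setting"},
             "locations": []},
        ],
    }],
})

# Constructed sample of a log STO would not accept (older SARIF version).
UNSUPPORTED_SARIF = json.dumps({"version": "2.0.0", "runs": []})


def check_sarif_version(doc):
    """Reject anything other than the SARIF version STO ingests."""
    version = doc.get("version")
    if version != SUPPORTED_SARIF_VERSION:
        raise ValueError(
            f"unsupported SARIF version {version!r}; expected {SUPPORTED_SARIF_VERSION}")
    return version


def sarif_findings(text):
    """Parse a SARIF log and return one flat dict per result.

    Each record carries the tool name, rule id, severity level, file, line and
    message, which is the minimum a triage view needs. A missing location
    yields file=None / line=None rather than dropping the finding.
    """
    doc = json.loads(text)
    check_sarif_version(doc)
    findings = []
    for run in doc.get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name", "unknown")
        for result in run.get("results", []):
            locs = result.get("locations") or []
            phys = locs[0].get("physicalLocation", {}) if locs else {}
            findings.append({
                "tool": tool,
                "rule_id": result.get("ruleId"),
                # SARIF's default level when neither result nor rule sets one.
                "level": result.get("level", "warning"),
                "file": phys.get("artifactLocation", {}).get("uri"),
                "line": phys.get("region", {}).get("startLine"),
                "message": result.get("message", {}).get("text", ""),
            })
    return findings


def count_by_level(findings):
    """Summarize findings by SARIF level, e.g. {'error': 1, 'warning': 1}."""
    return dict(Counter(f["level"] for f in findings))


if __name__ == "__main__":
    for f in sarif_findings(SAMPLE_SARIF):
        print(f"{f['level']:8} {f['rule_id']:6} {f['file']}:{f['line']} {f['message']}")
    print(count_by_level(sarif_findings(SAMPLE_SARIF)))
```

Run the same check over a scanner's real SARIF output before wiring it into a pipeline: a version other than 2.1.0 or a result set that comes back empty is the usual reason an ingestion step produces no findings. The records above hold only what SARIF guarantees (rule, level, location, message), which is why the page recommends a scanner's native JSON where it exists: fields such as package versions, CVSS scores or fix information are typically present there but not in SARIF.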