Featured Blogs

Harness has been recognized as a Leader in the 2026 Gartner® Magic Quadrant™ for DevSecOps Platforms for the third consecutive year. Harness was also positioned furthest on the Completeness of Vision axis in the report.
Our Key takeaways:
- Harness is named a Leader for the third consecutive year
- Harness is positioned furthest on the Completeness of Vision axis
- Harness continues investing in governed, AI-powered DevSecOps
Harness is the AI platform for engineering, security, and operations teams to build, secure, deploy, govern, and optimize software delivery across the SDLC.
We believe our recognition in the Gartner Magic Quadrant for DevSecOps Platforms reflects the continued evolution of the Harness platform and our commitment to helping teams deliver software faster, safer, and with greater governance across the software delivery lifecycle.
We’re thrilled to share this recognition, which we believe reflects the strength of our product strategy, the breadth of our platform, and our continued investment in helping enterprises modernize software delivery with security, reliability, cost management, and AI built into the development lifecycle.
Today, organizations across industries like United Airlines, Ancestry, and Citi rely on Harness to reduce delivery complexity, improve developer productivity, strengthen governance, and accelerate innovation across increasingly complex software environments.
Why This Matters Now
Software delivery has entered a new era. AI coding assistants are helping teams create software faster than ever, but faster code generation also means more changes, more tests, more vulnerabilities, more deployments, and more incidents for organizations to manage. The next era of DevSecOps will not be defined by who can generate code faster. It will be defined by who can safely convert that speed into reliable business outcomes.
Our view is that the future of DevSecOps is autonomous AI agents, governed and directed by expert engineers. As humans and AI agents both contribute to software change, enterprises will need one connected platform to understand, validate, secure, deploy, observe, optimize, roll back, and prove every change across the software delivery lifecycle.
Our Journey
As a pioneer in modern software delivery, Harness offers over 15 platform products and has built one of the industry’s most comprehensive platforms to support the full spectrum of application development, deployment, security, reliability, feature management, cost management, and operations.
Harness has evolved through a combination of product innovation, internal entrepreneurship, open source investment, and strategic acquisitions. We believe our recognition as furthest on the Completeness of Vision axis in the 2026 Gartner® Magic Quadrant™ for DevSecOps Platforms is proof that Harness is solving problems for our customers in a measurable way.
Over the past year, Harness has continued to expand platform capabilities and AI agents across:
- Security and risk management
- AI-native testing capabilities including flaky test detection and AI impact testing
- Feature Management and Experimentation
- Cloud and AI Cost Management
- AI DLC insights
- Resilience Testing, and more
This matters because software delivery is no longer just about building and deploying code. Teams must now manage security risk, release complexity, infrastructure cost, compliance requirements, production reliability, and the growing impact of AI-generated software. The Harness platform allows teams to adopt what they need, when they need it, in one place.
With operations across North America, Europe, APAC, Latin America, and India, Harness serves organizations of all sizes across industries. Customers choose Harness not only for the breadth of the platform but also for the flexibility to adopt individual modules or the full platform based on their needs, maturity, and business priorities.
What’s Next for Harness
This recognition in our opinion is a milestone, and we’re proud, but we’re even more excited by the road ahead.
We build security in the software delivery lifecycle natively, not as a separate stage or disconnected toolchain. As AI increases the volume of code, changes, and security findings, enterprises will need platforms that connect detection, prioritization, policy, remediation, deployment, and runtime defense into a single, governed workflow.
Harness is focused on helping enterprises meet that moment. We will continue investing in AI software delivery to help teams move faster without losing control. Our goal is to help every organization deliver software that is faster to build, safer to release, easier to govern, and more resilient in production.
Thank you to our customers, partners, employees, and community for your continued trust. We’re excited about the journey ahead and can’t wait to show you what’s next.
Learn More
Get a complimentary copy of the 2026 Gartner® Magic Quadrant™ for DevSecOps Platforms.
Or, to talk to someone about Harness, please contact us.
Gartner Disclaimer
Gartner, Magic Quadrant for DevSecOps Platforms, 2026, Keith Mann, Thomas Murphy, Bill Holz, 15 June 2026
Gartner does not endorse any vendor, product, or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
GARTNER is a registered trademark and service mark of Gartner, and Magic Quadrant is a registered trademark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, and is used herein with permission. All rights reserved.

If 2024 was the year AI started quietly showing up in our workflows, 2025 was the year it kicked the door down.
AI-generated code and AI-powered workflows have become part of nearly every software team’s daily rhythm. Developers are moving faster than ever, automation is woven into every step, and new assistants seem to appear in the pipeline every week.
I’ve spent most of my career on both sides of the equation — first in security, then leading engineering teams — and I’ve seen plenty of “next big things” come and go. But this shift feels different. Developers are generating twice the code in half the time. It’s a massive leap forward — and a wake-up call for how we think about security.
The Question Everyone’s Asking
The question I hear most often is, “Has AI made coding less secure?”
Honestly, not really. The code itself isn’t necessarily worse — in fact, a lot of it’s surprisingly good. The real issue isn’t the quality of the code. It’s the sheer volume of it. More code means more surface area: more endpoints, more integrations, more places for something to go wrong.
Harness recently surveyed 500 security practitioners and decision makers responsible for securing AI-native applications from the United States, UK, Germany, and France to share findings on global security practices. In our latest report, The State of AI-Native Application Security 2025, 82% of security practitioners said AI-native applications are the new frontier for cybercriminals, and 63% believe these apps are more vulnerable than traditional ones.
It’s like a farmer suddenly planting five times more crops. The soil hasn’t changed, but now there’s five times more to water, tend, and protect from bugs. The same applies to software. Five times more code doesn’t just mean five times more innovation — it means five times more vulnerabilities to manage.
And the tools we’ve relied on for years weren’t built for this. Traditional security systems were designed for static codebases that changed every few months, not adaptive, learning models that evolve daily. They simply can’t keep pace.
And this is where visibility collapses.
The AI Visibility Problem
In our research, 63% of security practitioners said they have no visibility into where large language models are being used across their organizations. That’s the real crisis — not bad actors or broken tools, but the lack of understanding about what’s actually running and where AI is operating.
When a developer spins up a new AI assistant on their laptop or an analyst scripts a quick workflow in an unapproved tool, it’s not because they want to create risk. It’s because they want to move faster. The intent is good, but the oversight just isn’t there yet.
The problem is that our governance and visibility models haven’t caught up. Traditional security tools were built for systems we could fully map and predict. You can’t monitor a generative model the same way you monitor a server — it behaves differently, evolves differently, and requires a different kind of visibility.
Security Has to Move Closer to Engineering
Security has to live where engineering lives — inside the pipeline, not outside it.
That’s why we’re focused on everything after code: using AI to continuously test, validate, and secure applications after the code is written. Because asking humans to manually keep up with AI speed is a losing game.
If security stays at a checkpoint after development, we’ll always be behind. The future is continuous — continuous delivery, continuous validation, continuous visibility.
Developers Don’t Need to Slow Down — They Need Guardrails
In the same report, 74% of security leaders said developers view security as a barrier to innovation. I get it — security has a reputation for saying “no.” But the future of software delivery depends on us saying “yes, and safely.”
Developers shouldn’t have to slow down. They need guardrails that let them move quickly without losing control. That means automation that quietly scans for secrets, flags risky dependencies, and tests AI-generated code in real time — all without interrupting the creative flow.
AI isn’t replacing developers; it’s amplifying them. The teams that learn to work with it effectively will outpace everyone else.
Seeing What Matters
We’re generating more innovation than ever before, but if we can’t see where AI is working or what it’s touching, we’re flying blind.
Visibility is the foundation:
- Map where AI exists across your workflows, models, and pipelines.
- Automate validation so issues are caught continuously, not just at release time.
- Embed governance early, not as an afterthought.
- Align security and development around shared goals and shared ownership.
AI isn’t creating chaos — it’s revealing the chaos that was already there. And that’s an opportunity. Once you can see it, you can fix it.
You can read the full State of AI-Native Application Security 2025 report here.

Incident Date: March 14th, 2024 (discovered)
CVE: CVE-2025-30066
Updates on the incident
This section will be updated regularly based on available information, and analysis related to the incident. Following the report on the tj-actions/changed-files supply chain attack, new findings from Wiz Research reveal that the compromise may have originated from a separate attack on reviewdog/actions-setup@v1. This newly discovered breach likely led to the compromise of the tj-actions-bot's GitHub Personal Access Token (PAT), enabling attackers to modify the tj-actions/changed-files repository and cause widespread secret leaks. The attack involved injecting a base64-encoded payload directly into the install.sh script, impacting CI workflows across multiple repositories.
Given that reviewdog/actions-setup@v1 was compromised before the tj-actions incident and later stealthily reverted, there is a significant risk of recurrence. Security teams should take immediate action by identifying affected repositories, removing references to impacted actions, rotating any potentially exposed credentials, and enforcing stricter security practices such as pinning GitHub Actions to specific commit hashes. Wiz has disclosed these findings to reviewdog and GitHub, and we continue to monitor developments to prevent further supply chain threats.
Overview
On March 14, 2025, a major supply chain attack compromised the tj-actions/changed-files GitHub Action, widely used across 23,000+ repositories. The attackers modified the action’s code and updated multiple version tags to a malicious commit, causing workflows to execute a script that leaked sensitive CI/CD secrets through workflow logs.The compromise is also being tracked as a vulnerability, and has been assigned CVE-2025-30066.
Breaking Down the Attack
The attackers injected malicious code by spoofing the commit with a Node.js function including base64-encoded payloads, which were added to the GitHub Action tags. The payload, once decoded, revealed a script that downloaded additional malicious Python code from a GitHub Gist. The Python script then scanned the memory of the GitHub Runner’s "Runner.worker" process for sensitive credentials using regular expressions. Finally, the extracted secrets were printed in the workflow logs, exposing them to unauthorized access.
.png)
Immediate Measures to Control the Impact
To mitigate the risks associated with this attack, consider the following immediate actions:
- Allow-List GitHub Actions: Use GitHub’s allow-list to block compromised actions and keep it updated with trusted ones.
- Pin GitHub Actions to Specific Commit SHAs: Avoid using floating tags (@v35, @latest); always pin to a specific SHA for security.
- Rotate Secrets: Monitor logs for suspicious activity and immediately rotate any compromised secrets.
- Manage Workflow Logs: Delete affected logs after analysis to remove traces of exposed secrets.
How can Harness SCS help?
Harness Supply Chain Security (SCS) proactively secures your software supply chain by identifying and mitigating risks within your workflows. It scans for unverified dependencies, unpinned GitHub Actions, and critical security misconfigurations, ensuring vulnerabilities are detected and addressed before they can be exploited. Harness also enforces supply chain benchmarks, performs comprehensive security checks, and implements proactive measures to prevent future attacks.

1. Identify Unpinned Actions: Harness SCS detects unpinned actions in the pipeline workflow. Unpinned GitHub Actions can be modified, allowing attackers to inject malicious code into pipelines, potentially exposing secrets or altering source code.
2. Restrict Action Permissions: Running unverified GitHub Actions without restrictions increases the risk of executing malicious code from compromised or hijacked actions. Enforcing minimal permissions helps limit potential damage and enhance security.
3. Minimal Token Permissions: Use Harness SCS to find and apply minimal token permissions for GitHub Actions, reducing exposure and ensuring adherence to the principle of least privilege.

The SCS module provide additional rules to minimize the blast radius of supply chain risks or attacks, limiting the attack surface and strengthening security.
Integrating Harness SCS Runtime Analysis with Traceable - Coming Soon!
.png)
The Traceable eBPF agent is set to offer several features that will significantly enhance runtime protection for both GitHub Actions and Harness CI in the future:
- Detect Leaked Secrets: By integrating with GitHub’s log API, it will be able to detect sensitive secrets exposed in logs, helping to mitigate the risk of data leakage.
- Monitor External URLs: The agent will be capable of spotting unusual GitHub Action calls to external URLs, using a baseline technique to reduce noise and improve detection of suspicious activities.
- Identify Malicious RCE: It will also be able to detect malicious remote code execution (RCE) calls, such as scripts trying to print environment variables, helping to block potential threats before they escalate.
Conclusion
The tj-actions/changed-files supply chain attack highlights the increasing risks in CI/CD security. To prevent similar incidents, organizations must adopt proactive security measures and follow best practices, such as using pinned actions, auditing workflows, and enforcing strict access controls. Consider using the Harness SCS to prevent future attacks.
































.png)








