Cloud costs
April 5, 2024
min read

Making Shift-left Security Even Easier: Built-in Scanners and Automatic Configuration with Harness STO


Even with our integrated platform approach to shift-left security through the Harness STO (Security Testing Orchestration) module, we still found a few new ways to enhance the simplicity of configuring and orchestrating security scanners throughout development pipelines.

When we first dove into shift-left security, we quickly learned that when it comes to security scanners across all five major classes (SAST, DAST, SCA, Container, and Secrets detection), users tend to have strong preferences for specific scanners and therefore value freedom of choice. This is why Harness built integrations with over 40 of the top commercially-available scanners. But what about customers who are just getting started with figuring out their shift-left security approach and aren’t yet ready to integrate commercial scanners with Harness STO?

For those users still figuring out the initial stages of their shift-left security strategy, we’ve created an easy on-ramp to running application security testing through a set of fully built-in open-source scanners available in the Harness Platform’s step library, shown below:

Built-in open source scanners in Harness Step Library

Supported Built-in Open Source Scanners

  • SCA: OWASP & Google OSV
  • Secret Detection: Gitleaks
  • Container: Aqua Trivy & Anchor Gryp
  • SAST: Semgrep (coming soon)

Any of these five open-source scanners can be added to your pipelines quickly and with minimal configuration. The scanners used in these steps are free to STO users and are ready to run as soon as you add them to your pipeline. Working with these built-in scanners is a great way to jumpstart your DevSecOps practices without developer toil.

We’ve also made scanner configuration more efficient, which pays off in situations where multiple scans are being added as parallel pipeline steps. Rather than manually entering values for targets and variants for security test steps with configurable UIs, such as Aqua Trivy, Semgrep, and ZAP, Harness STO now offers an auto-detection option for these parameters. This feature reduces toil and error.


Scanner configuration window with option for Target and Variant auto-detection

Want to learn more about how Harness STO helps you shift security left? Visit the STO product page or sign up for a demo with one of our experts!

Sign up now

Sign up for our free plan, start building and deploying with Harness, take your software delivery to the next level.

Get a demo

Sign up for a free 14 day trial and take your software development to the next level


Learn intelligent software delivery at your own pace. Step-by-step tutorials, videos, and reference docs to help you deliver customer happiness.

Case studies

Learn intelligent software delivery at your own pace. Step-by-step tutorials, videos, and reference docs to help you deliver customer happiness.

We want to hear from you

Enjoyed reading this blog post or have questions or feedback?
Share your thoughts by creating a new topic in the Harness community forum.

Sign up for our monthly newsletter

Subscribe to our newsletter to receive the latest Harness content in your inbox every month.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Security Testing Orchestration