Chapters
Try It For Free
Harness
/
Blog
/
Company News
February 4, 2026

Qwiet AI Is Now Harness SAST and SCA | Harness Blog

Renny Shen

All this author’s posts

Modern application security is struggling to keep up with AI-driven development and cloud-native scale, especially when security feels bolted onto CI/CD instead of built in. Harness SAST and SCA bring AI-powered application security testing natively into the Harness platform, reducing noise and alert fatigue. By identifying only vulnerabilities that are actually reachable in production code, teams get findings they can trust and act on faster. Pipeline-native orchestration, unified visibility, and AI-assisted remediation help security scale at the pace of modern software delivery.

If you’re delivering software in 2026, you’re caught in a swirl. AI-assisted coding is accelerating development. Cloud-native architectures are multiplying both microservices and the pipelines required to deliver them. And increasingly, it’s DevOps teams - not dedicated security teams - who need to catch vulnerabilities before they reach production. 

Bolting application security testing (AST) onto your pipelines kinda worked up until now, but with AI accelerating code velocity and cloud scaling complexity, this approach is breaking down. The problem isn't just integrating security tools—it’s the friction they create. Context switching between platforms, alert fatigue from noise, and slowing down pipelines to chase down false positives. Security still feels bolted on—an external gate rather than a native part of how you build and deliver software.

That's why we're bringing AST natively into the Harness platform. Today, we're excited to announce that Qwiet AI—the AI-powered SAST and SCA engine we acquired last year—is now available as Harness SAST and SCA (with 45-day free trial), with pre-configured security steps in Harness Security Testing Orchestration (STO) and full configuration and results visibility directly in the Harness UI. Security testing that feels like it belongs in your pipeline—because it does.

Introducing Harness SAST and SCA

Most AST solutions flood developers with thousands of findings—many of which are theoretical vulnerabilities in code paths that never actually execute in production. This creates alert fatigue and slows down pipelines while teams triage false positives. Harness takes a fundamentally different approach powered by AI and reachability analysis. Instead of flagging every potential vulnerability, we use our patented code property graph (CPG) analysis to understand how data flows through your application—identifying only the vulnerabilities that are actually reachable through execution paths in your code. This means:

  • Fewer false positives, more actionable results—by focusing on reachable vulnerabilities, Harness dramatically reduces noise. Teams spend less time investigating theoretical risks and more time fixing issues that matter.
  • Deep visibility into open source risk—Harness SCA goes beyond basic dependency scanning to identify reachable vulnerabilities in third-party libraries, showing you which CVEs in your dependencies are actually exploitable in your application's context.
  • AI-powered remediation—Harness SAST doesn't just identify vulnerabilities—it helps fix them with specific, actionable fix recommendations that developers can apply directly, based on your application's architecture and the data flows that make the vulnerability exploitable. 

The result? Security findings that developers actually trust—and act on.

Why Pipeline-Native AST Matters 

There’s a dirty secret of application security: every AST tool can integrate with CI/CD. Every vendor claims they shift left. But application security programs still stall at ~20-30% pipeline coverage because the operational burden doesn’t scale. Manual configuration, the need to piece together findings across multiple vendors and tools, and the challenge of orchestrating the right security testing across 100s or 1000s of pipelines all contribute.

When security testing runs as a first-party capability inside your CI/CD platform, three things happen: 

  1. Configuration becomes templated and reusable—you define security steps once and propagate them across pipelines at scale, eliminating the manual toil that kills AppSec coverage. 
  2. Feedback loops collapse—findings surface in the same interface where developers manage builds, deployments, and rollbacks, removing the context-switching tax that causes security issues to languish. 
  3. Orchestration becomes policy-driven—instead of configuring individual scanners, you define what security posture looks like and let the platform take the right actions based on pipeline-level outcomes. 

The result is security testing that actually operationalizes at the pace and scale of modern software delivery—where covering 80% of your pipelines is a matter of policy enforcement, not heroic manual effort.

Pipeline-Native SAST and SCA with Harness

Harness AST combines the accuracy and actionability of Qwiet AI’s scanners with the operationalization at scale on the Harness platform. 

Pre-Defined Security Steps

Along with API Security Testing, Harness SAST and SCA are now available as pre-defined security steps in Security Testing Orchestration. This eliminates the complex setup and configuration work typically required to integrate security testing tools with CI/CD pipelines, allowing you to add security tests in minutes rather than hours. Instead of spending hours configuring a SAST scanner with the right language runtimes, authentication tokens, and result parsers, simply add the 'Harness SAST' step to your pipeline and you're scanning. This standardized approach ensures consistent security coverage across all projects while removing the friction that often causes teams to skip or delay security testing in their CI/CD workflows.

Virtual Pipeline Builder

Having Harness SAST and SCA as pre-configured steps in the STO step library transforms pipeline creation into an intuitive visual workflow. Developers can simply drag and drop security testing steps directly into their pipeline stages in Harness's virtual pipeline builder, selecting from industry-leading scanners without writing YAML configurations, managing container images, or troubleshooting integrations. The visual interface automatically handles the underlying orchestration, allowing teams to see exactly where security gates fit in their deployment workflow and adjust them with simple parameter changes.

Understanding Pipeline Posture with STO

STO provides a unified view of all security findings, consolidating results from Harness SAST and SCA alongside any of the 50+ integrated partner scanners into a single dashboard. Rather than jumping between different tool interfaces or parsing scattered reports, teams can view all vulnerabilities for a specific pipeline or aggregate findings across multiple pipelines to understand their broader application security posture. 

But STO doesn't just aggregate findings—it provides the context developers need to act. For each vulnerability, you can see which pipeline introduced it, which deployment it affects, and what remediation Harness SAST recommends. You can also set exemption policies, track remediation over time, and understand your security posture across the entire application portfolio—all without leaving the Harness platform.

Viewing SAST and SCA Findings

Harness STO displays comprehensive details for every SAST and SCA finding directly in the Harness UI, eliminating the need to switch to external scanner dashboards or export reports. Teams can click into any vulnerability to access full context about the issue, its severity, affected files, and remediation guidance—all within their existing workflow.

For SAST findings, Harness visualizes the complete data flow for each vulnerability, showing the "source-to-sink" execution path that illustrates how untrusted data propagates through application logic and is ultimately used in a sensitive operation. This visual representation provides precise code-level context based on static analysis, helping developers understand not just where a vulnerability exists, but exactly how malicious input could flow through their application to create a security risk. By mapping the entire taint flow, developers can see each step in the vulnerable code path and identify the optimal point for implementing fixes.

Each finding includes AI-powered remediation guidance from Harness, which explains the vulnerability details, the security concept behind why it's dangerous, and specific steps to fix the issue in context. Rather than generic advice, Harness AI analyzes the specific code pattern and provides tailored recommendations that help developers understand both the immediate fix and the underlying security principle, accelerating remediation while improving the team's security knowledge over time.

Try It for Free Today

Ready to experience integrated SAST and SCA in your pipelines? Harness is offering STO customers a 45-day free trial to explore how native application security testing can transform your development workflow. You can add comprehensive code and dependency scanning to your existing pipelines using our visual pipeline builder, consolidate findings into a single dashboard, and leverage AI-powered remediation guidance—all without complex setup or additional infrastructure to manage.

Reach out to your account team to start your free trial today and see how Harness SAST and SCA eliminate the friction that traditionally keeps security testing out of CI/CD pipelines. 

Renny Shen

All this author’s posts

Renny Shen is a 25-year veteran of the technology industry and has deep experience both building and marketing a broad range of products and solutions. His career has run the gamut from scrappy startup to 800-pound gorilla, including stints at F5 Networks, Akamai Technologies, and Checkmarx. Renny currently runs product marketing for Harness’s security products

Previous
Next

Harness Acquires CI Pioneer Drone.io and Commits to Open Source

Harness Cloud Cost Management On AWS Marketplace

Introducing Harness Custom Deployments

Harness Template Library For Continuous Delivery

Helping Enterprises Gain an 'Easy Button' for Continuous Delivery: Announcing Harness Series B Financing

Harness Product Update | February 2021

Harness Product Update | March 2021

Harness Commits New Dev Experience to Drone Community

Harness Product Update | April 2021

Selects Harness over Spinnaker For Secure Continuous Delivery

3X Deployment Frequency & Decreases Deployment Time 75%

Introducing Harness Feature Flags

Harness Product Update | June 2021

Harness AutoStopping™ - FinOps Automation for Intelligent Cloud Cost Optimization

Introducing Harness CI Enterprise

Migrating From Homegrown Feature Flags

Harness Product Update | July 2021

Harness Product Update | August 2021

Announcing Feature Flags Analytics & Business Intelligence

Announcing Templates for Harness CI

Meet the Harnessians: Sony Priyadarshini & Tathagat Chaurasiya

Announcing: GitOps for Harness Feature Flags

Harness Launches Source Available Continuous Delivery

Harness Achieves SOC 2 Compliance

Harness Product Update | January 2022

Introducing Harness GitOps: Enterprise Security, Governance, and Scale for GitOps Deployments

How Harness dashboards enhance software delivery performance

Harness Acquires ChaosNative

Harness Expands Software Delivery Platform

Celebrating our women@harness community on International Women's Day

Celebrating our women@ community on International Women's Day

Celebrating our Women@ community and their impactful work

Introducing AutoStopping for AWS RDS

Harness Product Update | March 2022

Introducing Harness Service Reliability Management

Introducing Harness Security Testing Orchestration

Introducing Harness Chaos Engineering

Harness Valuation Soars to $3.7 Billion With $230 Million in Series D Funding

Introducing Harness Policy as Code, Powered by OPA

Harness Recognized by Inc. as One of the Best Workplaces 2022

Harness AAPI Employee Spotlight

Harness The Power of AWS EKS Anywhere, Now with Bare Metal

Harness Celebrates International Women in Engineering Day

Ensuring CI CD Pipeline Governance

Welcome to the Harness Family, Kustomize!

Introducing The Heroes of Continuous Delivery

Harness announces $115M in new financing with a $1.7B valuation

Harness Product Update | December 2019

How COVID-19 is Impacting Software Delivery

Harness Delivers RBAC For Continuous Delivery

Harness Ships Real-Time Analytics For Continuous Verification

Harness Product Update | April 2018

Harness Product Update for May/June 2018

Harness Product Update | Fall 2018

Harness Product Update | January 2019

Harness Product Update | May 2020

Drone: From Zero to 100 Million Downloads

Insights from Nick Durkin on software delivery and automation

Together, We're 500 Strong

Log4Shell Response

Harness Security Testing Orchestration Module is Now Generally Available to Accelerate Secure Software Delivery

Congratulations to Our Star Performers

Now Generally Available: Harness GitOps-as-a-Service Delivers Scalability, Control, and Security to Enterprises

Harness Celebrates Hispanic + Latino Heritage Month

Harness Honors Harnessians Who Served This Veterans Day

The Data is In: Harness CI is up to 4X faster than Other Solutions

Harness Named Best End-to-End DevOps Tool/Service

Introducing Software Engineering Insights

Harness Expands Chaos Engineering Resiliency Features with Integrated Continuous Delivery

Harness Celebrates Black History Month 2023

Introducing Harness Certified Experts - Continuous Delivery Developer Certification

Introducing Harness Internal Developer Portal - Beta release

Harness recognized as a fast mover in cloud FinOps analysis

Introducing Harness AI - AI Development Assistant for AI Infused Software Delivery

July 2023 Product Updates

Explore the Harness Idea Portal to enhance our product together

August 2023 Product Updates

Growing the Harness Developer Hub

Introducing the Harness CLI

Accelerating Harness CD & GitOps Learning for New Users

Become Harness Certified in CI and CD & GitOps at Any Level

Harness Introduces Four New Modules to Enhance Efficiency, Collaboration, and Security Across the Software Delivery Lifecycle

Harness Announces Engineering Leadership Community to Codify Engineering Excellence Standards

Elevating Harness AI: Harness Unveils 7 New Innovative Capabilities

Introducing Harness Software Supply Chain Assurance (SSCA)

Gitness: Your Ultimate Open Source Development Platform

Introducing Harness Infrastructure as Code Management

Why Platform Engineers Trust Harness

Transforming customer support with AI for faster answers

Harness Product Updates for December 2023. Learn what has changed in Harness over the previous month.

Retiring Harness CD Community Edition in favor of Gitness

Navigate a New Way: Your Dedicated User Experience

Harness Acquires Armory Assets

Announcing new features of Harness Chaos Engineering at the ChaosCarnival 2024

Level Up your Zero-day Vulnerability Remediation and SBOM Quality for a More Secure Software Supply Chain

Introducing Developer 360 pricing by Harness - supercharge your Developer Experience the easy way

Shipped by Harness - April 2024 Product Updates

Celebrating $150M In New Financing to Accelerate Innovation

Welcome Split to the Harness team

LitmusChaos Cloud Migrates to Harness Chaos Engineering Free Plan

Similar Blogs

No items found.
Security & Compliance
Security & Compliance
Security & Compliance
Application Security Testing
Company News
Application Security Testing