Security Testing Orchestration Features

Orchestrate Scanners Inside Harness CI/CD or Standalone Pipeline

Harness Security Testing Orchestration (STO) integrates with multiple open-source and commercial security scanners for secure pipeline development and security testing. Orchestrating application security scanners across software delivery and processing the output of the scanners allows for both enhanced application security and high delivery velocity. STO can be configured to be used with Harness CI/CD or in a standalone mode, integrating with any CI tool.

Flexible Security Scan Data Ingestion Options

Harness STO integrates with multiple scanners and supports use of software artifacts to acquire vulnerability data (such as code repository, container images, instances, or configuration files). 

Vulnerability assessment can be done on each scanner-target combination. Vulnerability data can be acquired for processing in the following ways:

  • Orchestrated workflows — A Security step runs a scan with predefined settings and ingests the results. STO supports orchestrated scans for Trivy, Bandit, SonarQube, and other popular tools.
  • Ingestion-Only workflows — Run a scan in a Run step, or outside the pipeline, and save in a shared folder. A Security step then ingests the results. You can ingest results from highly targeted scan that address specific use case. You can also ingest results from scanners that currently have no STO integration.
  • Data-Load workflows — A Security step downloads and ingests results from an external scanner.This workflow is supported for scanners that provide methods for transferring data programmatically. You can run scans in a separate run step, or outside Harness entirely, and ingest the results into your pipelines. As well as custom scans with advanced settings that address specific security requirements.
  • STO also supports a generic JSON format if you want to to ingest data from tools that do not currently have STO integrations. For more information, go to Custom Scanners Reference.

Security Exemption Review Between Developers and Security

Security vulnerabilities identified during security testing, while often important, are not always actionable. In some scenarios, they may not be applicable to specific development environments or there might be additional complexity in resolving a security issue immediately. For these reasons, security exemptions are an important parcel of secure software development lifecycle. Security stakeholders can grant and manage exemptions on vulnerabilities or issues identified from security scans during various software development stages via Harness STO.

Comprehensive Dashboards and Reporting

The STO dashboards provide a centralized source for aggregating multiple security scanner outputs with customizable views based on roles within the organization. Tailored dashboard views cater to specific organizational needs, providing a common place for security practitioners and developers to collaborate from and to prioritize, remediate, and address code vulnerabilities.

Customizable policies based on the Open Policy Agent (OPA) standard

Harness STO empowers teams to customize governance configuration and enforce requirements as part of the CI/CD pipeline with customizable policies based on the Open Policy Agent (OPA) standard. This provides flexibility to define governance policies as needed across the organization and ensure that code being deployed meets the  organization's specific security standards.

Intelligent Normalization, and Deduplication of Vulnerabilities 

Harness STO eases developer workload by automating security scanning and governance in software delivery with customizable policies based on the Open Policy Agent (OPA) standard. This provides fine-grain control and enforces the execution of all desired security scanners across all stages of the SDLC. As a result, it prevents deployment of any code that has critical vulnerabilities from getting into a production environment.

Orchestrated Scan in an STO Pipeline

An orchestrated scan is a fully automated workflow that scans an object and ingests the results into Harness in one Security step. Orchestrated scans are the easiest to set up and are a great way to get started with STO.

Ingest Scan Results

To ingest scan results from outside a Security step, you set up your pipeline as follows:

  • A Run step saves scan results to a shared folder. The step might run the scan locally or download results from an external source.
  • A Security step ingests the results from the shared folder. Then it analyzes, deduplicates, and displays the results.


Built-in User Management and Authentication

Harness provides built-in access control features including authentication, authorization, and auditing. It also allows you to enforce password policies, such as password strength, periodically expiring passwords, and enforcing two-factor authentication. 

Data Retention (5 years)

CCM has an industry-leading five-year retention period, giving our customers long-term views into their cloud cost history. Data retention policies depend on the Harness product and plan you are using. 

Provisioning Users with Okta (SCIM)

By using Okta as your identity provider, you can efficiently provision and manage users in your Harness Account, Org, and Project. Harness's SCIM integration enables Okta to serve as a single identity manager for adding and removing users and for provisioning User Groups, helping your team gain efficiency for managing many users.

Provision Azure AD Users and Groups (SCIM)

By using Azure AD as your identity provider, you can efficiently provision and manage users in your Harness Account, Org, and Project. Harness' SCIM integration enables Azure AD to serve as a single identity manager for adding and removing users and for provisioning User Groups. This integration improves efficiency when managing large numbers of users.

Provision Users and Groups with OneLogin (SCIM)

You can use OneLogin to provision users and groups in Harness. Harness' SCIM integration enables OneLogin to serve as a single identity manager for adding and removing users. This is especially efficient for managing large numbers of users.

Multiple Organizations

Create organizations and add collaborators so all your organizations can easily work on projects together.

Custom Dashboarding

Create custom dashboards to access the information you need across your entire Harness platform deployment. The dashboard allows you to organize, explore, and present structured data logically. You can use this data to improve deployments and to inform and improve your operations and business decisions.

‍Managed Service Provider (MSP) Enablement

MSPs provide a valuable service to their customers, helping to manage their cloud spend, consumption, and resources. Harness MSP enablement, combined with role-based access control, ensures that customer accounts remain properly segregated for account security. It also ensures correct billing visibility on a per customer basis.


Single Sign-On (SSO) with OAuth 2.0

Harness supports single sign-on (SSO) with OAuth 2.0 identity providers, such as GitHub, Bitbucket, GitLab, LinkedIn, Google, and Azure. These integrations allow you to use an OAuth 2.0 provider to authenticate your Harness Users. Once OAuth 2.0 SSO is enabled, Harness Users can simply log into Harness using their GitHub, Google, or other provider's email address.

Single Sign-On (SSO) with SAML

Harness supports SSO with SAML, integrating with your SAML SSO provider so you can log your users into Harness as part of your SSO infrastructure.

Single Sign-On (SSO) with LDAP

Harness supports SSO with LDAP implementations, including Active Directory and OpenLDAP. Integrating Harness with your LDAP directory enables you to log your LDAP users into Harness as part of Harness' SSO infrastructure. Once you integrate your Harness account with LDAP, you can create a Harness User Group and sync it with your LDAP directory users and groups. The users in your LDAP directory can then log into Harness using their LDAP emails and passwords.

Two-Factor Authentication (2FA)

Harness provides support for 2FA throughout the Harness Software Delivery Platform, with enforcement both at the individual user account level and at the account-wide (all accounts) level. 2FA setup with Harness is easy, using a smartphone-based process using QR codes for initial setup and username/password for all subsequent logins once configured. 


Policy-Based Governance (OPA)

Harness policy-as-code is a centralized policy management and rules service that leverages the Open Policy Agent (OPA) to meet compliance requirements across software delivery and enforce governance policies. Policies are written as declarative code, so they are easy to understand and modify, enabling teams to have autonomy over their processes with oversight and guardrails in place to prevent them from straying from standards. Teams can use policy-as-code to implement global governance policies across all releases, and combine with Pipeline Governance for policies to be implemented on a per-release basis.

RBAC (Role-based Access Control) - Built-in Roles and Custom Roles

Harness provides fine-grained RBAC to enforce separation of duties and control what user groups are granted access to specific resources based on assigned roles. This allows businesses to protect their data and key business processes through company-set rules and roles. Built-in roles are available by default to quickly create the desired permissions at the account, organization, and project level within Harness, as well as the ability to create custom roles for additional flexibility based on business needs that fall outside of the scope provided by default roles. 

Pipeline Governance

Harness Pipeline Governance measures how compliant your feature release pipelines are compared to your regulatory and operations standards. As a deployment pipeline is triggered within Harness, the deployment can require approval before releasing to production based on a “score” that indicates how compliant a given pipeline is before approving .- tThis “score” is made up of individual weighted tags that, together, determine the level of compliance. 

Audit Trail (2-year data retention)

Harness Audit Trails provide the visibility needed to meet organizational governance needs and prepare for external audits. With Harness Audit Trails, you can view and track changes to your Harness resources within your Harness account with data stored from up to two years prior. Without this data, developers are forced to manually compile information for audits.


Harness provides a flexible hosting model that allows for full SaaS implementations, full on-premise implementations, and hybrid implementations. These flexible models allow companies with a variety of security requirements to use Harness Feature Flags.

Hosting includes:

  • SaaS or on-premise deployment options available
  • Automatic horizontal scaling and high availability
  • Automatic backups and disaster recovery
  • SLA guarantee


Those using open source and source-available products from Harness can access to leverage our community-supported knowledge base contributed to by both Harness staff and Harness users. 


Harness standard support, included for all Harness customers on a paid contract, includes coverage from 9am to 5pm Monday through Friday, with response times indicated in the table below based on the severity of the need. Support entitlements are provided for two named admins for each customer. 


Harness standard support, included for all Harness customers on a paid contract, includes coverage 24 hours a day, 7 days a week, with response times indicated in the table below based on the severity of the need. Also included at the Premier support level are Zoom-based communication as well as post-incident reports. Support entitlements are provided to all customer staff. 

Request an STO Demo

Automated DevSecOps for CI/CD Pipelines. Proactive application security scanning and governance for engineering and DevSecOps. Replace manual efforts, reduce toil and minimize risk associated with software vulnerabilities. Request your demo today.

Request an STO Demo