.svg)
SBOM Generation and Attestation
Automate SBOM generation in your Harness pipelines
Generate a Software Bill of Materials (SBOM) with every build in either SPDX or CycloneDX format using your preferred tools. SBOMs are attested using your private key to ensure integrity and authenticity, and are stored alongside the image in the artifact repository. The SBOM Generation step is available in both the Build and Deploy stages of the pipeline
SBOM Scoring and Drift Detection
Assess the overall quality of SBOMs based on a variety of key aspects, such as NTIA-minimum elements, structural characteristics and semantics. Automatically run detailed SBOM drift analysis to reduce the risks of missing newly introduced vulnerabilities or falling out of compliance with licensing and security policies.
.webp)
Policy Enforcement
Allow only compliant artifacts
Use enforcement policies to proactively mitigate risks by blocking components based on factors such as component name, version, supplier, PURL, and licensing attributes. The Policy Enforcement step is available in both Build and Deploy stages of the pipeline
.webp)
.webp)
SLSA Provenance Generation
Build trust in your artifacts
Generate provenance in accordance with Supply-chain Levels for Software Artifacts (SLSA) specifications to achieve Level 3 compliance, thereby improving trust and credibility. SLSA provenance captures data like the repository and branch used to build the artifact, as well as who triggered the build.
.webp)
.webp)
SLSA Provenance Verification
Ensure artifact integrity before deployment
Verify SLSA provenance to confirm the integrity of the artifact and assure it was produced as expected, guaranteeing no tampering has occurred. The SLSA Verification step in the Deploy stage can be used to verify the provenance generated by Harness or third-party build systems using OPA policies.
License Compliance
Mitigate legal risks
Manage risks associated with open-source licenses by defining an allowed list of licenses for use within your organization. Use Policy Enforcement to define license usage policies.
Artifact composition and usage view
COMING SOON
Track component usage to deployment
Gain in-depth understanding of each artifact's composition, including all open-source components used in the artifacts and their deployment environments. Track changes across versions to identify when a new component is introduced.
Component Usage Insights
COMING SOON
Comprehensive component visibility
Achieve deeper visibility into the usage of open-source components across all your artifacts and deployments. Track key attributes such as license, supplier, package manager, and PURL for each component.
Remediation workflow
COMING SOON
Eliminate blind spots in your remediation effort
Instantly assess the impact of a zero-day vulnerability by identifying which artifacts are affected and where they are deployed. Notify owners, track progress, and generate compliance reports once remediation is complete.
