Generate a Software Bill of Materials (SBOM) with every build in either SPDX or CycloneDX format using your preferred tools. SBOMs are attested using your private key to ensure integrity and authenticity, and are stored alongside the image in the artifact repository. The SBOM Generation step is available in both the Build and Deploy stages of the pipeline
Use enforcement policies to proactively mitigate risks by blocking components based on factors such as component name, version, supplier, PURL, and licensing attributes. The Policy Enforcement step is available in both Build and Deploy stages of the pipeline
Generate provenance in accordance with Supply-chain Levels for Software Artifacts (SLSA) specifications to achieve Level 2 compliance, thereby improving trust and credibility. SLSA provenance captures data like the repository and branch used to build the artifact, as well as who triggered the build.
Verify SLSA provenance to confirm the integrity of the artifact and assure it was produced as expected, guaranteeing no tampering has occurred. The SLSA Verification step in the Deploy stage can be used to verify the provenance generated by Harness or third-party build systems using OPA policies.
Manage risks associated with open-source licenses by defining an allowed list of licenses for use within your organization. Use Policy Enforcement to define license usage policies.
Gain in-depth understanding of each artifact's composition, including all open-source components used in the artifacts and their deployment environments. Track changes across versions to identify when a new component is introduced.
Achieve deeper visibility into the usage of open-source components across all your artifacts and deployments. Track key attributes such as license, supplier, package manager, and PURL for each component.
Instantly assess the impact of a zero-day vulnerability by identifying which artifacts are affected and where they are deployed. Notify owners, track progress, and generate compliance reports once remediation is complete.