SBOM Generation and Attestation

Automate SBOM generation in your Harness pipelines

Generate a Software Bill of Materials (SBOM) with every build in either SPDX or CycloneDX format using your preferred tools. SBOMs are attested using your private key to ensure integrity and authenticity, and are stored alongside the image in the artifact repository. The SBOM Generation step is available in both the Build and Deploy stages of the pipeline.

SBOM Scoring and Drift Detection

Assess the overall quality of SBOMs based on a variety of key aspects, such as NTIA-minimum elements, structural characteristics and semantics. Automatically run detailed SBOM drift analysis to reduce the risks of missing newly introduced vulnerabilities or falling out of compliance with licensing and security policies.

Policy Enforcement

Allow only compliant artifacts

Use enforcement policies to proactively mitigate risks by blocking components based on factors such as component name, version, supplier, PURL, and licensing attributes. The Policy Enforcement step is available in both the Build and Deploy stages of the pipeline.

SLSA Provenance Generation

Build trust in your artifacts

Generate provenance in accordance with Supply-chain Levels for Software Artifacts (SLSA) specifications to achieve Level 3 compliance, thereby improving trust and credibility. SLSA provenance captures data like the repository and branch used to build the artifact, as well as who triggered the build.

SLSA Provenance Verification

Ensure artifact integrity before deployment

Verify SLSA provenance to confirm the integrity of the artifact and assure it was produced as expected, guaranteeing no tampering has occurred. The SLSA Verification step in the Deploy stage can be used to verify the provenance generated by Harness or third-party build systems using OPA policies.

License Compliance

Mitigate legal risks

Manage risks associated with open-source licenses by defining an allowed list of licenses for use within your organization. Use Policy Enforcement to define license usage policies.
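The component-level blocking and license allow list described in the Policy Enforcement and License Compliance sections, together with the version-to-version drift analysis from the SBOM Scoring and Drift Detection section, as one added Python example. This is not Harness code and does not use the Harness policy format: the two CycloneDX-style SBOM documents, the `POLICY` structure and its rule keys (`purl_prefix` and friends) are this example's own constructed assumptions.

```python
"""Added example (not Harness code): parse two CycloneDX-style SBOMs, report
component drift between builds, and enforce a deny/allow policy on component
name, version, supplier, PURL and license. All data below is constructed."""
import json
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    supplier: str
    purl: str
    licenses: tuple  # SPDX license ids declared for the component


def parse_cyclonedx(text: str) -> Dict[str, Component]:
    """Read the 'components' array of a CycloneDX JSON document into a name-keyed map.
    Only the attributes the policy needs are extracted; the rest of the BOM is ignored.
    Keying by name assumes one version of a package per build, which this sample satisfies."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    out: Dict[str, Component] = {}
    for c in doc.get("components", []):
        lic_ids = []
        for entry in c.get("licenses", []):
            lic = entry.get("license", {})
            lic_id = lic.get("id") or lic.get("name")
            if lic_id:
                lic_ids.append(lic_id)
        out[c["name"]] = Component(
            name=c["name"],
            version=c.get("version", ""),
            supplier=c.get("supplier", {}).get("name", ""),
            purl=c.get("purl", ""),
            licenses=tuple(lic_ids),
        )
    return out


def sbom_drift(old: Dict[str, Component], new: Dict[str, Component]) -> Dict[str, list]:
    """Report components added, removed, or changed in version between two builds."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(
        (n, old[n].version, new[n].version)
        for n in set(old) & set(new)
        if old[n].version != new[n].version
    )
    return {"added": added, "removed": removed, "changed": changed}


# Constructed enforcement policy (this example's own format, not Harness's):
# every attribute in a deny rule must match for the rule to fire, and any
# declared license outside the allow list is also a violation.
POLICY = {
    "deny": [
        {"name": "bad-pkg"},                     # block a component outright
        {"name": "libfoo", "version": "2.0.1"},  # block one specific version
        {"supplier": "Unknown"},                 # block anything without a trusted supplier
        {"purl_prefix": "pkg:npm/legacy-"},      # block a namespace by PURL prefix
    ],
    "allowed_licenses": {"MIT", "Apache-2.0", "BSD-3-Clause"},
}


def _matches(rule: dict, comp: Component) -> bool:
    for key, want in rule.items():
        if key == "purl_prefix":
            if not comp.purl.startswith(want):
                return False
        elif getattr(comp, key) != want:
            return False
    return True


def enforce(components: Dict[str, Component], policy: dict) -> List[str]:
    """Return one human-readable violation per (component, rule) hit; empty means compliant."""
    violations: List[str] = []
    for comp in sorted(components.values(), key=lambda c: c.name):
        label = comp.purl or comp.name
        for rule in policy["deny"]:
            if _matches(rule, comp):
                violations.append(f"{label}: matches deny rule {rule}")
        if not comp.licenses:
            violations.append(f"{label}: no license declared")
        for lic in comp.licenses:
            if lic not in policy["allowed_licenses"]:
                violations.append(f"{label}: license {lic} not in allow list")
    return violations


# Constructed sample SBOMs for two consecutive builds of a hypothetical service.
SBOM_V1 = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"name": "left-pad", "version": "1.3.0", "supplier": {"name": "ExampleCorp"},
     "purl": "pkg:npm/left-pad@1.3.0", "licenses": [{"license": {"id": "MIT"}}]},
    {"name": "libfoo", "version": "2.0.0", "supplier": {"name": "FooOrg"},
     "purl": "pkg:npm/libfoo@2.0.0", "licenses": [{"license": {"id": "Apache-2.0"}}]},
]})
SBOM_V2 = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"name": "left-pad", "version": "1.3.0", "supplier": {"name": "ExampleCorp"},
     "purl": "pkg:npm/left-pad@1.3.0", "licenses": [{"license": {"id": "MIT"}}]},
    {"name": "libfoo", "version": "2.0.1", "supplier": {"name": "FooOrg"},
     "purl": "pkg:npm/libfoo@2.0.1", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"name": "gpl-tool", "version": "0.9.0", "supplier": {"name": "Unknown"},
     "purl": "pkg:npm/gpl-tool@0.9.0", "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"name": "legacy-util", "version": "1.0.0", "supplier": {"name": "ExampleCorp"},
     "purl": "pkg:npm/legacy-util@1.0.0", "licenses": [{"license": {"id": "MIT"}}]},
]})

if __name__ == "__main__":
    v1, v2 = parse_cyclonedx(SBOM_V1), parse_cyclonedx(SBOM_V2)
    print("drift:", sbom_drift(v1, v2))
    for v in enforce(v2, POLICY):
        print("BLOCK:", v)
```

Running the module prints the drift between the two builds (one new version and two newly introduced components) and four policy hits for the second build, which is what a gate in the Build or Deploy stage would act on; the first build passes cleanly. Matching on PURL rather than bare name is what makes the namespace rule useful, since the PURL carries the package type and namespace the name alone does not.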

Artifact composition and usage view

Track component usage to deployment

Gain in-depth understanding of each artifact's composition, including all open-source components used in the artifacts and their deployment environments. Track changes across versions to identify when a new component is introduced.

Component Usage Insights

Comprehensive component visibility

Achieve deeper visibility into the usage of open-source components across all your artifacts and deployments. Track key attributes such as license, supplier, package manager, and PURL for each component.

Remediation workflow

Eliminate blind spots in your remediation effort

Instantly assess the impact of a zero-day vulnerability by identifying which artifacts are affected and where they are deployed. Notify owners, track progress, and generate compliance reports once remediation is complete.

Software Supply Chain Assurance