# Security Scanning

Set up security scanning using `sto-sast-primer` and optionally `ci-sto-hcr-standard`.

Module directories:

- `sto-sast-primer/` — SAST/SCA scanning templates
- `ci-sto-hcr-standard/` — CI + STO with Harness Code Repository
$ARGUMENTS
## What These Create

### sto-sast-primer

- Pipeline templates for security scanning (standard + HCR variants)
- Stage templates for STO execution
- Step group templates for each scanner:
  - Gitleaks — secret detection in code
  - OSV — open-source vulnerability database scanning
  - OWASP Dependency Check — dependency analysis
  - Semgrep — static code analysis patterns
- STO Config Manager for global exclusions (optional)
- Harness Code Repository for exclusion config storage (optional)

### ci-sto-hcr-standard

- Complete CI + STO pipeline with Harness Code Repository
- Repository with branch protection rules
- Webhook triggers for Push, PR, and Main events
- Input sets for pipeline execution
## Resource Requirements

Default resource allocations per scanner (important for K8s capacity planning):

| Scanner | CPU (cores) | Memory |
|---|---|---|
| Gitleaks | 0.4 | 600Mi |
| OSV | 1 | 2Gi |
| OWASP | 2 | 6Gi |
| Semgrep | 2 | 4Gi |
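To turn the table above into a capacity check for a self-hosted Kubernetes cluster, here is an added helper (example code, not part of the `sto-sast-primer` module) that parses Kubernetes CPU and memory quantities, sums the defaults for the scanners you select, and tests whether a worst-case parallel run fits a node; the node sizes are constructed sample values.

```python
import re

# Default per-scanner resource allocations, copied from the table above.
SCANNER_RESOURCES = {
    "gitleaks": {"cpu": "0.4", "memory": "600Mi"},
    "osv":      {"cpu": "1",   "memory": "2Gi"},
    "owasp":    {"cpu": "2",   "memory": "6Gi"},
    "semgrep":  {"cpu": "2",   "memory": "4Gi"},
}

# Kubernetes memory suffixes (binary and decimal) -> multiplier in bytes.
_MEM_UNITS = {"": 1, "Ki": 1024, "Mi": 1024**2, "Gi": 1024**3, "Ti": 1024**4,
              "k": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}


def parse_cpu(q: str) -> float:
    """Kubernetes CPU quantity ('0.4', '2', '500m') -> cores."""
    return int(q[:-1]) / 1000 if q.endswith("m") else float(q)


def parse_memory(q: str) -> int:
    """Kubernetes memory quantity ('600Mi', '2Gi', '1024') -> bytes."""
    m = re.fullmatch(r"(\d+)([A-Za-z]*)", q)
    if not m or m.group(2) not in _MEM_UNITS:
        raise ValueError(f"unsupported memory quantity: {q}")
    return int(m.group(1)) * _MEM_UNITS[m.group(2)]


def total_requests(scanners):
    """Sum CPU (cores) and memory (bytes) over the selected scanners."""
    cpu = sum(parse_cpu(SCANNER_RESOURCES[s]["cpu"]) for s in scanners)
    mem = sum(parse_memory(SCANNER_RESOURCES[s]["memory"]) for s in scanners)
    return cpu, mem


def fits_on_node(scanners, node_cpu: str, node_memory: str) -> bool:
    """True if every selected scanner could run at once on a single node
    with the given allocatable CPU and memory (parallel worst case)."""
    cpu, mem = total_requests(scanners)
    return cpu <= parse_cpu(node_cpu) and mem <= parse_memory(node_memory)


if __name__ == "__main__":
    all_four = list(SCANNER_RESOURCES)
    cpu, mem = total_requests(all_four)
    print(f"all four scanners: {cpu:.1f} cores, {mem / 1024**3:.2f} GiB")
    # Constructed sample node sizes, not taken from the page.
    print("fits 4 cores / 16Gi:", fits_on_node(all_four, "4", "16Gi"))
    print("fits 8 cores / 16Gi:", fits_on_node(all_four, "8", "16Gi"))
```

Running all four scanners in parallel needs about 5.4 cores and 12.6 GiB, so a 4-core node is CPU-bound before it is memory-bound.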
## Conversation Flow

1. Auto-detect org/project from upstream state.
2. "Where should scanning templates be deployed?" → org/project or account level
3. "Which scanners do you want?" (default: all four)
   - Gitleaks — finds hardcoded secrets
   - OSV — checks dependencies against vulnerability databases
   - OWASP — comprehensive dependency analysis
   - Semgrep — finds code anti-patterns and security issues
4. "Will scans run on Harness Cloud or self-hosted Kubernetes?"
   - Self-hosted → ask for `kubernetes_connector`
   - Harness Cloud → set to `"skipped"`
5. "Do you need custom scanner images or resource limits?" (most users: no)
6. "Do you want the STO global exclusions config manager?" (recommended: yes)
7. Generate tfvars for `sto-sast-primer`, then deploy.
8. "Do you also want the full CI + STO + Harness Code Repository pipeline?" → `ci-sto-hcr-standard`
## Prerequisites

- None strictly required (can deploy at account level)
- Organization/project recommended for proper scoping