Feature Requests

Noticed that some of our images are pinned in our instance of Harness but STO didn't respect the pin. Some customers might want to not run the latest...

Mend has a newer CLI tool and v3.0 API, and is compatible with Mend’s SCA, SAST, and Container scanners We'd like to have the Mend Runner updated, so that these new functions can be utilized

Many teams use not only CI when deploying infrastructure, and we need to enable (and enforce via OPA) teams to scan their IAC before deploying. Currently there is no way to perform Wiz Native scanning or using Custom Scan Ingestion steps (two different solutions) within CD or Custom Stages. We need teams to be able to view their vulnerabilities regardless of the stage they are deploying.

We want to remove the specific value "For All Time" field for the "how long?" field. Ideally, being able to customize the values in the drop down would be the goal. Specifically, we want to remove For All Time, because the developers want to submit exemptions with the max time, but there are no reasons why we would allow a "for All Time" value. It doesn't appear that OPA allows us to control value or control the submission routine. This causes problems for us because it adds unnecessary delays when people submit a request for "For All Time"

utilzing the Issue Exemption Workflow | Harness Developer Hub We need a method to set the notifications for an exemption to go to a particular group of people. This notification should ONLY be for exemption requests. For our particulat needs, this needs to support sending a notification to a MS Teams channel. We want something similar to https://developer.harness.io/docs/continuous-delivery/cd-onboarding/existing-user/ms-teams-notification-for-events-approvals/ , but for the exemptions specifically It is important that this notification is separate from the general Pipeline Notifications, as the groups that need to be notified would be different. As an example, Pipeline notifications would go to the developers, and the exemptions need to go to more senior/security staff

We have common base images that are used across all development teams. We want to be able to reference the container image pipeline that scanned and produced the base image in STO baselines across projects and orgs. As it stands now, we would need to scan the common base image an excessive amount since each project needs to scan the common image

Currently, when a user is added at the Account level and subsequently granted Role Binding at the Project level, the user details of the requester or approver in Security Exemption are not visible to the user. We’ve identified that users need Account-level User View access to view the Security Exemption users. To address this, we require that Security Exemption views be made compatible with Project level User View access.

add support for the aqua trivy fs (file system) scan which scans a code repo/files. https://trivy.dev/v0.51/docs/target/filesystem/

Add aqua security on-prem support, which requires adding auth support for username/password. Confirmed with Aqua Security, our partner, than the on-prem does not support long-lived tokens and just the username and password for auth. Today aqua security native STO step only support SaaS version and auth method as Token.

Currently Harness STO module does not have option for ORCA integration for vulnerability scan. Raising this enhancement request to support this integration.