Scan your code, containers and live apps
Harness STO enables DevOps and Security teams to shift security testing left as a key outcome of their DevSecOps initiative. STO orchestrates scanning, intelligently deduplicating scanner output, prioritizing remediations, and enforcing governance in your Pipeline. STO puts scanning directly into your Pipelines to ensure that vulnerabilities are caught and fixed before your products are ever released.
Featured Tutorials
15min
Your first STO pipeline
Set up a Pipeline with one scanner, run scans, analyze the results, and learn the key features of STO.
15min
Create a build-scan-push pipeline (STO only)
Set up an end-to-end STO pipeline that scans your codebase. Then it builds an image and scans it. If the image scan detects no critical issues, the pipeline pushes the image to your registry.
All STO Tutorials
5min
STO Overview
Learn how Harness STO can help you solve your security scanning problems.
15min
Your first STO pipeline
Set up a Pipeline with one scanner, run scans, analyze the results, and learn the key features of STO.
10min
SAST codebase scans with Semgrep
Quickly set up a pipeline to scan codebases using Semgrep, which supports a wide variety of languages.
10min
Container image scans with Aqua Trivy
Quickly set up a pipeline to scan container images using the open-source Aqua Trivy scanner.
10min
DAST web app scans with Zed Attack Proxy
Quickly set up a pipeline to scan a web app using Zed Attack Proxy.
10min
Trigger automated scans using GitLab merge requests
Learn how to launch pipeline builds and scans automatically based on GitLab events.
15min
Create a build-scan-push pipeline (STO only)
Set up an end-to-end STO pipeline that scans code, builds an image, and scans it. If the image scan detects no critical issues, the pipeline pushes the image to your image registry.
15min
Create a build-scan-push pipeline (STO and CI)
Set up an end-to-end STO/CI pipeline that scans your codebase, builds/pushes a test image, and then scans it. If there are no critical issues, the pipeline builds/pushes a prod image.