configure-repo-scan

# Configure Repo Scan

Add code scanning steps to existing Harness pipelines using STO security scanners.

## Instructions
## Step 1: Establish Scope and Pipeline Context

Ask the user for the organization, project, and pipeline identifier if not already known. This skill only works with existing pipelines.

Once you have the identifiers, fetch the pipeline definition:

Call MCP tool: `harness_get`
Parameters:
  resource_type: "pipeline"
  resource_id: "<pipeline_identifier>"
  org_id: "<organization>"
  project_id: "<project>"

## Step 2: Extract Repository Connector from Pipeline

Parse the pipeline YAML from Step 1 to automatically identify the repository connector used in the pipeline.

Look for the connector reference in the pipeline structure:
- For v0 pipelines: check `pipeline.properties.ci.codebase.connectorRef`
- For v1 pipelines: check the codebase connector in the pipeline configuration

If no connector is found in the pipeline, inform the user that the pipeline does not have a codebase configuration and cannot proceed with repo scanning.
## Step 3: Analyze Pipeline Structure

Parse the pipeline YAML from Step 1 to identify:
- All stages (CI, Deployment, Approval, Custom)
- All steps within each stage
- Existing security scanning steps (if any)

Present a structured view to the user showing:

```
Pipeline: <name>
Stage 1: <stage_name> (type: <stage_type>)
  - Step 1: <step_name> (type: <step_type>)
  - Step 2: <step_name> (type: <step_type>)
  ...
Stage 2: <stage_name> (type: <stage_type>)
  - Step 1: <step_name> (type: <step_type>)
  ...
```

Ask the user where they would like to insert the code scanner step:
- "Before which step?" or "After which step?" or "At the end of which stage?"
- Provide suggestions (e.g., "I recommend adding it after the build step but before deployment")
## Step 4: Recommend Scanner Type

Present the available SAST scanners supported in Harness STO:

Available SAST Scanners:
- Harness Code (default - native Harness scanner)
- Bandit (open-source, Python)
- Black Duck (by Synopsys)
- Brakeman (open-source, Ruby)
- Checkmarx
- Checkmarx One
- Coverity (open-source)
- CodeQL
- FOSSA
- GitHub Advanced Security
- Mend (formerly WhiteSource)
- Semgrep (open-source)
- Snyk
- SonarQube
- Veracode
- Wiz

Default recommendation: Use Harness Code as the native Harness SAST scanner. It provides integrated security scanning with minimal configuration and seamless integration with Harness STO.

Ask the user which scanner they prefer. If they don't specify, use Harness Code as the default.
## Step 5: Generate Scanner Step Configuration

Based on the scanner choice and the connector from Step 2, generate the appropriate step YAML. The scanner step should be a native Harness STO step, not a Run step.

For Harness Code (default):

```yaml
- step:
    identifier: harness_code_scan
    name: Harness Code Scan
    type: HarnessSAST
    spec:
      mode: orchestration
      config: sast_sca
      target:
        type: repository
        detection: auto
      advanced:
        log:
          level: info
```

For Bandit (Python):

```yaml
- step:
    identifier: bandit_scan
    name: Bandit SAST
    type: Bandit
    spec:
      mode: orchestration
      config: default
      target:
        type: repository
        detection: auto
      advanced:
        log:
          level: info
```

For Semgrep:

```yaml
- step:
    identifier: semgrep_scan
    name: Semgrep SAST
    type: Semgrep
    spec:
      mode: orchestration
      config: default
      target:
        type: repository
        detection: auto
      advanced:
        log:
          level: info
```

For other scanners: reference `references/scanner-types.md` for scanner-specific configuration.

## Step 6: Insert Step into Pipeline YAML
Insert the generated scanner step YAML at the location chosen in Step 3. Ensure proper indentation and structure.

Key rules:
- Scanner steps should be added to CI stages (type: CI), not Deployment or Approval stages
- Scanner steps should typically run after code checkout but before deployment
- If the stage has `cloneCodebase: true` set, the scanner will have access to the source code
- The scanner step should be added to the `execution.steps` array within the chosen stage

Create the updated pipeline YAML with the scanner step inserted.
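As an added illustration (not part of the skill itself), the Python below carries out Steps 2, 5 and 6 on a pipeline that has already been parsed from YAML into a dict (e.g. with `yaml.safe_load`): it reads the v0 `connectorRef`, builds a native STO step in the shape shown in Step 5, and inserts it into `execution.steps` of the chosen stage only if that stage is a CI stage with `cloneCodebase: true`, after the step the user picked, while enforcing the identifier pattern from the Troubleshooting section. The sample pipeline dict, its stage and step identifiers, and the function names are constructed for this example.

```python
import copy
import re

# Constructed sample: a v0 pipeline already parsed from YAML into a dict (e.g. via yaml.safe_load).
SAMPLE_PIPELINE = {"pipeline": {
    "identifier": "backend_api",
    "properties": {"ci": {"codebase": {"connectorRef": "github_connector", "repoName": "backend-api"}}},
    "stages": [
        {"stage": {"identifier": "build", "type": "CI", "spec": {"cloneCodebase": True, "execution": {"steps": [
            {"step": {"identifier": "build", "name": "Build", "type": "Run"}},
            {"step": {"identifier": "test", "name": "Test", "type": "Run"}}]}}}},
        {"stage": {"identifier": "deploy", "type": "Deployment", "spec": {"execution": {"steps": []}}}},
    ]}}

# Identifier pattern Harness validates on pipeline update (see Troubleshooting).
IDENTIFIER_RE = re.compile(r"^[a-zA-Z_][0-9a-zA-Z_]{0,127}$")

def get_connector_ref(pipeline):
    """Step 2: v0 pipelines keep the repo connector at pipeline.properties.ci.codebase.connectorRef."""
    ci = pipeline.get("pipeline", {}).get("properties", {}).get("ci", {})
    return ci.get("codebase", {}).get("connectorRef")

def scanner_step(step_type, identifier, name, config):
    """Step 5: native STO step in orchestration mode targeting the repository (not a Run step)."""
    return {"step": {"identifier": identifier, "name": name, "type": step_type, "spec": {
        "mode": "orchestration", "config": config,
        "target": {"type": "repository", "detection": "auto"},
        "advanced": {"log": {"level": "info"}}}}}

def insert_scanner_step(pipeline, stage_id, step, after=None):
    """Step 6: insert into the CI stage's execution.steps, after step `after` or at the end."""
    if not IDENTIFIER_RE.match(step["step"]["identifier"]):
        raise ValueError("step identifier does not match the Harness identifier pattern")
    updated = copy.deepcopy(pipeline)  # never mutate the fetched definition
    for entry in updated["pipeline"]["stages"]:
        stage = entry["stage"]
        if stage["identifier"] != stage_id:
            continue
        if stage["type"] != "CI":
            raise ValueError("scanner steps belong in a CI stage, not Deployment or Approval")
        if not stage["spec"].get("cloneCodebase"):
            raise ValueError("CI stage must set cloneCodebase: true so the source is available")
        steps = stage["spec"]["execution"]["steps"]
        ids = [s["step"]["identifier"] for s in steps]
        if step["step"]["identifier"] in ids:
            raise ValueError("duplicate step identifier in stage")
        steps.insert(len(steps) if after is None else ids.index(after) + 1, step)
        return updated
    raise ValueError(f"stage {stage_id!r} not found")
```

The returned dict is what you would serialize back to YAML for the `yamlPipeline` body in Step 7; the original definition is left untouched so a failed validation can be retried from it.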
## Step 7: Update Pipeline via MCP

Update the pipeline with the new scanner step:

Call MCP tool: `harness_update`
Parameters:
  resource_type: "pipeline"
  resource_id: "<pipeline_identifier>"
  org_id: "<organization>"
  project_id: "<project>"
  body: { yamlPipeline: "<updated pipeline YAML string>" }

## Step 8: Provide Summary and Next Steps
Report the results to the user:

```
Code Scanner Configured

Pipeline: <pipeline_name>
Scanner: <scanner_type>
Location: Stage "<stage_name>", <position description>
Connector: <connector_name>
Pipeline URL: https://app.harness.io/ng/account/<account_id>/module/ci/orgs/<org_id>/projects/<project_id>/pipelines/<pipeline_id>/pipeline-studio/

Note: The scanner step has been configured with default settings. You can review and modify the configuration in the pipeline studio if you need to customize scan behavior, add exclusions, or adjust other parameters.

Next Steps
- Run the pipeline to verify the scanner step executes successfully
- View scan results in the Security Tests tab of the execution
- Configure exemptions for false positives via the /security-report skill
- Set up policies to fail pipelines on critical vulnerabilities via the /create-policy skill
```

## Examples

### Add scanner to existing pipeline

```
/configure-repo-scan
I want to add code scanning to my backend-api pipeline in the platform project
```

### Configure SAST for Python project

```
/configure-repo-scan
Set up SAST scanning for my Python service. Use Bandit and add it after the test step.
```

### Add Harness Code scan to CI pipeline

```
/configure-repo-scan
Add Harness Code scanner to my CI pipeline. Scan after build but before pushing to registry.
```

## Performance Notes
- Always verify the pipeline exists before attempting to modify it
- Automatically extract the repository connector from the pipeline configuration instead of asking the user
- Parse the complete pipeline structure to provide accurate insertion point recommendations
- Use native STO scanner steps (Harness Code, Bandit, Semgrep, etc.) instead of Run steps with scanner CLI commands
- Default to Harness Code scanner unless the user has specific scanner preferences
- Ensure the scanner step is added to a CI stage with `cloneCodebase: true` so source code is available
- This skill only works with existing pipelines; do not offer to create new pipelines
## Troubleshooting

### Pipeline Not Found

- Verify org_id and project_id are correct
- Check RBAC permissions for pipeline access
- Confirm the pipeline exists with `harness_list` (resource_type: "pipeline")
- Inform the user that this skill only works with existing pipelines

### Connector Not Found in Pipeline

- Verify the pipeline has a codebase configuration with a connector reference
- Check `pipeline.properties.ci.codebase.connectorRef` for v0 pipelines
- Inform the user that the pipeline must have a codebase connector configured for repo scanning

### Scanner Step Fails

- Verify `cloneCodebase: true` is set on the CI stage
- Check that the connector has proper authentication configured
- Ensure the scanner image is accessible (registry permissions)
- Review execution logs via `harness_diagnose` for specific scanner errors

### Pipeline Update Validation Errors

- Verify YAML indentation is correct (use 2 spaces)
- Ensure the step identifier follows the pattern `^[a-zA-Z_][0-9a-zA-Z_]{0,127}$`
- Check that the step is added to a valid stage with a proper `spec.execution.steps` structure
- Confirm the scanner type is a valid Harness STO step type

### No Security Results After Scan

- Verify the STO module is enabled for the account
- Check scan output logs for errors or warnings
- Confirm the scanner target configuration matches the repository structure
- Ensure the scanner has proper permissions to access dependencies