Configure Repo Scan

Add code scanning steps to existing Harness pipelines using STO security scanners.

Instructions

Step 1: Establish Scope and Pipeline Context

Ask the user for the organization, project, and pipeline identifier if not already known. This skill only works with existing pipelines.

Once you have the identifiers, fetch the pipeline definition:

Call MCP tool: harness_get
Parameters:
  resource_type: "pipeline"
  resource_id: "<pipeline_identifier>"
  org_id: "<organization>"
  project_id: "<project>"

Step 2: Extract Repository Connector from Pipeline

Parse the pipeline YAML from Step 1 to automatically identify the repository connector used in the pipeline.

Look for the connector reference in the pipeline structure:

• For v0 pipelines: Check pipeline.properties.ci.codebase.connectorRef
• For v1 pipelines: Check the codebase connector in the pipeline configuration

If no connector is found in the pipeline, inform the user that the pipeline does not have a codebase configuration and cannot proceed with repo scanning.

Step 3: Analyze Pipeline Structure

Parse the pipeline YAML from Step 1 to identify:

• All stages (CI, Deployment, Approval, Custom)
• All steps within each stage
• Existing security scanning steps (if any)

Present a structured view to the user showing:

Pipeline: <name>

Stage 1: <stage_name> (type: <stage_type>)
  - Step 1: <step_name> (type: <step_type>)
  - Step 2: <step_name> (type: <step_type>)
  ...

Stage 2: <stage_name> (type: <stage_type>)
  - Step 1: <step_name> (type: <step_type>)
  ...

Ask the user where they would like to insert the code scanner step:

• “Before which step?” or “After which step?” or “At the end of which stage?”
• Provide suggestions (e.g., “I recommend adding it after the build step but before deployment”)

Step 4: Recommend Scanner Type

Present the available SAST scanners supported in Harness STO:

Available SAST Scanners:

• Harness Code (default - native Harness scanner)
• Bandit (open-source, Python)
• Black Duck (by Synopsys)
• Brakeman (open-source, Ruby)
• Checkmarx
• Checkmarx One
• Coverity (open-source)
• CodeQL
• FOSSA
• GitHub Advanced Security
• Mend (formerly WhiteSource)
• Semgrep (open-source)
• Snyk
• SonarQube
• Veracode
• Wiz

Default recommendation: Use Harness Code as the native Harness SAST scanner. It provides integrated security scanning with minimal configuration and seamless integration with Harness STO.

Ask the user which scanner they prefer. If they don’t specify, use Harness Code as the default.

Step 5: Generate Scanner Step Configuration

Based on the scanner choice and connector from Step 2, generate the appropriate step YAML. The scanner step should be a native Harness STO step, not a Run step.

For Harness Code (default):

- step:
    identifier: harness_code_scan
    name: Harness Code Scan
    type: HarnessSAST
    spec:
      mode: orchestration
      config: sast_sca
      target:
        type: repository
        detection: auto
      advanced:
        log:
          level: info

For Bandit (Python):

- step:
    identifier: bandit_scan
    name: Bandit SAST
    type: Bandit
    spec:
      mode: orchestration
      config: default
      target:
        type: repository
        detection: auto
      advanced:
        log:
          level: info

For Semgrep:

- step:
    identifier: semgrep_scan
    name: Semgrep SAST
    type: Semgrep
    spec:
      mode: orchestration
      config: default
      target:
        type: repository
        detection: auto
      advanced:
        log:
          level: info

For other scanners: Reference references/scanner-types.md for scanner-specific configuration.

Step 6: Insert Step into Pipeline YAML

Insert the generated scanner step YAML at the location chosen in Step 3. Ensure proper indentation and structure.

Key rules:

• Scanner steps should be added to CI stages (type: CI), not Deployment or Approval stages
• Scanner steps should typically run after code checkout but before deployment
• If the pipeline has a cloneCodebase: true setting, the scanner will have access to the source code
• The scanner step should be added to the execution.steps array within the chosen stage

Create the updated pipeline YAML with the scanner step inserted.

Step 7: Update Pipeline via MCP

Update the pipeline with the new scanner step:

Call MCP tool: harness_update
Parameters:
  resource_type: "pipeline"
  resource_id: "<pipeline_identifier>"
  org_id: "<organization>"
  project_id: "<project>"
  body: { yamlPipeline: "<updated pipeline YAML string>" }

Step 8: Provide Summary and Next Steps

Report the results to the user:

## Code Scanner Configured

**Pipeline:** <pipeline_name>
**Scanner:** <scanner_type>
**Location:** Stage "<stage_name>", <position description>
**Connector:** <connector_name>

**Pipeline URL:** https://app.harness.io/ng/account/<account_id>/module/ci/orgs/<org_id>/projects/<project_id>/pipelines/<pipeline_id>/pipeline-studio/

**Note:** The scanner step has been configured with default settings. You can review and modify the configuration in the pipeline studio if you need to customize scan behavior, add exclusions, or adjust other parameters.

### Next Steps
1. Run the pipeline to verify the scanner step executes successfully
2. View scan results in the Security Tests tab of the execution
3. Configure exemptions for false positives via `/security-report` skill
4. Set up policies to fail pipelines on critical vulnerabilities via `/create-policy` skill

Examples

Add scanner to existing pipeline

/configure-repo-scan
I want to add code scanning to my backend-api pipeline in the platform project

Configure SAST for Python project

/configure-repo-scan
Set up SAST scanning for my Python service. Use Bandit and add it after the test step.

Add Harness Code scan to CI pipeline

/configure-repo-scan
Add Harness Code scanner to my CI pipeline. Scan after build but before pushing to registry.

Performance Notes

• Always verify the pipeline exists before attempting to modify it
• Automatically extract the repository connector from the pipeline configuration instead of asking the user
• Parse the complete pipeline structure to provide accurate insertion point recommendations
• Use native STO scanner steps (Harness Code, Bandit, Semgrep, etc.) instead of Run steps with scanner CLI commands
• Default to Harness Code scanner unless the user has specific scanner preferences
• Ensure the scanner step is added to a CI stage with cloneCodebase: true so source code is available
• This skill only works with existing pipelines; do not offer to create new pipelines

Troubleshooting

Pipeline Not Found

• Verify org_id and project_id are correct
• Check RBAC permissions for pipeline access
• Confirm the pipeline exists with harness_list (resource_type: “pipeline”)
• Inform the user that this skill only works with existing pipelines

Connector Not Found in Pipeline

• Verify the pipeline has a codebase configuration with a connector reference
• Check pipeline.properties.ci.codebase.connectorRef for v0 pipelines
• Inform the user that the pipeline must have a codebase connector configured for repo scanning

Scanner Step Fails

• Verify cloneCodebase: true is set on the CI stage
• Check that the connector has proper authentication configured
• Ensure the scanner image is accessible (registry permissions)
• Review execution logs via harness_diagnose for specific scanner errors

Pipeline Update Validation Errors

• Verify YAML indentation is correct (use 2 spaces)
• Ensure step identifier follows pattern ^[a-zA-Z_][0-9a-zA-Z_]{0,127}$
• Check that the step is added to a valid stage with proper spec.execution.steps structure
• Confirm the scanner type is a valid Harness STO step type

No Security Results After Scan

• Verify STO module is enabled for the account
• Check scan output logs for errors or warnings
• Confirm scanner target configuration matches repository structure
• Ensure scanner has proper permissions to access dependencies