{"id":"d4a4d573-e885-4ce5-9492-18b334189b5a","shortId":"VhRHRc","kind":"skill","title":"configure-repo-scan","tagline":">-","description":"# Configure Repo Scan\n\nAdd code scanning steps to existing Harness pipelines using STO security scanners.\n\n## Instructions\n\n### Step 1: Establish Scope and Pipeline Context\n\nAsk the user for the organization, project, and pipeline identifier if not already known. This skill only works with existing pipelines.\n\nOnce you have the identifiers, fetch the pipeline definition:\n\n```\nCall MCP tool: harness_get\nParameters:\n  resource_type: \"pipeline\"\n  resource_id: \"<pipeline_identifier>\"\n  org_id: \"<organization>\"\n  project_id: \"<project>\"\n```\n\n### Step 2: Extract Repository Connector from Pipeline\n\nParse the pipeline YAML from Step 1 to automatically identify the repository connector used in the pipeline.\n\nLook for the connector reference in the pipeline structure:\n- For v0 pipelines: Check `pipeline.properties.ci.codebase.connectorRef`\n- For v1 pipelines: Check the codebase connector in the pipeline configuration\n\nIf no connector is found in the pipeline, inform the user that the pipeline does not have a codebase configuration and cannot proceed with repo scanning.\n\n### Step 3: Analyze Pipeline Structure\n\nParse the pipeline YAML from Step 1 to identify:\n- All stages (CI, Deployment, Approval, Custom)\n- All steps within each stage\n- Existing security scanning steps (if any)\n\nPresent a structured view to the user showing:\n```\nPipeline: <name>\n\nStage 1: <stage_name> (type: <stage_type>)\n  - Step 1: <step_name> (type: <step_type>)\n  - Step 2: <step_name> (type: <step_type>)\n  ...\n\nStage 2: <stage_name> (type: <stage_type>)\n  - Step 1: <step_name> (type: <step_type>)\n  ...\n```\n\nAsk the user where they would like to insert the code scanner step:\n- \"Before which step?\" or \"After which step?\" or \"At the end of which stage?\"\n- Provide suggestions (e.g., \"I recommend adding it 
after the build step but before deployment\")\n\n### Step 4: Recommend Scanner Type\n\nPresent the available SAST scanners supported in Harness STO:\n\n**Available SAST Scanners:**\n- **Harness Code** (default - native Harness scanner)\n- Bandit (open-source, Python)\n- Black Duck (by Synopsys)\n- Brakeman (open-source, Ruby)\n- Checkmarx\n- Checkmarx One\n- Coverity (open-source)\n- CodeQL\n- FOSSA\n- GitHub Advanced Security\n- Mend (formerly WhiteSource)\n- Semgrep (open-source)\n- Snyk\n- SonarQube\n- Veracode\n- Wiz\n\n**Default recommendation:** Use **Harness Code** as the native Harness SAST scanner. It provides integrated security scanning with minimal configuration and seamless integration with Harness STO.\n\nAsk the user which scanner they prefer. If they don't specify, use Harness Code as the default.\n\n### Step 5: Generate Scanner Step Configuration\n\nBased on the scanner choice and connector from Step 2, generate the appropriate step YAML. The scanner step should be a native Harness STO step, not a Run step.\n\n**For Harness Code (default):**\n\n```yaml\n- step:\n    identifier: harness_code_scan\n    name: Harness Code Scan\n    type: HarnessSAST\n    spec:\n      mode: orchestration\n      config: sast_sca\n      target:\n        type: repository\n        detection: auto\n      advanced:\n        log:\n          level: info\n```\n\n**For Bandit (Python):**\n\n```yaml\n- step:\n    identifier: bandit_scan\n    name: Bandit SAST\n    type: Bandit\n    spec:\n      mode: orchestration\n      config: default\n      target:\n        type: repository\n        detection: auto\n      advanced:\n        log:\n          level: info\n```\n\n**For Semgrep:**\n\n```yaml\n- step:\n    identifier: semgrep_scan\n    name: Semgrep SAST\n    type: Semgrep\n    spec:\n      mode: orchestration\n      config: default\n      target:\n        type: repository\n        detection: auto\n      advanced:\n        log:\n          level: info\n```\n\n**For other scanners:** 
Reference `references/scanner-types.md` for scanner-specific configuration.\n\n### Step 6: Insert Step into Pipeline YAML\n\nInsert the generated scanner step YAML at the location chosen in Step 3. Ensure proper indentation and structure.\n\n**Key rules:**\n- Scanner steps should be added to CI stages (type: CI), not Deployment or Approval stages\n- Scanner steps should typically run after code checkout but before deployment\n- If the pipeline has a `cloneCodebase: true` setting, the scanner will have access to the source code\n- The scanner step should be added to the `execution.steps` array within the chosen stage\n\nCreate the updated pipeline YAML with the scanner step inserted.\n\n### Step 7: Update Pipeline via MCP\n\nUpdate the pipeline with the new scanner step:\n\n```\nCall MCP tool: harness_update\nParameters:\n  resource_type: \"pipeline\"\n  resource_id: \"<pipeline_identifier>\"\n  org_id: \"<organization>\"\n  project_id: \"<project>\"\n  body: { yamlPipeline: \"<updated pipeline YAML string>\" }\n```\n\n### Step 8: Provide Summary and Next Steps\n\nReport the results to the user:\n\n```\n## Code Scanner Configured\n\n**Pipeline:** <pipeline_name>\n**Scanner:** <scanner_type>\n**Location:** Stage \"<stage_name>\", <position description>\n**Connector:** <connector_name>\n\n**Pipeline URL:** https://app.harness.io/ng/account/<account_id>/module/ci/orgs/<org_id>/projects/<project_id>/pipelines/<pipeline_id>/pipeline-studio/\n\n**Note:** The scanner step has been configured with default settings. You can review and modify the configuration in the pipeline studio if you need to customize scan behavior, add exclusions, or adjust other parameters.\n\n### Next Steps\n1. Run the pipeline to verify the scanner step executes successfully\n2. View scan results in the Security Tests tab of the execution\n3. Configure exemptions for false positives via `/security-report` skill\n4. 
Set up policies to fail pipelines on critical vulnerabilities via `/create-policy` skill\n```\n\n## Examples\n\n### Add scanner to existing pipeline\n\n```\n/configure-repo-scan\nI want to add code scanning to my backend-api pipeline in the platform project\n```\n\n### Configure SAST for Python project\n\n```\n/configure-repo-scan\nSet up SAST scanning for my Python service. Use Bandit and add it after the test step.\n```\n\n### Add Harness Code scan to CI pipeline\n\n```\n/configure-repo-scan\nAdd Harness Code scanner to my CI pipeline. Scan after build but before pushing to registry.\n```\n\n## Performance Notes\n\n- Always verify the pipeline exists before attempting to modify it\n- Automatically extract the repository connector from the pipeline configuration instead of asking the user\n- Parse the complete pipeline structure to provide accurate insertion point recommendations\n- Use native STO scanner steps (Harness Code, Bandit, Semgrep, etc.) instead of Run steps with scanner CLI commands\n- Default to Harness Code scanner unless the user has specific scanner preferences\n- Ensure the scanner step is added to a CI stage with `cloneCodebase: true` so source code is available\n- This skill only works with existing pipelines; do not offer to create new pipelines\n\n## Troubleshooting\n\n### Pipeline Not Found\n- Verify org_id and project_id are correct\n- Check RBAC permissions for pipeline access\n- Confirm the pipeline exists with `harness_list` (resource_type: \"pipeline\")\n- Inform the user that this skill only works with existing pipelines\n\n### Connector Not Found in Pipeline\n- Verify the pipeline has a codebase configuration with a connector reference\n- Check `pipeline.properties.ci.codebase.connectorRef` for v0 pipelines\n- Inform the user that the pipeline must have a codebase connector configured for repo scanning\n\n### Scanner Step Fails\n- Verify `cloneCodebase: true` is set on the CI stage\n- Check that the connector has proper authentication 
configured\n- Ensure the scanner image is accessible (registry permissions)\n- Review execution logs via `harness_diagnose` for specific scanner errors\n\n### Pipeline Update Validation Errors\n- Verify YAML indentation is correct (use 2 spaces)\n- Ensure step identifier follows pattern `^[a-zA-Z_][0-9a-zA-Z_]{0,127}$`\n- Check that the step is added to a valid stage with proper `spec.execution.steps` structure\n- Confirm the scanner type is a valid Harness STO step type\n\n### No Security Results After Scan\n- Verify STO module is enabled for the account\n- Check scan output logs for errors or warnings\n- Confirm scanner target configuration matches repository structure\n- Ensure scanner has proper permissions to access dependencies","tags":["configure","repo","scan","harness","skills","agent-skills","agents"],"capabilities":["skill","source-harness","skill-configure-repo-scan","topic-agent-skills","topic-agents"],"categories":["harness-skills"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/harness/harness-skills/configure-repo-scan","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add harness/harness-skills","source_repo":"https://github.com/harness/harness-skills","install_from":"skills.sh"}},"qualityScore":"0.457","qualityRationale":"deterministic score 0.46 from registry signals: · indexed on github topic:agent-skills · 15 github stars · SKILL.md body (8,233 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-05-18T19:06:28.772Z","embedding":null,"createdAt":"2026-05-13T07:06:11.852Z","updatedAt":"2026-05-18T19:06:28.772Z","lastSeenAt":"2026-05-18T19:06:28.772Z","prices":[{"id":"3e6ecbf6-c821-4e7a-8f41-7d6219867918","listingId":"d4a4d573-e885-4ce5-9492-18b334189b5a","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"harness","category":"harness-skills","install_from":"skills.sh"},"createdAt":"2026-05-13T07:06:11.852Z"}],"sources":[{"listingId":"d4a4d573-e885-4ce5-9492-18b334189b5a","source":"github","sourceId":"harness/harness-skills/configure-repo-scan","sourceUrl":"https://github.com/harness/harness-skills/tree/main/skills/configure-repo-scan","isPrimary":false,"firstSeenAt":"2026-05-13T07:06:11.852Z","lastSeenAt":"2026-05-18T19:06:28.772Z"}],"details":{"listingId":"d4a4d573-e885-4ce5-9492-18b334189b5a","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"harness","slug":"configure-repo-scan","github":{"repo":"harness/harness-skills","stars":15,"topics":["agent-skills","agents"],"license":"apache-2.0","html_url":"https://github.com/harness/harness-skills","pushed_at":"2026-05-13T01:28:28Z","description":"A collection of structured AI agent skills that   enable Claude Code, Cursor, GitHub Copilot, and   other AI coding assistants to create, operate,   debug, and govern Harness CI/CD workflows through   natural language.","skill_md_sha":"a1c6aafab5155ee0dcde24dcbdfeb98a907dc2dd","skill_md_path":"skills/configure-repo-scan/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/harness/harness-skills/tree/main/skills/configure-repo-scan"},"layout":"multi","source":"github","category":"harness-skills","frontmatter":{"name":"configure-repo-scan","license":"Apache-2.0","description":">-","compatibility":"Requires Harness MCP v2 server 
(harness-mcp-v2)"},"skills_sh_url":"https://skills.sh/harness/harness-skills/configure-repo-scan"},"updatedAt":"2026-05-18T19:06:28.772Z"}}