{"id":"922880bf-e6c9-41c9-be82-39287bcc6b7a","shortId":"ggBTH6","kind":"skill","title":"security-report","tagline":"Generate security compliance reports using Harness SCS and STO via MCP. Analyze vulnerabilities, SBOMs, and manage exemptions. Use when user says \"security report\", \"vulnerabilities\", \"SBOM\", \"security scan\", \"compliance check\", or asks about application security.","description":"# Security Report\n\nGenerate security compliance reports using Harness Software Supply Chain (SCS) and Security Testing Orchestration (STO) via MCP.\n\n## Instructions\n\n### Step 1: List Vulnerabilities\n\n```\nCall MCP tool: harness_list\nParameters:\n  resource_type: \"security_issue\"\n  org_id: \"<organization>\"\n  project_id: \"<project>\"\n```\n\n### Step 2: Get Vulnerability Details\n\n```\nCall MCP tool: harness_get\nParameters:\n  resource_type: \"security_issue\"\n  resource_id: \"<issue_id>\"\n```\n\n### Step 3: List SBOMs\n\n```\nCall MCP tool: harness_list\nParameters:\n  resource_type: \"scs_sbom\"\n  org_id: \"<organization>\"\n  project_id: \"<project>\"\n```\n\n### Step 4: Get SBOM Details\n\n```\nCall MCP tool: harness_get\nParameters:\n  resource_type: \"scs_sbom\"\n  resource_id: \"<sbom_id>\"\n```\n\n### Step 5: Check Artifact Components\n\n```\nCall MCP tool: harness_list\nParameters:\n  resource_type: \"scs_artifact_component\"\n  org_id: \"<organization>\"\n  project_id: \"<project>\"\n```\n\n### Step 6: Get Remediation Guidance\n\n```\nCall MCP tool: harness_list\nParameters:\n  resource_type: \"scs_artifact_remediation\"\n  org_id: \"<organization>\"\n  project_id: \"<project>\"\n```\n\n### Step 7: Check Compliance\n\n```\nCall MCP tool: harness_list\nParameters:\n  resource_type: \"scs_compliance_result\"\n  org_id: \"<organization>\"\n  project_id: \"<project>\"\n```\n\n### Step 8: Manage Exemptions\n\nList existing exemptions:\n```\nCall MCP tool: harness_list\nParameters:\n  resource_type: \"security_exemption\"\n  org_id: 
\"<organization>\"\n  project_id: \"<project>\"\n```\n\nCreate an exemption:\n```\nCall MCP tool: harness_create\nParameters:\n  resource_type: \"security_exemption\"\n  org_id: \"<organization>\"\n  project_id: \"<project>\"\n  body: <exemption details>\n```\n\nApprove or revoke an exemption:\n```\nCall MCP tool: harness_execute\nParameters:\n  resource_type: \"security_exemption\"\n  action: \"approve\"    # or \"revoke\"\n  resource_id: \"<exemption_id>\"\n```\n\n## Report Format\n\n```\n## Security Compliance Report\n\n**Date:** <date>\n**Scope:** <project/artifact>\n\n### Vulnerability Summary\n| Severity | Count | New | Fixed |\n|----------|-------|-----|-------|\n| Critical | X     | X   | X     |\n| High     | X     | X   | X     |\n| Medium   | X     | X   | X     |\n| Low      | X     | X   | X     |\n\n### Top Critical Vulnerabilities\n1. **CVE-XXXX-XXXXX** - <description> (Package: <name>)\n   - Remediation: Upgrade to version X.Y.Z\n\n### SBOM Status\n- Artifacts with SBOMs: X/Y\n- Compliance checks passing: X/Y\n\n### Active Exemptions\n- X exemptions active, Y pending review\n\n### Recommendations\n1. <prioritized fix action>\n2. 
<next fix action>\n```\n\n## Security Resource Types\n\n| Resource Type | Operations | Description |\n|--------------|-----------|-------------|\n| `security_issue` | list, get | Vulnerabilities from scans |\n| `security_exemption` | list, get, create, update | Exemption management |\n| `scs_sbom` | list, get | Software Bill of Materials |\n| `scs_artifact_component` | list | Components in artifacts |\n| `scs_artifact_remediation` | list | Fix recommendations |\n| `scs_compliance_result` | list | Policy compliance results |\n| `scs_opa_policy` | list | OPA policy status |\n\n## Examples\n\n- \"Generate security report for backend-service\" - List security_issue filtered by service\n- \"Show critical vulnerabilities\" - List security_issue, filter by severity\n- \"Download SBOM for api-service:v2.3\" - Get scs_sbom by artifact\n- \"Create exemption for CVE-2024-1234\" - Create security_exemption\n\n## Performance Notes\n\n- Gather the complete vulnerability list before summarizing. Do not report on partial scan results.\n- Cross-reference vulnerabilities with SBOM data for accurate component attribution.\n- Quality and accuracy of the security report is more important than speed.\n\n## Troubleshooting\n\n### No Vulnerabilities Shown\n- Verify STO scans are configured in pipelines\n- Check scan tool connectors (Snyk, Aqua, etc.)\n- Ensure scan results are being ingested\n\n### SBOM Not Available\n- Verify SBOM generation is enabled in CI pipeline\n- Check artifact registry configuration","tags":["security","report","harness","skills","agent-skills","agents"],"capabilities":["skill","source-harness","skill-security-report","topic-agent-skills","topic-agents"],"categories":["harness-skills"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/harness/harness-skills/security-report","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add 
harness/harness-skills","source_repo":"https://github.com/harness/harness-skills","install_from":"skills.sh"}},"qualityScore":"0.457","qualityRationale":"deterministic score 0.46 from registry signals: · indexed on github topic:agent-skills · 15 github stars · SKILL.md body (4,018 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-05-18T19:06:31.288Z","embedding":null,"createdAt":"2026-05-09T01:05:29.916Z","updatedAt":"2026-05-18T19:06:31.288Z","lastSeenAt":"2026-05-18T19:06:31.288Z","prices":[{"id":"2254f547-abf6-417a-9630-4f05e92c8581","listingId":"922880bf-e6c9-41c9-be82-39287bcc6b7a","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"harness","category":"harness-skills","install_from":"skills.sh"},"createdAt":"2026-05-09T01:05:29.916Z"}],"sources":[{"listingId":"922880bf-e6c9-41c9-be82-39287bcc6b7a","source":"github","sourceId":"harness/harness-skills/security-report","sourceUrl":"https://github.com/harness/harness-skills/tree/main/skills/security-report","isPrimary":false,"firstSeenAt":"2026-05-09T01:05:29.916Z","lastSeenAt":"2026-05-18T19:06:31.288Z"}],"details":{"listingId":"922880bf-e6c9-41c9-be82-39287bcc6b7a","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"harness","slug":"security-report","github":{"repo":"harness/harness-skills","stars":15,"topics":["agent-skills","agents"],"license":"apache-2.0","html_url":"https://github.com/harness/harness-skills","pushed_at":"2026-05-13T01:28:28Z","description":"A collection of structured AI agent skills that   enable Claude Code, Cursor, GitHub Copilot, and   other AI coding assistants to create, operate,   debug, and govern Harness CI/CD workflows through   natural language.","skill_md_sha":"58f0c9631dc0a2c3f3b1841e7d22cce8d792ee88","skill_md_path":"skills/security-report/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/harness/harness-skills/tree/main/skills/security-report"},"layout":"multi","source":"github","category":"harness-skills","frontmatter":{"name":"security-report","license":"Apache-2.0","description":"Generate security compliance reports using Harness SCS and STO via MCP. Analyze vulnerabilities, SBOMs, and manage exemptions. 
Use when user says \"security report\", \"vulnerabilities\", \"SBOM\", \"security scan\", \"compliance check\", or asks about application security.","compatibility":"Requires Harness MCP v2 server (harness-mcp-v2)"},"skills_sh_url":"https://skills.sh/harness/harness-skills/security-report"},"updatedAt":"2026-05-18T19:06:31.288Z"}}