harness · priteshchandaliya · Sep 10, 2025 · Aug 26, 2025 · Aug 27, 2025 · Sep 9, 2025
@@ -6,9 +6,10 @@
 6. **[Coverity](/docs/security-testing-orchestration/sto-techref-category/coverity-scanner-reference)**  - *open-source*
 7. **[CodeQL](/docs/security-testing-orchestration/sto-techref-category/codeql-scanner-reference)**  
 8. **[FOSSA](/docs/security-testing-orchestration/sto-techref-category/fossa-scanner-reference)**  
-9. **[Mend](/docs/security-testing-orchestration/sto-techref-category/mend-scanner-reference)** (formerly known as WhiteSource)  
-10. **[Semgrep](/docs/security-testing-orchestration/sto-techref-category/semgrep/semgrep-scanner-reference)**  - *open-source option*
-11. **[Snyk](/docs/security-testing-orchestration/sto-techref-category/snyk/snyk-scanner-reference)**  
-12. **[SonarQube](/docs/security-testing-orchestration/sto-techref-category/sonarqube-sonar-scanner-reference)**
-13. **[Veracode](/docs/security-testing-orchestration/sto-techref-category/veracode-scanner-reference)**
-14. **[Wiz](/docs/security-testing-orchestration/sto-techref-category/wiz/repo-scans-with-wiz)**
+9. **[GitHub Advanced Security](/docs/security-testing-orchestration/sto-techref-category/github-advanced-security)**
+10. **[Mend](/docs/security-testing-orchestration/sto-techref-category/mend-scanner-reference)** (formerly known as WhiteSource)  
+11. **[Semgrep](/docs/security-testing-orchestration/sto-techref-category/semgrep/semgrep-scanner-reference)**  - *open-source option*
+12. **[Snyk](/docs/security-testing-orchestration/sto-techref-category/snyk/snyk-scanner-reference)**  
+13. **[SonarQube](/docs/security-testing-orchestration/sto-techref-category/sonarqube-sonar-scanner-reference)**
+14. **[Veracode](/docs/security-testing-orchestration/sto-techref-category/veracode-scanner-reference)**
+15. **[Wiz](/docs/security-testing-orchestration/sto-techref-category/wiz/repo-scans-with-wiz)**
@@ -1,8 +1,9 @@
 1. **[Aqua Trivy](/docs/security-testing-orchestration/sto-techref-category/trivy/aqua-trivy-scanner-reference)** - *open-source*
 2. **[Checkmarx](/docs/security-testing-orchestration/sto-techref-category/checkmarx/checkmarx-scanner-reference)**
 3. **[Checkmarx One](/docs/security-testing-orchestration/sto-techref-category/checkmarx/checkmarxone-scanner-reference)**
-4. **[OSV Scanner](/docs/security-testing-orchestration/sto-techref-category/osv-scanner-reference)**  - *open-source*
-5. **[OWASP Dependency-Check](/docs/security-testing-orchestration/sto-techref-category/owasp-scanner-reference)** - *open-source*
-6. **[Snyk](/docs/security-testing-orchestration/sto-techref-category/snyk/snyk-code-scanning)**
-7. **[Veracode](/docs/security-testing-orchestration/sto-techref-category/veracode-scanner-reference)**
-8. **[Wiz](/docs/security-testing-orchestration/sto-techref-category/wiz/repo-scans-with-wiz)**  
+4. **[GitHub Advanced Security](/docs/security-testing-orchestration/sto-techref-category/github-advanced-security)**
+5. **[OSV Scanner](/docs/security-testing-orchestration/sto-techref-category/osv-scanner-reference)**  - *open-source*
+6. **[OWASP Dependency-Check](/docs/security-testing-orchestration/sto-techref-category/owasp-scanner-reference)** - *open-source*
+7. **[Snyk](/docs/security-testing-orchestration/sto-techref-category/snyk/snyk-code-scanning)**
+8. **[Veracode](/docs/security-testing-orchestration/sto-techref-category/veracode-scanner-reference)**
+9. **[Wiz](/docs/security-testing-orchestration/sto-techref-category/wiz/repo-scans-with-wiz)**  
@@ -1,3 +1,4 @@
 1. **[Aqua Trivy](/docs/security-testing-orchestration/sto-techref-category/trivy/aqua-trivy-scanner-reference)** - *open-source*
 2. **[Checkmarx One](/docs/security-testing-orchestration/sto-techref-category/checkmarx/checkmarxone-scanner-reference)**
-3. **[Gitleaks](/docs/security-testing-orchestration/sto-techref-category/gitleaks-scanner-reference)** - *open-source*
+3. **[Gitleaks](/docs/security-testing-orchestration/sto-techref-category/gitleaks-scanner-reference)** - *open-source*
+4. **[GitHub Advanced Security](/docs/security-testing-orchestration/sto-techref-category/github-advanced-security)**
@@ -0,0 +1,149 @@
+---
+title: GitHub Advanced Security step configuration
+description: Scan code repositories with GitHub Advanced Security (GHAS).
+sidebar_label: GitHub Advanced Security step configuration
+sidebar_position: 201
+---
+
+<DocsTag text="Code repo scanners" backgroundColor="#cbe2f9" textColor="#0b5cad" link="/docs/security-testing-orchestration/whats-supported/scanners?view-by=target-type#code-repo-scanners" />
+<DocsTag text="Orchestration" backgroundColor="#e3cbf9" textColor="#5c0bad" link="/docs/security-testing-orchestration/get-started/key-concepts/run-an-orchestrated-scan-in-sto" />
+<DocsTag text="Extraction" backgroundColor="#e3cbf9" textColor="#5c0bad" link="/docs/security-testing-orchestration/get-started/key-concepts/extraction-scans" />
+<DocsTag text="Ingestion" backgroundColor="#e3cbf9" textColor="#5c0bad" link="/docs/security-testing-orchestration/get-started/key-concepts/ingest-scan-results-into-an-sto-pipeline" />
+<br/>
+<br/>
+
+The GitHub Advanced Security (GHAS) step in Harness STO enables you to scan your code repositories from the following GHAS products:
+
+- **[CodeQL](#codeql) (SAST):** Identify code vulnerabilities. Supported in [**Orchestration**](#scan-mode), [**Extraction**](#scan-mode), and [**Ingestion**](#scan-mode).
+- **[Dependabot](#dependabot) (SCA):** Detect vulnerable open-source dependencies. Supported in [**Orchestration**](#scan-mode), [**Extraction**](#scan-mode), and [**Ingestion**](#scan-mode).
+- **[Secret Scanning](#secret-scanning):** Detect exposed secrets such as API keys and tokens. Supported in [**Extraction**](#scan-mode) and [**Ingestion**](#scan-mode).
+
+:::info
+- To run scans as a non-root user, you can use custom STO scan images and pipelines. See [Configure your pipeline to use STO images from private registry](/docs/security-testing-orchestration/use-sto/set-up-sto-pipelines/configure-pipeline-to-use-sto-images-from-private-registry).
+- STO supports multiple workflows for loading self-signed certificates. See [Run STO scans with custom SSL certificates](/docs/security-testing-orchestration/use-sto/secure-sto-pipelines/ssl-setup-in-sto/#supported-workflows-for-adding-custom-ssl-certificates).
+:::
+
+## GitHub Advanced Security step settings
+
+The recommended workflow is to add a GitHub Advanced Security step to a **Security** or **Build** stage and configure it as described below.
+
+### Scan
+
+#### Scan Mode
+
+- **Orchestration**: Executes the scan, normalizes, and deduplicates results. Supported for **CodeQL** and **Dependabot**.  
+  :::note
+  - To comply with [GitHub’s licensing requirements](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security#about-github-advanced-security-products), orchestration scans are uploaded to GitHub and then imported into STO.  
+  - **Orchestration** mode currently supports *Python (pip)* and *JavaScript/TypeScript (npm or yarn)*. **Extraction** mode supports all languages available in GHAS.
+  :::
+
+- **Extraction**: Pulls existing results from GitHub APIs (**CodeQL**, **Dependabot**, **Secret Scanning**).  
+- **Ingestion**: Ingests SARIF files from previously run GHAS scans.
+
+#### Scan Configuration
+
+import StoSettingProductConfigName from './shared/step-palette/scan/config-name.md';
+
+<StoSettingProductConfigName />
+
+The GitHub Advanced Security step supports the following configurations:
+- **[CodeQL](#codeql)**
+- **[Dependabot](#dependabot)**
+- **[Secret Scanning](#secret-scanning)**
+
+### CodeQL
+You can use **CodeQL** to perform Static Application Security Testing (SAST). For details about CodeQL itself, see the [CodeQL documentation](https://docs.github.com/en/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql).  
+
+Here are a few important points to note when using CodeQL with **Orchestration mode**:  
+- The repository must be configured with **Advanced setup** for **CodeQL analysis**. To do this, go to your repository settings, click on **Advanced Security**, then go to **Code scanning** section and select **Advanced setup** for **CodeQL analysis**. If you're using default setup, you must switch to Advanced setup before running scans with Orchestration scan mode.  
+
+For **Extraction mode**, CodeQL works with both **Default** and **Advanced setup**.  
+
+---
+
+### Dependabot
+You can use **Dependabot** for dependency (SCA) scans. For more information, see the [Dependabot documentation](https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts). 
+
+Prerequisites for Dependabot scans:  
+- **Dependabot alerts** must be enabled. To check this, go to your repository settings, select **Advanced Security**, then click on **Enable** for **Dependabot alerts**.  
+- **Dependabot** with **Orchestration mode** requires a **Docker-in-Docker (DinD)** background step. When you configure this step, set the **Entrypoint** to `dockerd-entrypoint.sh` instead of `dockerd`. For setup instructions, go to [Configure Docker-in-Docker (DinD) for your pipeline](/docs/security-testing-orchestration/sto-techref-category/security-step-settings-reference#configuring-docker-in-docker-dind-for-your-pipeline).
+
+---
+
+### Secret Scanning
+You can use **Secret Scanning** to detect exposed secrets such as API keys, tokens, or other sensitive values in your repositories. For more details about this feature, see the [Secret Scanning documentation](https://docs.github.com/en/code-security/securing-your-organization/understanding-your-organizations-exposure-to-leaked-secrets/choosing-github-secret-protection).  
+
+Prerequisites for Secret Scanning:  
+- **Secret protection** must be enabled. To enable this, go to your repository settings, click on **Advanced Security**, then click on **Enable** for **Secret Protection**.
+
+### Target
+
+#### Type
+import StoSettingScanTypeRepo from './shared/step-palette/target/type/repo.md';
+
+<StoSettingScanTypeRepo />
+
+#### Name
+import StoSettingTargetName from './shared/step-palette/target/name.md';
+
+<StoSettingTargetName />
+
+#### Variant
+import StoSettingTargetVariant from './shared/step-palette/target/variant.md';
+
+<StoSettingTargetVariant />
+
+#### Workspace
+import StoSettingTargetWorkspace from './shared/step-palette/target/workspace.md';
+
+<StoSettingTargetWorkspace />
+
+### Ingestion File
+import StoSettingIngestionFile from './shared/step-palette/ingest/file.md';
+
+<StoSettingIngestionFile />
+
+### Authentication
+
+#### Access Token
+import StoSettingAuthAccessToken from './shared/step-palette/auth/access-token.md';
+
+<StoSettingAuthAccessToken />
+
+Use a GitHub fine-grained **Personal Access Token (PAT)** with the following repository permissions:
+
+| **Scan Mode** | **Permission**          | **Level**     |
+|---------------|--------------------------|---------------|
+| **Orchestration** (CodeQL, Dependabot) | Code scanning alerts   | Read & Write |
+|               | Dependabot alerts       | Read & Write |
+|               | Secret scanning alerts  | Read & Write |
+| **Extraction** (CodeQL, Dependabot, Secret Scanning) | Code scanning alerts   | Read-only |
+|               | Dependabot alerts       | Read-only |
+|               | Secret scanning alerts  | Read-only |
+
+Make sure **Repository access** is set to *All repositories* or *Only selected repositories*.
+
+### Log Level
+import StoSettingLogLevel from './shared/step-palette/all/log-level.md';
+
+<StoSettingLogLevel />
+
+### Fail on Severity
+import StoSettingFailOnSeverity from './shared/step-palette/all/fail-on-severity.md';
+
+<StoSettingFailOnSeverity />
+
+### Additional Configuration
+import ScannerRefAdditionalConfigs from './shared/additional-config.md';
+
+<ScannerRefAdditionalConfigs />
+
+### Advanced Settings
+import ScannerRefAdvancedSettings from './shared/advanced-settings.md';
+
+<ScannerRefAdvancedSettings />
+
+## Proxy settings
+import ProxySettings from './shared/proxy-settings.md';
+
+<ProxySettings />
@@ -1,4 +1,3 @@
-
 :::info
 Static Analysis Results Interchange Format (SARIF) is an open JSON format supported by many scan tools, especially tools available as GitHub Actions. Harness STO can [ingest SARIF 2.1.0 data](/docs/security-testing-orchestration/custom-scanning/ingest-sarif-data) from any tool that supports this format.
 
@@ -26,6 +25,7 @@ Harness recommends that you publish and ingest using the scanner-specific JSON f
 - **Fortify on Demand** — JSON
 - **Fossa** — JSON
 - **Gitleaks** — JSON _(recommended)_, SARIF
+- **GitHub Advanced Security** — SARIF
 - **HQL AppScan** — XML 
 - **Grype** — JSON
 - **Mend _(formerly Whitesource)_** — JSON  

@@ -51,6 +51,7 @@ A code scanner can detect one or more of the following issue types in your sourc
             <li><a href="/docs/security-testing-orchestration/sto-techref-category/fortify-on-demand-scanner-reference">Fortify on Demand</a> Orchestration, Extraction, Ingestion</li>
             <li><a href="/docs/security-testing-orchestration/sto-techref-category/fortify-scanner-reference">Fortify Static Code Analyzer</a> Ingestion</li>
             <li><a href="/docs/security-testing-orchestration/sto-techref-category/fossa-scanner-reference">Fossa</a> Ingestion</li>
+            <li><a href="/docs/security-testing-orchestration/sto-techref-category/github-advanced-security">GitHub Advanced Security</a> Orchestration, Extraction, Ingestion</li>
             <li><a href="/docs/security-testing-orchestration/sto-techref-category/mend-scanner-reference">Mend (formerly WhiteSource)</a> Orchestration, Extraction, Ingestion</li>
               <li><a href="/docs/security-testing-orchestration/sto-techref-category/nexus-scanner-reference">Nexus IQ</a> Orchestration, Extraction, Ingestion </li>
             <li><a href="/docs/security-testing-orchestration/sto-techref-category/qwiet-scanner-reference">Qwiet AI (formerly ShiftLeft)</a> Orchestration, Extraction, Ingestion</li>