If you discover a security vulnerability, please report it responsibly.

Do not open a public issue. Instead, email security concerns to: security@harness-engineering.dev

We will acknowledge receipt within 48 hours and provide a timeline for a fix.

Harness includes a built-in security scanner that runs as part of the CI check pipeline. It detects common vulnerabilities with zero external dependencies.

The scanner automatically detects your tech stack and applies additional rules:

• Node.js: Prototype pollution, NoSQL injection
• Express: Missing helmet, rate limiting
• React: Sensitive data in localStorage
• Go: Unsafe pointers, format string injection

Add a security section to harness.config.json:

{
  "security": {
    "enabled": true,
    "strict": false,
    "rules": {
      "SEC-NET-003": "off"
    },
    "exclude": ["**/node_modules/**", "**/dist/**", "**/*.test.ts"]
  }
}

• strict: true — Promotes all warnings to errors
• rules — Override severity per-rule. Supports wildcards: "SEC-INJ-*": "off"
• exclude — Glob patterns for files to skip

• CI Pipeline: Runs automatically as the security check in harness ci check
• Pre-commit: Integrated into harness-pre-commit-review skill
• Code Review: Security phase built into harness-code-review and harness-integrity skills
• Deep Audit: Use /harness:security-review for a thorough security audit with AI analysis
• MCP Tool: run_security_scan available for programmatic access

• External tool integration: Semgrep and Gitleaks support via detect-delegate-merge adapter. When installed, the scanner will delegate to these tools for deeper coverage and report coverage: enhanced instead of baseline.
• ESLint security rules: Security-specific rules generated via harness-linter.yml