Windsurf

The Harness SAST and SCA extension for Windsurf enables you to shift security further left by identifying secrets and vulnerabilities as you write code, helping you resolve issues before they become backlog tickets.

Features

Harness SAST and SCA for Windsurf provides:

  • SAST: Advanced static analysis to identify security vulnerabilities in your code
  • SCA (Software Composition Analysis): Dependency vulnerability scanning to detect vulnerable open-source packages
  • Secrets Detection: Pre-commit checks to identify secrets, API keys, and credentials before they're committed
  • Real-time Analysis: Get instant feedback on security issues as you code
  • Integration with Qwiet AI by Harness: View detailed results and manage findings in the Qwiet AI by Harness dashboard

Language support and requirements

Harness SAST and SCA for Windsurf currently:

  • Supports the analysis of JavaScript, TypeScript, Python, C/C++, C#, Go, Java, PHP, Ruby.
  • Requires the use of a workstation running Linux, macOS, or Windows.

Dependencies

Before proceeding with this extension, ensure that your workstation meets the prerequisites for using Harness SAST and SCA.

The extension will automatically download and install the latest version of the Harness SAST and SCA CLI for you. This will not affect the system version of the CLI (if you have it installed); these two versions will be maintained in parallel.

Ensure that you've added sl and node or python to your system PATH variable.
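
The PATH requirement above can be checked from a terminal before you install the extension. This is an added example, not part of the Harness documentation: it resolves sl, node and python the way a shell would, so you also see which binary each name points to. The function names and output format are illustrative, and a Linux or macOS shell is assumed.

```shell
#!/bin/sh
# Added example (not from the Harness docs): preflight check for the
# requirement "sl and node or python on PATH". Tool names come from the
# page; function names and output format are illustrative.

# resolve_tool NAME [PATH_VALUE]
# Prints the first executable called NAME found on PATH_VALUE (defaults
# to the current PATH); returns 1 if no directory contains one.
resolve_tool() (
    name=$1
    IFS=:
    set -f                          # no globbing while splitting PATH
    for dir in ${2:-$PATH}; do
        [ -n "$dir" ] || dir=.      # empty PATH entry means current dir
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
            exit 0
        fi
    done
    exit 1
)

# check_prereqs [PATH_VALUE]
# Returns 0 only when sl AND at least one of node/python resolve.
# Prints one line per tool so the resolved location can be reviewed.
check_prereqs() (
    path_value=${1:-$PATH}
    have_sl=no
    have_runtime=no
    for tool in sl node python; do
        if resolved=$(resolve_tool "$tool" "$path_value"); then
            echo "ok       $tool -> $resolved"
            if [ "$tool" = sl ]; then have_sl=yes; else have_runtime=yes; fi
        else
            echo "missing  $tool"
        fi
    done
    if [ "$have_sl" = yes ] && [ "$have_runtime" = yes ]; then
        exit 0
    fi
    exit 1
)

# Check the current environment; report, but do not abort, on failure.
check_prereqs || echo "PATH requirement not met (need sl and node or python)" >&2
```

Because the extension keeps its own copy of the CLI alongside any system copy, the path printed for sl is the system one; confirm it is the installation you expect.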

Installation

To install Harness SAST and SCA for Windsurf, obtain the extension by downloading it from the VSX Marketplace (Windsurf is compatible with VS Code extensions).

Alternatively, you can install it from within Windsurf by opening the Extensions pane, searching for Harness SAST and SCA, and clicking Install.

Usage

Step 1: Authenticate your machine

The Harness SAST and SCA extension for Windsurf will leverage the information contained in your local configuration file (created when you installed the Harness SAST and SCA CLI) to authenticate your machine.

To authenticate your newly installed extension:

  1. Click the Connect to Qwiet AI by Harness icon in your left-hand navigation bar to begin the process of authenticating with Qwiet AI by Harness.

  2. Log into Qwiet AI by Harness when prompted (if necessary, create an account first).

  3. Return to Windsurf and verify that your organization and user information are displayed in the topmost window of the left navigation bar.

Step 2: Open your project

  1. In Windsurf, open the project you want scanned by Harness SAST and SCA.

  2. Click the Harness SAST and SCA icon in the left-hand navigation bar to launch the extension.

  3. If prompted, authenticate with Qwiet AI by Harness (if you're already authenticated, you'll see your User Profile information displayed instead).

Step 3: Access the extension's functionality via the command palette

You can find all of the extension's functionality under the Command Palette (open using Command + Shift + P for macOS or Control + Shift + P for Linux/Windows):

| Option | Description |
|---|---|
| Analyze | Analyze your project |
| Connect | Connect your extension with your Qwiet AI by Harness account and organization |
| Contact Support | Launch your email client to contact Qwiet AI by Harness Support |
| Fetch Latest Scan Results | Get latest scan results |
| Focus on Assigned to Me View | Bring the Assigned to Me view into focus |
| Focus on Help & Support View | Bring the Help & Support view into focus |
| Focus on OSS Vulnerabilities View | Bring the OSS Vulnerabilities view into focus |
| Focus on Project Configuration View | Bring the Project Configuration view into focus |
| Focus on Secrets View | Bring the Secrets view into focus |
| Focus on User Profile View | Bring the User Profile view into focus |
| Focus on Vulnerabilities View | Bring the Vulnerabilities view into focus |
| Open Documentation | Open the documentation for the extension in a new browser window |
| Open Project Configuration | Open the project configuration/settings page |
| Pre Commit Check | Identify secrets present in your project |
| View: Show Harness SAST and SCA | Brings the extension-related windows into focus |

Real-time SCA and Secrets Detection

The Harness SAST and SCA extension enables developers to run SCA and secrets scans directly within Windsurf and view detailed results immediately in the code editor. The SCA scan identifies the open-source dependencies used in your project and highlights known security vulnerabilities associated with those packages. SCA findings are displayed in the Problems panel with the severity level, CVE ID, affected package details, and the recommended package version to update to.

In addition, the extension performs local secrets detection to identify hardcoded credentials, API keys, and tokens in your code. Issues are flagged instantly,

Example: Run the pre-commit check for secrets

To run the pre-commit check that scans your project for secrets (passwords, API access keys, and other credentials that should not be publicly exposed) that you may inadvertently commit to your repository:

  1. Open the project you're interested in scanning.

  2. Open the Command Palette (use Command + Shift + P for macOS or Control + Shift + P for Linux/Windows), search for Harness SAST and SCA: Pre Commit Check, and select this option to begin the analysis.

  3. Your results will appear under Problems. If you don't see this, open it with either Command + Shift + M (macOS) or Control + Shift + M (Linux/Windows).

  4. To see where the secret appears, click on the result to go to the specific code location.

FAQ

  1. Should I enable the "Auto-update" feature on the Windsurf extension?

Ans: "Auto-Update" is preferred, as it keeps the extension up to date. We recommend restarting Windsurf every time the extension is updated.

  2. Scans on Windsurf are not working. How do I troubleshoot?

Ans: Verify that you are using the latest versions of Windsurf and the Harness SAST and SCA extension from the marketplace. Also try restarting your Windsurf application. If you still have issues with the scan operation, contact the Qwiet AI by Harness Customer Success Team for assistance.

Help

Contact the Qwiet AI by Harness Customer Success Team for assistance.