2026
April
Highlights: API enhancements, CLI enhancements, Go OSS dependencies, New Scans page
- API enhancements: A dedicated `PATCH` endpoint is now available to configure an application's Default Branch. A companion RBAC scope is also available for use in Custom Roles. `PATCH` endpoints are also available to configure the Organization, Teams, and Applications. Finally, a new API endpoint allows Super Admins to reset Personal Access Tokens of SAML users.
- CLI enhancements: A new `finding status` command is now available. This command allows users to view and set a finding status from within the comfort of their terminal. Read the documentation for additional details.
- Go OSS dependencies: A new application setting now allows you to enable the analysis of all Go OSS dependencies, instead of only the dependencies that are part of the build (the default behavior).
- New Scans page: A new Scans page and experience is now available. This page allows users to paginate and select scans far beyond the traditional 10-scan limit. It also offers the option to select and view IDE scans. A bar chart shows the number of findings for each scan, and when hovering, users can see a breakdown by severity.
March
Highlights: AutoFix GitHub app, OSS Risks, CLI improvements, Secure AI Coding (beta), Refreshed UI look & feel
- AutoFix GitHub app: This new GitHub application creates AutoFix Pull Requests. It also allows users to interact with the AI Agents in the Pull Request comments.
- OSS Risks: In addition to identifying open source vulnerabilities, Harness SAST and SCA can now detect OSS dependency risks such as Malicious Package, Abandoned Package, Hijackable Repository, and Typosquatting. Additionally, a new Application setting allows you to enable the analysis of JavaScript development dependencies.
- CLI improvements: The CLI now automatically removes older CPG frontends and other dependencies, in order to save on disk space. When using option `--container-sca-only-upload`, a target directory is no longer required.
- Secure AI Coding (beta): Instead of relying solely on pull requests or CI/CD pipelines to detect issues later, Secure AI Coding shifts security to the point where code is created. As soon as code is generated or updated in Cursor, Windsurf, and Claude Code, hooks trigger local and fast analysis that focuses on the changes introduced by the agent.
- Refreshed UI look & feel: We’ve updated the look and feel of Harness SAST and SCA (Qwiet AI) to match the core Harness platform, making your workflow transitions smoother and more intuitive.
February
Highlights: VS Code extension improvements, Enhancements to Wiz integration
- VS Code extension improvements: Added setting to enable/disable the analysis of development dependencies for JavaScript. Improved finding descriptions to include better mitigation steps and line numbering, particularly for OSS findings. Enhanced highlighting consistency for findings across the Terminal and Findings tab.
- Enhancements to Wiz integration: Added the ability to toggle the upload of SAST findings, SCA findings, or both within Organization Settings. Learn more on the Wiz integration documentation page.
January
Highlights: Hard delete setting for SCIM Users, Container SCA only option, Support for Groovy, New CVE webhook notifications, VS Code extension improvements, Harness SAST and SCA
- Hard delete setting for SCIM Users: New Hard Delete Users setting for SCIM, under Organization Settings. When enabled, a user is permanently deleted instead of being deactivated. The identity provider will have to create the user and all its associated data and relationships again.
- Container SCA only option: New option `--container-sca-only-upload` for `sl analyze` allows you to run a container SCA only and skip SAST and other processing steps. For more information, see the container documentation page.
- Support for Groovy: Harness SAST and SCA can now analyze applications written in the Groovy programming language. For more information, see the Groovy documentation page.
- New CVE webhook notifications: You can now receive webhook notifications when new CVEs have been published for an application that's been previously analyzed. This option can be enabled in the Organization Settings page.
- VS Code extension improvements: The Harness SAST and SCA extension for VS Code can now detect dependency vulnerabilities as soon as a manifest file (e.g. `requirements.txt`) is saved. You can now also find the extension in the Open VSX Registry, and it can be installed in Cursor, Windsurf, and other IDEs that support Open VSX.
- Harness SAST and SCA: Qwiet AI by Harness is now Harness SAST and SCA. The CLI, plugins, extensions, integrations, and other product offerings have been updated to reflect the new branding. Additionally, Harness SAST and SCA is now available natively within the Harness Security Testing Orchestration (STO) solution.