Merge remote-tracking branch 'refs/remotes/origin/main'

Author: Vasundhara-Shukla

docs/security-testing-orchestration/set-up-scans/shared/ai-scanners.md

@@ -0,0 +1 @@
+1. **[ModelScan](/docs/security-testing-orchestration/sto-techref-category/modelscan)**

docs/security-testing-orchestration/sto-techref-category/github-advanced-security.md

@@ -83,6 +83,14 @@ import StoSettingScanTypeRepo from './shared/step-palette/target/type/repo.md';
 
 <StoSettingScanTypeRepo />
 
+#### Target and variant detection 
+
+import StoSettingScanTypeAutodetectRepo from './shared/step-palette/target/auto-detect/code-repo.md';
+import StoSettingScanTypeAutodetectNote from './shared/step-palette/target/auto-detect/note.md';
+
+<StoSettingScanTypeAutodetectRepo/>
+<StoSettingScanTypeAutodetectNote/>
+
 #### Name
 import StoSettingTargetName from './shared/step-palette/target/name.md';
 

docs/security-testing-orchestration/sto-techref-category/modelscan.md

@@ -0,0 +1,121 @@
+---
+title: ModelScan Step Configuration
+description: Scan machine learning models with ModelScan.
+sidebar_label: ModelScan Step Configuration
+sidebar_position: 240
+---
+
+<DocsTag text="Code repo scanners" backgroundColor="#cbe2f9" textColor="#0b5cad" link="/docs/security-testing-orchestration/whats-supported/scanners?view-by=target-type#code-repo-scanners" />
+<DocsTag text="Orchestration" backgroundColor="#e3cbf9" textColor="#5c0bad" link="/docs/security-testing-orchestration/get-started/key-concepts/run-an-orchestrated-scan-in-sto" />
+<DocsTag text="Ingestion" backgroundColor="#e3cbf9" textColor="#5c0bad" link="/docs/security-testing-orchestration/get-started/key-concepts/ingest-scan-results-into-an-sto-pipeline" />
+<br/>
+<br/>
+
+The **ModelScan** step in Harness STO uses the open-source scanner [ModelScan](https://github.com/protectai/modelscan) to scan your machine learning (ML) models for security vulnerabilities. You can perform **ModelScan** scans in both **[Orchestration](#scan-mode)** and **[Ingestion](#scan-mode)** modes. This document will guide you through configuring the **ModelScan** step in your STO pipeline.
+
+:::info
+- To run scans as a non-root user, you can use custom STO scan images and pipelines. See [Configure your pipeline to use STO images from private registry](/docs/security-testing-orchestration/use-sto/set-up-sto-pipelines/configure-pipeline-to-use-sto-images-from-private-registry).
+- STO supports multiple workflows for loading self-signed certificates. See [Run STO scans with custom SSL certificates](/docs/security-testing-orchestration/use-sto/secure-sto-pipelines/ssl-setup-in-sto/#supported-workflows-for-adding-custom-ssl-certificates).
+:::
+
+### Supported ML Libraries and Formats
+
+The following table lists the ML libraries and serialization formats, along with their support status in the **ModelScan** step.
+
+| ML Library                                   | Serialization Format                 | Support Status   |
+| :------------------------------------------- | :----------------------------------- | :--------------- |
+| Pytorch                                      | Pickle                               | ✅ Supported     |
+| Keras                                        | HD5 (Hierarchical Data Format)       | ✅ Supported     |
+| Classic ML Libraries (Sklearn, XGBoost, etc.) | Pickle, Cloudpickle, Dill, Joblib    | ✅ Supported     |
+| TensorFlow                                   | Protocol Buffer                      | ❌ Not Supported |
+| Keras                                        | Keras V3 (Hierarchical Data Format)  | ❌ Not Supported |
+
+Scanning ML models in **binary files** is not supported. Your models must be in one of the supported formats listed above.
+
+## ModelScan step settings
+
+The recommended workflow is to add a **ModelScan** step to a **Security** or **Build** stage and then configure it as described below.
+
+### Scan Mode
+
+- **Orchestration mode**: In this mode, the step executes the scan, then processes the results by normalizing and deduplicating them.
+- **Ingestion mode**: In this mode, the **ModelScan** step ingests scan results from a specified file. The scan results file must be in JSON format.
+
+### Scan Configuration
+
+import StoSettingProductConfigName from './shared/step-palette/scan/config-name.md';
+
+<StoSettingProductConfigName />
+
+### Target
+
+#### Type
+
+import StoSettingScanTypeRepo from './shared/step-palette/target/type/repo.md';
+
+<StoSettingScanTypeRepo />
+
+You can also scan models stored in **Hugging Face** repositories by using the [Harness GitHub connector](/docs/platform/connectors/code-repositories/connect-to-code-repo), configured to connect to your Hugging Face account.
+
+#### Target and variant detection 
+
+import StoSettingScanTypeAutodetectRepo from './shared/step-palette/target/auto-detect/code-repo.md';
+import StoSettingScanTypeAutodetectNote from './shared/step-palette/target/auto-detect/note.md';
+
+<StoSettingScanTypeAutodetectRepo/>
+<StoSettingScanTypeAutodetectNote/>
+
+#### Name
+
+import StoSettingTargetName from './shared/step-palette/target/name.md';
+
+<StoSettingTargetName />
+
+#### Variant
+
+import StoSettingTargetVariant from './shared/step-palette/target/variant.md';
+
+<StoSettingTargetVariant />
+
+#### Workspace
+
+import StoSettingTargetWorkspace from './shared/step-palette/target/workspace.md';
+
+<StoSettingTargetWorkspace />
+
+### Ingestion File
+
+import StoSettingIngestionFile from './shared/step-palette/ingest/file.md';
+
+<StoSettingIngestionFile />
+
+The ingestion file must be in `JSON` format.
+
+### Log Level
+
+import StoSettingLogLevel from './shared/step-palette/all/log-level.md';
+
+<StoSettingLogLevel />
+
+### Fail on Severity
+
+import StoSettingFailOnSeverity from './shared/step-palette/all/fail-on-severity.md';
+
+<StoSettingFailOnSeverity />
+
+### Additional Configuration
+
+import ScannerRefAdditionalConfigs from './shared/additional-config.md';
+
+<ScannerRefAdditionalConfigs />
+
+### Advanced settings
+
+import ScannerRefAdvancedSettings from './shared/advanced-settings.md';
+
+<ScannerRefAdvancedSettings />
+
+## Proxy settings
+import ProxySettings from './shared/proxy-settings.md';
+
+<ProxySettings />

docs/security-testing-orchestration/sto-techref-category/shared/step-palette/ingest/file.md

@@ -1,6 +1,6 @@
 The path to your scan results when running an [Ingestion scan](/docs/security-testing-orchestration/get-started/key-concepts/ingest-scan-results-into-an-sto-pipeline), for example `/shared/scan_results/myscan.latest.sarif`.  
 
-- The data file must be in a [supported format](/docs/security-testing-orchestration/sto-techref-category/security-step-settings-reference#ingestion-formats-supported-by-sto) for the scanner.
+- The data file must be in a [supported format](/docs/security-testing-orchestration/whats-supported/scanners#supported-ingestion-formats) for the scanner.
 
 - The data file must be accessible to the scan step. It's good practice to save your results files to a [shared path](/docs/continuous-integration/get-started/key-concepts#stages) in your stage. In the visual editor, go to the stage where you're running the scan. Then go to **Overview** > **Shared Paths**. You can also add the path to the YAML stage definition like this:  
 

docs/security-testing-orchestration/sto-techref-category/shared/step-palette/target/auto-detect/note.md

@@ -1,3 +1,3 @@
 Note the following:
-- **Auto** is not available when the **Scan Mode** is **Ingestion**. 
-- **Auto** is the default selection for new pipelines. Manual is the default for old pipelines, but you might find that neither radio button is selected in the UI.
+- **Auto** is not available when the **Scan Mode** is **Ingestion**.
+- By default, **Auto** is selected when you add the step. You can change this setting if needed.

docs/security-testing-orchestration/sto-techref-category/shared/sto-supported-ingestion-formats.md

@@ -29,6 +29,7 @@ Harness recommends that you publish and ingest using the scanner-specific JSON f
 - **HQL AppScan** — XML 
 - **Grype** — JSON
 - **Mend _(formerly Whitesource)_** — JSON  
+- **ModelScan** — JSON
 - **Nessus** — XML
 - **Nexus** — JSON
 - **Nikto** — XML

docs/security-testing-orchestration/sto-techref-category/shared/sto-supported-scanners.md

@@ -27,12 +27,13 @@ A code scanner can detect one or more of the following issue types in your sourc
     <tr>
         <td valign="top">
           <ul>
-          <li><a href="/docs/security-testing-orchestration/sto-techref-category/trivy/aqua-trivy-scanner-reference">Aqua Trivy</a>  Orchestration, Ingestion </li>
+          <li><a href="/docs/security-testing-orchestration/sto-techref-category/aqua-trivy-scanner-reference">Aqua Trivy</a>  Orchestration, Ingestion </li>
           <li><a href="/docs/security-testing-orchestration/sto-techref-category/bandit-scanner-reference">Bandit</a>  Orchestration, Ingestion </li>
            <li><a href="/docs/security-testing-orchestration/sto-techref-category/brakeman-scanner-reference">Brakeman</a> Orchestration, Ingestion </li>
            <li><a href="/docs/security-testing-orchestration/sto-techref-category/coverity-scanner-reference">Coverity</a> Ingestion </li>
            <li><a href="/docs/security-testing-orchestration/sto-techref-category/gitleaks-scanner-reference">Gitleaks</a> Orchestration, Ingestion </li> 
            <li><a href="/docs/security-testing-orchestration/sto-techref-category/grype/grype-scanner-reference">Grype</a>  Orchestration, Ingestion </li>
+           <li><a href="/docs/security-testing-orchestration/sto-techref-category/modelscan">ModelScan</a> Orchestration, Ingestion </li>
             <li><a href="/docs/security-testing-orchestration/sto-techref-category/osv-scanner-reference">Open Source Vulnerabilities (OSV)</a> Orchestration, Ingestion </li>
             <li><a href="/docs/security-testing-orchestration/sto-techref-category/owasp-scanner-reference">OWASP Dependency Check</a> Orchestration, Ingestion</li>  
             <li><a href="/docs/security-testing-orchestration/sto-techref-category/reapsaw-scanner-reference">Reapsaw</a> Ingestion</li>

docs/security-testing-orchestration/whats-supported/scanners.md

@@ -37,6 +37,7 @@ Here are the list of scanners supported by STO by scan type.
 - [Container Scanners](#container-scanners)
 - [Dynamic Application Security Testing - DAST Scanners](#dynamic-application-security-testing---dast-scanners)
 - [Infrastructure as Code - IaC Scanners](#infrastructure-as-code---iac-scanners)
+- [AI Scanners](#ai-scanners)
 
 In addition to the listed supported scanners, the [Custom Scan step](/docs/security-testing-orchestration/custom-scanning/custom-scan-reference) allows the use of various other scanners. For a complete list of supported scanners, refer to [Scanners Supported with Custom Scan Step](#scanners-supported-with-custom-scan-step).
 
@@ -100,6 +101,13 @@ import IacScanners from '/docs/security-testing-orchestration/set-up-scans/share
 
 <IacScanners />
 
+### AI Scanners
+AI Scanners are helps you to identify vulnerabilities in your ML models. To configure and run AI scanners, refer to [ModelScan](/docs/security-testing-orchestration/sto-techref-category/modelscan) step documentation.
+
+<!-- import AiScanners from '/docs/security-testing-orchestration/set-up-scans/shared/ai-scanners.md';
+
+<AiScanners /> -->
+
 In addition to the listed supported scanners, the [Custom Scan step](/docs/security-testing-orchestration/custom-scanning/custom-scan-reference) allows the use of various other scanners. For a complete list of supported scanners, refer to [Scanners Supported with Custom Scan Step](#scanners-supported-with-custom-scan-step).
 
 ---

release-notes/continuous-delivery.md

@@ -55,6 +55,50 @@ For more information on GCR, see the [Harness GCR Documentation](/docs/continuou
 
 ## September 2025
 
+### Version 1.108.2
+
+#### New Features and Enhancements:
+
+- Harness now supports bearer token-based auth for the Bitbucket connector. This allows users to set up 
+  authentication for the Bitbucket connector using an access token which can be generated via Bitbucket. (**PIPE-28671**, **ZD-82455**)
+
+#### Breaking Changes:
+  
+- Users can now create asynchronous plan creation for pipeline executions to improve performance and scalability. To make this possible, the following breaking changes are coming to the Pipeline Execution API:
+
+  - **Execution Status Changes:** 
+    - Pipeline executions will now start with `QUEUED_PLAN_CREATION` status.
+    - Executions will transition to `RUNNING` status asynchronously after plan creation and policy evaluation are completed. 
+  - **API Response Changes:**
+    - Execute API Response: Governance metadata will no longer be immediately available.
+    - Layout Node Map: Will be empty or incomplete immediately after execution starts.
+    - Data Availability: Complete execution data will be available after plan creation completes (typically within a few seconds).
+  - **Required Actions for Automation Scripts:** 
+If your automation relies on the Execute API response, you must make the following changes/additions in your scripts:
+    - Add a delay: Wait 3-5 seconds after calling the Execute API.
+    - Call Summary API: Use the Pipeline Execution Summary API to retrieve complete execution details.
+    - Check execution status: Ensure execution has moved from QUEUED_PLAN_CREATION to RUNN.ING before proceeding
+This enhancement is currently controlled by feature flags `PIPE_ENABLE_QUEUE_BASED_PLAN_CREATION` and `PIPE_ENABLE_QUEUE_BASED_PLAN_CREATION_FOR_TRIGGER_EXECUTIONS` and will be generally available by end of October.
+
+ #### Behavior Changes:
+
+- We have improved the visibility of pipeline executions in the notification section. Previously, only executions containing at least one CD stage were displayed in the running, waiting for approval, and failed execution notifications. With this enhancement, you can now view all pipeline executions regardless of the module type (CI, CD, etc.) by enabling the feature flag `PIPE_SHOW_ALL_EXECUTIONS_ON_ACCOUNT_OVERVIEW_PAGE`. The general availability for this feature is scheduled for four weeks from now. (**PIPE-26930**)   
+
+- We have introduced a feature update for Audit Trail to ensure consistency across the audit logs.
+  This update changes how pipeline actions are identified. Prior to this update, we utilized the **Pipeline Name** to represent the **Create**, **Update**, **Delete**, and **Move Config** pipeline actions in the audit logs. In contrast, **Pipeline Identifier** are used to represent the **Start**, **End**, **Abort**, and **Timeout** actions.
+  - With this update: **Create**, **Update**, **Delete**, and **Move Config** actions are represented through the **Pipeline Identifier**. This change aligns the behavior across all the logs associated with pipeline actions in the Audit Trail, ensuring the use of a single and consistent identifier.
+  - This feature is currently behind the feature flag `PIPE_USE_PIPELINE_IDENTIFIER_IN_AUDIT_LOGS`. If you enable this feature flag, please make sure you **update your integration points** to accommodate this change. (**PIPE-28870**)
+
+#### Fixed Issues:
+
+- Fixed issues with multi-environment deployments for GitOps Pipelines. Now, users can perform multi-environment deployments through GitOps Pipeline stages. (**CDS-113581, ZD-91288**)
+- Fixed an issue that caused the rollback stage to get skipped when using parallel steps in the pipeline. With this fix, we ensure the users that the rollback stage is always executed when using parallel steps in the pipeline. (**PIPE-28864, ZD-89332**)
+- Fixed an issue where the error message for `winrm copy artifact` was not being propagated correctly when failing to fetch AWS credentials. The error message is now correctly displayed to users when this error occurs. (**CDS-97836**, **ZD-64870**)
+- Fixed an issue that was causing the environment tag filters not to work properly. Now, environment tag filters are working as expected. (**CDS-113958**)
+- Fixed issues that led to the Harness error page coming up frequently while navigating to links within Harness. (**PIPE-29416**)
+- Fixed issues with the `Run Pipeline Button`, which, when pressed multiple times, triggered multiple executions. This fix ensures that only a single execution is triggered after pressing the button. (**PIPE-29136**, **ZD-90223**)
+
+
 ### GitOps Service 1.41.1, GitOps Agent 0.101.0
 
 #### Fixed Issues

release-notes/feature-flags.md

@@ -1,7 +1,7 @@
 ---
 title: Feature Flags release notes
 sidebar_label: Feature Flags
-date: 2025-09-11T08:09:25
+date: 2025-09-18T08:09:25
 tags: [NextGen, "feature flags"]
 sidebar_position: 11
 ---
@@ -26,7 +26,7 @@ Follow this template to sort your release notes into the correct headline:
 Harness deploys changes to Harness SaaS clusters on a progressive basis. This means that the features and fixes that these release notes describe may not be immediately available in your cluster. To identify the cluster that hosts your account, go to the **Account Overview** page. 
 :::
 
-#### Last updated: September 11, 2025
+#### Last updated: September 18, 2025
 
 ## September 2025
 
@@ -40,6 +40,14 @@ Harness deploys changes to Harness SaaS clusters on a progressive basis. This me
 
 ## August 2025
 
+### JavaScript SDK
+
+#### Version 1.31.2
+
+**Bug fixes**:
+
+- Apply `client.registerAPIRequestMiddleware` to SDK streaming requests.
+
 ### React Native Client SDK
 
 #### Version 3.3.0