STO: Document ModelScan Step (#11575)

* Document ModelScan

* Add Ingestion mode

* Add limitations

* Add ModelScan to Scanners list

Author: tejakummarikuntla

docs/security-testing-orchestration/set-up-scans/shared/ai-scanners.md

@@ -0,0 +1 @@
+1. **[ModelScan](/docs/security-testing-orchestration/sto-techref-category/modelscan)**

docs/security-testing-orchestration/sto-techref-category/github-advanced-security.md

@@ -83,6 +83,14 @@ import StoSettingScanTypeRepo from './shared/step-palette/target/type/repo.md';
 
 <StoSettingScanTypeRepo />
 
+#### Target and variant detection 
+
+import StoSettingScanTypeAutodetectRepo from './shared/step-palette/target/auto-detect/code-repo.md';
+import StoSettingScanTypeAutodetectNote from './shared/step-palette/target/auto-detect/note.md';
+
+<StoSettingScanTypeAutodetectRepo/>
+<StoSettingScanTypeAutodetectNote/>
+
 #### Name
 import StoSettingTargetName from './shared/step-palette/target/name.md';
 

docs/security-testing-orchestration/sto-techref-category/modelscan.md

@@ -0,0 +1,121 @@
+---
+title: ModelScan Step Configuration
+description: Scan machine learning models with ModelScan.
+sidebar_label: ModelScan Step Configuration
+sidebar_position: 240
+---
+
+<DocsTag text="Code repo scanners" backgroundColor="#cbe2f9" textColor="#0b5cad" link="/docs/security-testing-orchestration/whats-supported/scanners?view-by=target-type#code-repo-scanners" />
+<DocsTag text="Orchestration" backgroundColor="#e3cbf9" textColor="#5c0bad" link="/docs/security-testing-orchestration/get-started/key-concepts/run-an-orchestrated-scan-in-sto" />
+<DocsTag text="Ingestion" backgroundColor="#e3cbf9" textColor="#5c0bad" link="/docs/security-testing-orchestration/get-started/key-concepts/ingest-scan-results-into-an-sto-pipeline" />
+<br/>
+<br/>
+
+The **ModelScan** step in Harness STO uses the open-source scanner [ModelScan](https://github.com/protectai/modelscan) to scan your machine learning (ML) models for security vulnerabilities. You can perform **ModelScan** scans in both **[Orchestration](#scan-mode)** and **[Ingestion](#scan-mode)** modes. This document will guide you through configuring the **ModelScan** step in your STO pipeline.
+
+:::info
+- To run scans as a non-root user, you can use custom STO scan images and pipelines. See [Configure your pipeline to use STO images from private registry](/docs/security-testing-orchestration/use-sto/set-up-sto-pipelines/configure-pipeline-to-use-sto-images-from-private-registry).
+- STO supports multiple workflows for loading self-signed certificates. See [Run STO scans with custom SSL certificates](/docs/security-testing-orchestration/use-sto/secure-sto-pipelines/ssl-setup-in-sto/#supported-workflows-for-adding-custom-ssl-certificates).
+:::
+
+### Supported ML Libraries and Formats
+
+The following table lists the ML libraries and serialization formats, along with their support status in the **ModelScan** step.
+
+| ML Library                                   | Serialization Format                 | Support Status   |
+| :------------------------------------------- | :----------------------------------- | :--------------- |
+| Pytorch                                      | Pickle                               | ✅ Supported     |
+| Keras                                        | HD5 (Hierarchical Data Format)       | ✅ Supported     |
+| Classic ML Libraries (Sklearn, XGBoost, etc.) | Pickle, Cloudpickle, Dill, Joblib    | ✅ Supported     |
+| TensorFlow                                   | Protocol Buffer                      | ❌ Not Supported |
+| Keras                                        | Keras V3 (Hierarchical Data Format)  | ❌ Not Supported |
+
+Scanning ML models in **binary files** is not supported. Your models must be in one of the supported formats listed above.
+
+## ModelScan step settings
+
+The recommended workflow is to add a **ModelScan** step to a **Security** or **Build** stage and then configure it as described below.
+
+### Scan Mode
+
+- **Orchestration mode**: In this mode, the step executes the scan, then processes the results by normalizing and deduplicating them.
+- **Ingestion mode**: In this mode, the **ModelScan** step ingests scan results from a specified file. The scan results file must be in JSON format.
+
+### Scan Configuration
+
+import StoSettingProductConfigName from './shared/step-palette/scan/config-name.md';
+
+<StoSettingProductConfigName />
+
+### Target
+
+#### Type
+
+import StoSettingScanTypeRepo from './shared/step-palette/target/type/repo.md';
+
+<StoSettingScanTypeRepo />
+
+You can also scan models stored in **Hugging Face** repositories by using the [Harness GitHub connector](/docs/platform/connectors/code-repositories/connect-to-code-repo), configured to connect to your Hugging Face account.
+
+#### Target and variant detection 
+
+import StoSettingScanTypeAutodetectRepo from './shared/step-palette/target/auto-detect/code-repo.md';
+import StoSettingScanTypeAutodetectNote from './shared/step-palette/target/auto-detect/note.md';
+
+<StoSettingScanTypeAutodetectRepo/>
+<StoSettingScanTypeAutodetectNote/>
+
+#### Name
+
+import StoSettingTargetName from './shared/step-palette/target/name.md';
+
+<StoSettingTargetName />
+
+#### Variant
+
+import StoSettingTargetVariant from './shared/step-palette/target/variant.md';
+
+<StoSettingTargetVariant />
+
+#### Workspace
+
+import StoSettingTargetWorkspace from './shared/step-palette/target/workspace.md';
+
+<StoSettingTargetWorkspace />
+
+### Ingestion File
+
+import StoSettingIngestionFile from './shared/step-palette/ingest/file.md';
+
+<StoSettingIngestionFile />
+
+The ingestion file must be in `JSON` format.
+
+### Log Level
+
+import StoSettingLogLevel from './shared/step-palette/all/log-level.md';
+
+<StoSettingLogLevel />
+
+### Fail on Severity
+
+import StoSettingFailOnSeverity from './shared/step-palette/all/fail-on-severity.md';
+
+<StoSettingFailOnSeverity />
+
+### Additional Configuration
+
+import ScannerRefAdditionalConfigs from './shared/additional-config.md';
+
+<ScannerRefAdditionalConfigs />
+
+### Advanced settings
+
+import ScannerRefAdvancedSettings from './shared/advanced-settings.md';
+
+<ScannerRefAdvancedSettings />
+
+## Proxy settings
+import ProxySettings from './shared/proxy-settings.md';
+
+<ProxySettings />

docs/security-testing-orchestration/sto-techref-category/shared/step-palette/ingest/file.md

@@ -1,6 +1,6 @@
 The path to your scan results when running an [Ingestion scan](/docs/security-testing-orchestration/get-started/key-concepts/ingest-scan-results-into-an-sto-pipeline), for example `/shared/scan_results/myscan.latest.sarif`.  
 
-- The data file must be in a [supported format](/docs/security-testing-orchestration/sto-techref-category/security-step-settings-reference#ingestion-formats-supported-by-sto) for the scanner.
+- The data file must be in a [supported format](/docs/security-testing-orchestration/whats-supported/scanners#supported-ingestion-formats) for the scanner.
 
 - The data file must be accessible to the scan step. It's good practice to save your results files to a [shared path](/docs/continuous-integration/get-started/key-concepts#stages) in your stage. In the visual editor, go to the stage where you're running the scan. Then go to **Overview** > **Shared Paths**. You can also add the path to the YAML stage definition like this:  
 

docs/security-testing-orchestration/sto-techref-category/shared/step-palette/target/auto-detect/note.md

@@ -1,3 +1,3 @@
 Note the following:
-- **Auto** is not available when the **Scan Mode** is **Ingestion**. 
-- **Auto** is the default selection for new pipelines. Manual is the default for old pipelines, but you might find that neither radio button is selected in the UI.
+- **Auto** is not available when the **Scan Mode** is **Ingestion**.
+- By default, **Auto** is selected when you add the step. You can change this setting if needed.

docs/security-testing-orchestration/sto-techref-category/shared/sto-supported-ingestion-formats.md

@@ -29,6 +29,7 @@ Harness recommends that you publish and ingest using the scanner-specific JSON f
 - **HQL AppScan** — XML 
 - **Grype** — JSON
 - **Mend _(formerly Whitesource)_** — JSON  
+- **ModelScan** — JSON
 - **Nessus** — XML
 - **Nexus** — JSON
 - **Nikto** — XML

docs/security-testing-orchestration/sto-techref-category/shared/sto-supported-scanners.md

@@ -27,12 +27,13 @@ A code scanner can detect one or more of the following issue types in your sourc
     <tr>
         <td valign="top">
           <ul>
-          <li><a href="/docs/security-testing-orchestration/sto-techref-category/trivy/aqua-trivy-scanner-reference">Aqua Trivy</a>  Orchestration, Ingestion </li>
+          <li><a href="/docs/security-testing-orchestration/sto-techref-category/aqua-trivy-scanner-reference">Aqua Trivy</a>  Orchestration, Ingestion </li>
           <li><a href="/docs/security-testing-orchestration/sto-techref-category/bandit-scanner-reference">Bandit</a>  Orchestration, Ingestion </li>
            <li><a href="/docs/security-testing-orchestration/sto-techref-category/brakeman-scanner-reference">Brakeman</a> Orchestration, Ingestion </li>
            <li><a href="/docs/security-testing-orchestration/sto-techref-category/coverity-scanner-reference">Coverity</a> Ingestion </li>
            <li><a href="/docs/security-testing-orchestration/sto-techref-category/gitleaks-scanner-reference">Gitleaks</a> Orchestration, Ingestion </li> 
            <li><a href="/docs/security-testing-orchestration/sto-techref-category/grype/grype-scanner-reference">Grype</a>  Orchestration, Ingestion </li>
+           <li><a href="/docs/security-testing-orchestration/sto-techref-category/modelscan">ModelScan</a> Orchestration, Ingestion </li>
             <li><a href="/docs/security-testing-orchestration/sto-techref-category/osv-scanner-reference">Open Source Vulnerabilities (OSV)</a> Orchestration, Ingestion </li>
             <li><a href="/docs/security-testing-orchestration/sto-techref-category/owasp-scanner-reference">OWASP Dependency Check</a> Orchestration, Ingestion</li>  
             <li><a href="/docs/security-testing-orchestration/sto-techref-category/reapsaw-scanner-reference">Reapsaw</a> Ingestion</li>

docs/security-testing-orchestration/whats-supported/scanners.md

@@ -37,6 +37,7 @@ Here are the list of scanners supported by STO by scan type.
 - [Container Scanners](#container-scanners)
 - [Dynamic Application Security Testing - DAST Scanners](#dynamic-application-security-testing---dast-scanners)
 - [Infrastructure as Code - IaC Scanners](#infrastructure-as-code---iac-scanners)
+- [AI Scanners](#ai-scanners)
 
 In addition to the listed supported scanners, the [Custom Scan step](/docs/security-testing-orchestration/custom-scanning/custom-scan-reference) allows the use of various other scanners. For a complete list of supported scanners, refer to [Scanners Supported with Custom Scan Step](#scanners-supported-with-custom-scan-step).
 
@@ -100,6 +101,13 @@ import IacScanners from '/docs/security-testing-orchestration/set-up-scans/share
 
 <IacScanners />
 
+### AI Scanners
+AI Scanners are helps you to identify vulnerabilities in your ML models. To configure and run AI scanners, refer to [ModelScan](/docs/security-testing-orchestration/sto-techref-category/modelscan) step documentation.
+
+<!-- import AiScanners from '/docs/security-testing-orchestration/set-up-scans/shared/ai-scanners.md';
+
+<AiScanners /> -->
+
 In addition to the listed supported scanners, the [Custom Scan step](/docs/security-testing-orchestration/custom-scanning/custom-scan-reference) allows the use of various other scanners. For a complete list of supported scanners, refer to [Scanners Supported with Custom Scan Step](#scanners-supported-with-custom-scan-step).
 
 ---