harness · douglas-j-bothwell · Dec 20, 2023 · Dec 20, 2023
@@ -1,6 +1,6 @@
 {
     "label": "Key concepts in STO",
-    "position": 3,
+    "position": 40,
     "collapsible": "true",
     "collapsed": "true",
     "className": "red",

@@ -11,9 +11,8 @@ redirect_from:
 ---
 
 ```mdx-code-block
-import set_up_harness_19 from './static/set-up-harness-for-sto-19.png'
 import set_up_harness_20 from './static/set-up-harness-for-sto-20.png'
-import set_up_harness_20_NEW from './static/setup-tutorial-create-base-pipeline-select-module.png'
+import set_up_harness_20_NEW from './static/set_up_harness_20_NEW.png'
 import set_up_harness_21 from './static/set-up-harness-for-sto-21.png'
 import set_up_harness_22 from './static/set-up-harness-for-sto-22.png'
 import set_up_harness_23 from './static/set-up-harness-for-sto-23.png'
@@ -92,16 +91,25 @@ You need Administrative privileges at the Account level (Account Admin role) to
 
 You need a Harness build infrastructure to run scans in STO. First, review the supported build infrastructures in [What's supported in Harness STO](/docs/security-testing-orchestration/whats-supported). Then select the infrastructure you want to use: 
 
-- [Harness Cloud build infrastructure](#use-harness-cloud-build-infrastructure-for-sto) This is the simplest option. No initial setup is required. 
-- [Local Kubernetes build infrastructure](#install-a-kubernetes-delegate-for-sto) Recommended when you want to run ephemeral builds-at-scale in your own infrastructure.
-- [Local Docker build infrastructure](#install-a-local-docker-delegate-for-sto) Recommended for small, limited builds, such as a one-off build on your local machine.
+- [Harness Cloud](/docs/continuous-integration/use-ci/set-up-build-infrastructure/use-harness-cloud-build-infrastructure) 
 
-#### Use Harness Cloud build infrastructure for STO
+  This is the simplest option. Not initial setup is required. Run your pipelines on Harness-hosted VMs preconfigured with tools, packages, and settings commonly used in CI pipelines. 
 
-With Harness Cloud, you can run builds in isolation on Harness-hosted VMs that are preconfigured with tools, packages, and settings commonly used in CI pipelines. Harness hosts, maintains, and upgrades these machines so that you can focus on building software instead of maintaining build infrastructure. No initial setup is required.
+- [Local Kubernetes build infrastructure](docs/continuous-integration/use-ci/set-up-build-infrastructure/k8s-build-infrastructure/set-up-a-kubernetes-cluster-build-infrastructure/) 
 
-For more information, go to [Use Harness Cloud build infrastructure](/docs/continuous-integration/use-ci/set-up-build-infrastructure/use-harness-cloud-build-infrastructure).
+   Recommended when you want to run ephemeral builds-at-scale in your own infrastructure.
 
+- [Local Docker build infrastructure](/docs/continuous-integration/use-ci/set-up-build-infrastructure/define-a-docker-build-infrastructure) 
+
+   Recommended for small, limited builds, such as a one-off build on your local machine.
+
+:::note
+
+Kubernetes and Docker infrastructures might also require a Docker-in-Docker background step in your pipeline. For more information, go to [Docker-in-Docker requirements for STO](/docs/security-testing-orchestration/sto-techref-category/security-step-settings-reference#docker-in-docker-requirements-for-sto).
+
+:::
+
+<!-- 
 
 #### Install a Kubernetes delegate for STO
 
@@ -165,6 +173,8 @@ A local runner build infrastructure is recommended for small, limited builds, su
 
 For more information, go to [Set up a local runner build infrastructure](/docs/continuous-integration/use-ci/set-up-build-infrastructure/define-a-docker-build-infrastructure) in the CI documentation. 
 
+-->
+
 
 ### Create secrets for your Git and DockerHub access credentials
 
@@ -251,35 +261,37 @@ To do the STO tutorials, point the connector at the following repo: <https://git
 
 </details>
 
-## Create a base pipeline for STO
+## Next steps
 
-The following procedure creates a pipeline with the STO functionality required to run scans on your repos, images, and instances. Once you set up this pipeline, you can clone it to a new pipeline and update the pipeline to set up your scans. 
+Now that you've set up Harness, you're ready to start using STO.
 
-This workflow is covered in [Your first STO pipeline](/tutorials/security-tests/your-first-sto-pipeline).
+A good next step is to go through [Your first STO pipeline](/tutorials/security-tests/your-first-sto-pipeline). This tutorial covers the basic concepts of STO. You'll set up a standalone pipeline with one scanner, run scans, analyze the results, and learn how to investigate and fix detected vulnerabilities.
 
-### Add a Security Test stage
+The [STO tutorials](/tutorials/security-tests) also include a set of quickstarts and end-to-end workflows that show you how to create pipelines that you can apply to a wide variety of security-related use cases. 
 
-1. In the Pipeline Studio, select **Home** > **Projects** and choose the project where you want to create the pipeline.
+Happy scanning! 
 
-  <!-- import set-up-harness-19 from './static/set-up-harness-for-sto-19.png' -->
+<!-- 
 
-  ```mdx-code-block
-  <img src={set_up_harness_19} alt="Choose the project" height="50%" width="75%" />
-  ```
+## Create a base pipeline for STO
+
+The following procedure creates a pipeline with the STO functionality required to run scans on your repos, images, and instances. This pipeline uses [Bandit](https://github.com/PyCQA/bandit), an open-source tool designed to find common security issues in Python code.  Once you set up this pipeline, you can clone it to a new pipeline and update the pipeline to set up your scans. 
+
+This workflow is covered in [Your first STO pipeline](/tutorials/security-tests/your-first-sto-pipeline).
+
+### Add a Security Test stage
 
-  <!--  ![](./static/set-up-harness-for-sto-19.png) -->
+1. In the Pipeline Studio, go to the project where you want to create the pipeline.
 
-2. Select **Select Modules** (left menu) and then select **Security Tests**.
+2. Select **Security Testing Orchestration** (top left) > **Pipelines** > **Create a Pipeline**.
 
-<!-- 
   ```mdx-code-block
    <img src={set_up_harness_20_NEW} alt="Choose the STO module" height="50%" width="50%" />
   ```
-  -->
+
 
 3. In Create New Pipeline:
-	1. Select **Pipelines** > **Create a Pipeline**. 
-	2. In Create new Pipeline > Name, enter **sto-pipeline-base**.
+	1. For Name, enter **sto-pipeline-base**.
 	3. Select **Start**.
 
   ```mdx-code-block
@@ -289,8 +301,10 @@ This workflow is covered in [Your first STO pipeline](/tutorials/security-tests/
 4. In About your Stage:
 	1. Select **Add Stage** and then **Security Tests**.
 	2. Stage Name = **securityTestStage**
-	3. Connector = The connector you created in [Create a Codebase Connector](#create-a-codebase-connector).
-	4. Select **Set Up Stage**.
+	3. Configure Codebase:
+	   1. Select **Third-party Git provider** (if this option is available)
+	   2. Connector = The connector you created in [Create a Codebase Connector](#create-a-codebase-connector) 
+	   3. Repository Name = **dvpwa**
 
   ```mdx-code-block
    <img src={set_up_harness_22} alt="Set up the stage" height="50%" width="50%" />
@@ -326,7 +340,7 @@ In the **Execution** tab, do the following:
     ```mdx-code-block
      <img src={set_up_harness_25} alt="Configure the background step" height="75%" width="75%" />
     ```
--->
+
 
 ### Add a Bandit scanner step
 
@@ -336,7 +350,7 @@ import set_up_harness_26 from './static/configure-bandit-step.png'
 ```
 
 
-1. In the Execution tab, select **Add Step** and then **Bandit**.
+1. In the Execution tab, select **Add Step** > **Security Tests** > **Bandit**.
 2. Configure the step as follows:
 	1. Scan Mode = **`Orchestration`**
 	2. Target Name = `**dvpwa**`
@@ -361,8 +375,12 @@ import set_up_harness_26 from './static/configure-bandit-step.png'
 2. Select Git Branch, enter **master** for the branch name, and then select **Run Pipeline**.
 3. When the pipeline finishes, select the **Security Tests** tab to see the dashboard.
 
+
+
 # Congratulations!
 
 You now have the build infrastructure, connectors, and pipeline required to build a pipeline and run security scans. You can simply clone the pipeline you just created and configure new pipelines based on your security requirements.
 
 ![](./static/set-up-harness-for-sto-27.png)
+
+-->
@@ -1,20 +1,32 @@
 ---
 title: STO Tutorials
 description: Get started with STO
-sidebar_position: 4
+sidebar_position: 30
 redirect_from:
   - /docs/security-testing-orchestration/onboard-sto/sto-tutorials
 ---
 
 
-The following workflows and [tutorials](/tutorials/security-tests) are available. Harness recommends you do them in this order. 
+The following workflows and [tutorials](/tutorials/security-tests) are available. 
 
-  1. [Set up Harness for STO](/docs/security-testing-orchestration/get-started/onboarding-guide) This is a good primer if you're new to Harness. It guides you through the process of setting up your connectors, delegate, and build infrastructure. Then it guides you through the process of setting up a simple standalone STO pipeline. 
+- Getting started:
+
+  - [Set up Harness for STO](/docs/security-testing-orchestration/get-started/onboarding-guide) This is a good primer if you're new to Harness. It guides you through the process of setting up the connectors, delegate, and infrastructure needed to run STO scans. 
 
-  2. [Your first STO pipeline](/tutorials/security-tests/your-first-sto-pipeline) This tutorial covers the basic concepts of STO. You'll set up a standalone pipeline with one scanner, run scans, analyze the results, and learn how to investigate and fix detected vulnerabilities.
+  - [Your first STO pipeline](/tutorials/security-tests/your-first-sto-pipeline) This tutorial covers the basic concepts of STO. You'll set up a standalone pipeline with one scanner, run scans, analyze the results, and learn how to investigate and fix detected vulnerabilities.
+
+- Quickstarts:
+
+  - [SAST code scans using Semgrep](/tutorials/security-tests/sast-scan-semgrep) This "quick-start" tutorial shows you how to scan your codebases using [Semgrep](https://semgrep.dev), which can scan a [wide variety of languages](https://semgrep.dev/docs/supported-languages/) and includes a [free version](https://semgrep.dev/pricing/).
+
+  - [Container image scans with Aqua Trivy](/tutorials/security-tests/container-scan-aqua-trivy) This "quick-start" tutorial shows you how to scan your container images using [Aqua Trivy](https://www.aquasec.com/products/trivy/), a popular open-source scanning tool.  
+
+  - [Trigger automated scans using GitLab merge requests](/tutorials/security-tests/gitlab-ci-integration) This tutorial shows how you can set up a STO pipeline that runs a build and scans a code repository automatically in response to a Git event.
+
+- Integrated end-to-end workflows:
 
-  3. [SAST code scans using Semgrep](/tutorials/security-tests/sast-scan-semgrep) This "quick-start" tutorial shows you how to scan your codebases using [Semgrep](https://semgrep.dev), which can scan a [wide variety of languages](https://semgrep.dev/docs/supported-languages/) and includes a [free version](https://semgrep.dev/pricing/).
+  - [Create a build-scan-push pipeline (STO only)](/tutorials/security-tests/build-scan-push-sto-only) Set up an end-to-end STO pipeline that scans your codebase. Then it builds an image and scans it. If the image scan detects no critical issues, the pipeline pushes the image to your registry.
 
-  4. [Container image scans with Aqua Trivy](/tutorials/security-tests/container-scan-aqua-trivy) This "quick-start" tutorial shows you how to scan your container images using [Aqua Trivy](https://www.aquasec.com/products/trivy/), a popular open-source scanning tool.  
+  - [Create a build-scan-push pipeline (STO and CI)](/tutorials/security-tests/build-scan-push-sto-ci) Set up an end-to-end STO/CI pipeline that scans your codebase, builds/pushes a test image, and then scans it. If there are no critical issues, the pipeline builds/pushes a prod image.
 
-  5. [Trigger automated scans using GitLab merge requests](/tutorials/security-tests/gitlab-ci-integration) This tutorial shows how you can set up a STO pipeline that runs a build and scans a code repository automatically in response to a Git event.
+
@@ -109,7 +109,7 @@ export const STOList: CardItem[] = [
     module: MODULES.sto,
     icon: "img/icon_sto.svg",
     description: (
-      <>Set up an end-to-end STO/CI pipeline that scans your codebase, builds/pushes a test image, and then scans it. If there are no critical issues, the pipeline builds a prod image and pushes it to your registry. </>
+      <>Set up an end-to-end STO/CI pipeline that scans your codebase, builds/pushes a test image, and then scans it. If there are no critical issues, the pipeline builds/pushes a prod image. </>
     ),
     newDoc: true,
     type: [docType.Documentation],

@@ -106,7 +106,23 @@ Do the following:
 
 6. In the Pipeline Editor, go to **Infrastructure** and select **Cloud**, **Linux**, and **AMD64** for the infrastructure, OS, and architecture.  
 
-   You can also use a [Kubernetes](/docs/category/set-up-kubernetes-cluster-build-infrastructures) or [Docker](/docs/continuous-integration/use-ci/set-up-build-infrastructure/define-a-docker-build-infrastructure) infrastructure, but these require additional work to set up.   
+   You can also use a Kubernetes or Docker build infrastructure, but these require additional work to set up. For more information, go to [Set up a build infrastructure for STO](/docs/security-testing-orchestration/get-started/onboarding-guide#set-up-a-build-infrastructure-for-sto).
+
+:::note
+
+The following step is required for Kubernetes or Docker infrastructures only. If you're using Harness Cloud, go to [Scan the code](#scan-the-code).
+
+:::
+
+
+### Add a Docker-in-Docker background step
+
+```mdx-code-block
+import StoDinDRequirements from '/docs/security-testing-orchestration/sto-techref-category/shared/dind-bg-step.md';
+```
+
+<StoDinDRequirements />
+
 
 ## Scan the code
 

@@ -102,7 +102,22 @@ Do the following:
 
 6. In the Pipeline Editor, go to **Infrastructure** and select **Cloud**, **Linux**, and **AMD64** for the infrastructure, OS, and architecture.  
 
-   You can also use a [Kubernetes](/docs/category/set-up-kubernetes-cluster-build-infrastructures) or [Docker](/docs/continuous-integration/use-ci/set-up-build-infrastructure/define-a-docker-build-infrastructure) infrastructure, but these require additional work to set up.   
+   You can also use a Kubernetes or Docker build infrastructure, but these require additional work to set up. For more information, go to [Set up a build infrastructure for STO](/docs/security-testing-orchestration/get-started/onboarding-guide#set-up-a-build-infrastructure-for-sto).
+
+:::note
+
+The following step is required for Kubernetes or Docker infrastructures only. If you're using Harness Cloud, go to [Add the codebase scan step](#add-the-codebase-scan-step).
+
+:::
+
+### Add a Docker-in-Docker background step
+
+```mdx-code-block
+import StoDinDRequirements from '/docs/security-testing-orchestration/sto-techref-category/shared/dind-bg-step.md';
+```
+
+<StoDinDRequirements />
+
 
 ## Add the codebase scan step
 

@@ -47,24 +47,16 @@ Do the following:
 
 3. In the Pipeline Editor, go to **Infrastructure** and select **Cloud**, **Linux**, and **AMD64** for the infrastructure, OS, and architecture.  
 
-   You can also use a [Kubernetes](/docs/category/set-up-kubernetes-cluster-build-infrastructures) or [Docker](/docs/continuous-integration/use-ci/set-up-build-infrastructure/define-a-docker-build-infrastructure) infrastructure, but these require additional work to set up.   
+   You can also use a Kubernetes or Docker build infrastructure, but these require additional work to set up. For more information, go to [Set up a build infrastructure for STO](/docs/security-testing-orchestration/get-started/onboarding-guide#set-up-a-build-infrastructure-for-sto).
 
-<!-- 
-4. Set up your codebase:
+:::note
 
-   1. Select **Codebase** (right menu).
-
-   2. Select your codebase connector.
-
-   3. Select **Runtime Input** as the value type for the repository name. You will specify the repo when you run the pipeline. 
-
-      ![](./static/sast-semgrep-tutorial/codebase-repo-type-input.png)  
-
--->
+The following step is required only for Kubernetes or Docker infrastructures. If you're using Harness Cloud, go to [Add the Aqua-Trivy scan step](#add-the-aqua-trivy-scan-step).
 
+:::
 
-### Add the Docker-in-Docker background step
 
+### Add a Docker-in-Docker background step
 
 ```mdx-code-block
 import StoDinDRequirements from '/docs/security-testing-orchestration/sto-techref-category/shared/dind-bg-step.md';
@@ -73,6 +65,8 @@ import StoDinDRequirements from '/docs/security-testing-orchestration/sto-techre
 <StoDinDRequirements />
 
 
+
+
 ### Add the Aqua-Trivy scan step
 
 ```mdx-code-block

@@ -92,7 +92,8 @@ Do the following:
 
 3. Go to **Infrastructure** and select **Cloud**, **Linux**, and **AMD64** for the infrastructure, OS, and architecture.  
 
-   You can also use a [Kubernetes](/docs/category/set-up-kubernetes-cluster-build-infrastructures) or [Docker](/docs/continuous-integration/use-ci/set-up-build-infrastructure/define-a-docker-build-infrastructure) infrastructure, but these require additional work to set up. 
+   You can also use a Kubernetes or Docker build infrastructure, but these require additional work to set up. For more information, go to [Set up a build infrastructure for STO](/docs/security-testing-orchestration/get-started/onboarding-guide#set-up-a-build-infrastructure-for-sto).
+
 
 ### Add a Bandit scan step