Harness
Mobb can be integrated into any CI/CD platform of your choice. This guide will demonstrate how to integrate Mobb into a Harness CI pipeline using an existing SAST report.
Setting Up Secrets in Harness
Go to your Harness project.
Navigate to Project Setup → Secrets.
Create the following secrets:
mobb-api-token – Mobb API Token. Learn how to generate one here.
(Optional) cx-token – if you’re using CheckmarxOne for SAST

Creating the Harness Pipeline
In this example, we'll run Checkmarx One as our SAST tool and pass the results to Mobb.
Sample Pipeline YAML
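In this sample pipeline, a CheckmarxOne SAST scan looks for vulnerabilities in the checked-out repository. After the scan completes, the scan result cx_result.json is passed to Mobb for analysis and to generate a fix report. The secret expressions in the sample use the org. prefix (for example org.mobb-api-token), which resolves organization-scoped secrets; if you created the secrets under Project Setup as described above, reference them without the prefix, for example <+secrets.getValue("mobb-api-token")>.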

pipeline:
  name: harness_pipeline
  identifier: harness_pipeline
  projectIdentifier: default_project
  orgIdentifier: default
  tags: {}
  properties:
    ci:
      codebase:
        connectorRef: antonychiu2
        repoName: webgoat
        build: <+input>
  stages:
    - stage:
        name: Checkmarx Scan and Fix
        identifier: Checkmarx
        description: ""
        type: CI
        spec:
          cloneCodebase: true
          caching:
            enabled: true
            override: true
            paths: []
          platform:
            os: Linux
            arch: Amd64
          runtime:
            type: Cloud
            spec: {}
          execution:
            steps:
              - step:
                  type: CheckmarxOne
                  name: CheckmarxOne_1
                  identifier: CheckmarxOne_1
                  spec:
                    mode: orchestration
                    config: default
                    target:
                      type: repository
                      detection: auto
                    advanced:
                      log:
                        level: info
                      fail_on_severity: none
                      args:
                        cli: "--output-path ."
                    auth:
                      access_token: <+secrets.getValue("org.cx-token")>
                      type: apiKey
                    tool:
                      project_name: Webgoat
              - step:
                  type: Run
                  name: Mobb Autofixer
                  identifier: Mobb_Autofixer
                  spec:
                    connectorRef: account.harnessImage
                    image: node:20
                    shell: Sh
                    command: |-
                      echo "Running Mobb with SAST report..."
                      npx mobbdev@latest analyze \
                        -f cx_result.json \
                        -r "$CI_REPO_REMOTE" \
                        --ref "$CI_COMMIT_BRANCH" \
                        --api-key <+secrets.getValue("org.mobb-api-token")> \
                        --ci
                  when:
                    stageStatus: All
          sharedPaths:
            - /shared
          buildIntelligence:
            enabled: false
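A pre-flight guard for the "Mobb Autofixer" step, as an added example (not part of the original guide or of Mobb's tooling): the step runs with stageStatus: All, so it still executes when the scan step errored and cx_result.json may be missing or unusable. The function name preflight_mobb and the MOBB_API_TOKEN environment variable (assumed to be set on the step from the mobb-api-token secret) are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight guard to run before `npx mobbdev@latest analyze`.
# Assumptions: MOBB_API_TOKEN is an environment variable populated from the
# mobb-api-token secret; preflight_mobb is a hypothetical helper name.

# Exit codes: 0 = safe to call Mobb, 1 = report unusable, 2 = token missing.
preflight_mobb() {
  report="$1"

  # The token must be present. Never echo its value into the build log.
  if [ -z "${MOBB_API_TOKEN:-}" ]; then
    echo "MOBB_API_TOKEN is empty; check the secret reference and its scope" >&2
    return 2
  fi

  # With stageStatus: All this step runs even after a failed scan,
  # so the report may never have been written.
  if [ ! -s "$report" ]; then
    echo "SAST report '$report' is missing or empty" >&2
    return 1
  fi

  # Cheap shape check: a JSON report starts with '{' or '[' once
  # leading whitespace is removed. An error page or log text does not.
  first=$(tr -d ' \t\r\n' < "$report" | head -c 1)
  case "$first" in
    '{'|'[') return 0 ;;
    *)
      echo "SAST report '$report' does not look like JSON" >&2
      return 1
      ;;
  esac
}

# Script mode: `sh preflight.sh cx_result.json` checks one report.
# Inside the pipeline command, call it before the npx line:
#   preflight_mobb cx_result.json || exit 1
[ "$#" -eq 0 ] || preflight_mobb "$1"
```
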
Viewing the Mobb Report Link
Once the pipeline runs successfully, the Mobb report link will appear in the Harness Logs section for the "Mobb Autofixer" step.

You can click the link to open the relevant Mobb report, review the proposed fixes, and apply them back to your repository.
Summary
You are now fully configured to integrate Mobb into your Harness CI pipeline. Mobb will automatically read your SAST reports and generate fixes that you can review and commit with confidence.
For a list of supported SAST formats, visit the System Requirements page.