Integrate Cortex Cloud Application Security with your AWS CodeCommit version control system (VCS) to enable security scans for exposed secrets, infrastructure-as-code (IaC) misconfigurations, vulnerabilities, package operational risks, and license compliance issues in your repositories. This allows you to analyze, prioritize, and resolve detected issues efficiently.
How the integration works
To ensure security, the platform does not store or use your personal AWS credentials for scanning. Instead, the integration utilizes a cross-account trust relationship through a dedicated IAM Service Role. This relationship is secured using an External ID, a unique security identifier that prevents unauthorized third-party access.
Deployment: You deploy a CloudFormation template provided during onboarding. This template creates the necessary IAM roles and permissions automatically, requiring no manual configuration
The service role: This template creates a specific IAM role for cross-account access that trusts the platform. The trust policy is automatically configured with a unique External ID generated for your tenant. This role follows least privilege principles by requiring only necessary CodeCommit permissions and is limited to the platform AWS account
Auditability: All actions performed by the service role are logged in AWS CloudTrail, providing a permanent audit trail of all repository access and scanning activity for compliance monitoring
Scanning policies: The role includes the required policies for scanning operations and permissions for CodeCommit repository access
Events: The template configures a Simple Notification Service (SNS) topic with an HTTP subscription to the platform webhook URL. The template automatically applies an SNS Access Policy that allows CodeCommit to publish events and authorizes the platform to subscribe to the topic. When code changes occur, this topic pushes a notification to the webhook, triggering the platform to assume the service role and initiate a scan
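The trust relationship above is what keeps the role from being assumed by anyone other than the platform account presenting your tenant's External ID, so it is worth verifying after the stack deploys. The checker below is an added example (not part of the Cortex Cloud template); the account ID and External ID in the constructed sample document are placeholders.

```python
"""Verify the trust policy of a cross-account scanning role.

Added example, not part of the Cortex Cloud template. It checks that the
role's trust policy (a) only trusts the expected platform account and
(b) requires the tenant's External ID, the control that stops a third
party from having the role assumed on their behalf (confused deputy).
"""
import json

# Constructed sample trust document. The account ID and External ID are
# placeholders, not values issued by the platform.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}},
    }],
})


def _as_list(value):
    # IAM allows a single string or a list in most policy fields.
    return value if isinstance(value, list) else [value]


def check_trust_policy(doc, expected_account, expected_external_id):
    """Return a list of problems; an empty list means the policy is acceptable."""
    policy = json.loads(doc) if isinstance(doc, str) else doc
    problems, saw_assume_role = [], False
    for stmt in _as_list(policy.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or not any(a in ("sts:AssumeRole", "sts:*") for a in actions):
            continue
        saw_assume_role = True
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in principals:
            if p == "*" or expected_account not in p:
                problems.append(f"unexpected principal allowed to assume role: {p}")
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        ext_ids = _as_list(conditions.get("sts:ExternalId", []))
        if not ext_ids:
            problems.append("sts:AssumeRole statement has no sts:ExternalId condition")
        elif expected_external_id not in ext_ids:
            problems.append(f"External ID does not match tenant value: {ext_ids}")
    if not saw_assume_role:
        problems.append("no Allow statement grants sts:AssumeRole")
    return problems
```

To run it against the deployed role, fetch the live document with `aws iam get-role --role-name <ROLE_NAME> --query Role.AssumeRolePolicyDocument` (role name is a placeholder) and pass the JSON to `check_trust_policy` with the account ID and External ID shown in your tenant.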
Danger
Before you begin, ensure the following:
AWS user permissions: To onboard CodeCommit, the user logged into the AWS Console must have permissions to deploy the CloudFormation stack and authorize the creation of the following resources:
cloudformation:CreateStack: Required to deploy the integration template
iam:CreateRole: Required to allow the template to provision the Service Role for scanning operations
sns:CreateTopic: Required to allow the template to provision notification triggers. Note: You must ensure your account is prepared to create an SNS topic for each required region if your Cloud account and stack are in different regions, as AWS requires SNS events to reside in the same region as the stack
Note
During deployment, you must acknowledge the CAPABILITY_IAM setting in the AWS Console to allow the creation of these resources.
Required scanning and policy permissions
The system requires specific permissions to access repositories and evaluate security conditions:
Scanning permissions: Rights for the Service Role to access and scan CodeCommit repositories.
Policy permissions: Rights to detect findings and handle issues generated from policies based on repository conditions and scan results.
Once the stack is created, the new IAM Service Role will automatically possess permissions to perform scans and handle policy-generated issues. For the complete list of permissions, refer to Technical appendix: IAM Service Role permissions below
Note
The permissions are configured entirely by the CloudFormation template; no manual action is required.
Onboarding steps
Generate the template in the Cortex Cloud tenant.
Search for AWS CodeCommit, hover over and click Add, or Add Another Instance if an instance is already onboarded.
Download and save the CloudFormation template (YAML file) or copy the link for your administrator.
Create a stack on the AWS console.
→ → .
In the Specify template section, select → → → .
→ .
→ → .
Select the repositories to be scanned from the Cortex Cloud tenant.
On the Data Sources & Integrations page, → .
.
Tip
The instance ID is identical to the stack ID on the AWS platform.
Under Selection Options, choose the repositories to be connected to the instance:
Permit all existing repositories
Permit all existing and future repositories
Select Choose from repository list and select repositories from the list
Click .
Verify integration through the tenant or in AWS using either of these options:
In Cortex Cloud: On the Data Sources & Integrations page, filter for AWS CodeCommit, select the AWS CodeCommit data source that is displayed, and verify that the status of your instance (connector) is Connected
In AWS: Open → . Verify that the integration is displayed with a Create Complete status
Validate repository scan and view scan results
After connection, the platform automatically triggers a security scan of the repository. Scanning is supported for infrastructure-as-code (IaC) analysis, Software Composition Analysis (SCA), and secrets detection.
Navigate to → → .
Filter by → .
Verify that the scan health of your repository is Completed.
Select the repository.
Review a summary of findings detected by the scans and issues generated by policies targeting the repository.
Next step: Navigate to a dedicated issue table (such as Secrets) to understand and remediate the issue.
Troubleshooting
Review the following common issues and resolutions to resolve errors during stack creation, repository connection, or scanning processes.
CloudFormation stack creation fails
Stack status shows CREATE_FAILED or ROLLBACK_COMPLETE
Verify IAM permissions for stack creation
Check for naming conflicts with existing stacks
Review CloudFormation events for specific error messages
Ensure CAPABILITY_IAM is granted
Connection status shows WARNING or ERROR
Instance status not CONNECTED
Verify CloudFormation stack is in CREATE_COMPLETE state
Check IAM role trust relationship
Ensure CodeCommit repository exists and is accessible
Verify cross-account access permissions
No scan results
Repository connected but no findings in tables
Check repository contains scannable files
Verify scan job completed successfully
Review scanner logs for errors
Ensure repository is not empty
Manage data source integrations
Manage integrations to align with evolving requirements and ensure they remain current.
Navigate to → and use the Vendor filter to locate the required integration.
Select your vendor from the list.
The integrated instances for the selected vendor are displayed.
Right-click on an instance and select an option:
: Redirects to the Select Repositories step of the integration wizard, where you can modify configurations for the selected instance. For more details, refer to the relevant integration guide
: When confirmed, deletes the instance, including data from previous scans
Copy entire row – Copies all column values for the selected row to the clipboard.
Data protection
Cortex Cloud ensures the security and integrity of your code:
Isolated scanning: Repository contents are scanned within a strictly isolated sandbox environment to prevent cross-contamination
Tenant isolation: All security findings are stored with tenant isolation to ensure your data remains private and inaccessible to others
No Persistence: No repository credentials or sensitive secrets are stored within the platform infrastructure
Temporary access: Access is managed through secure cross-account IAM role assumption which provides temporary permissions without the need for static keys
Technical appendix: IAM Service Role permissions
codecommit:GitPull: Allows users to pull Git repository changes
codecommit:ListBranches: Grants the ability to list branches within a repository
codecommit:GetBranch: Required to get details about a branch in a repository
codecommit:GetPullRequest: Enables fetching details of a specific pull request
codecommit:GetFolder: Required to view the contents of a specified folder in a repository from the CodeCommit console
codecommit:GetFile: Required to view the encoded content of an individual file and its metadata in a repository from the CodeCommit console
codecommit:GetBlob: Allows fetching of an object (such as a file) from a repository
codecommit:GetCommitsFromMergeBase: Grants access to commits from the merge base of a branch
codecommit:GetCommentsForPullRequest: Allows retrieval of comments associated with a pull request
codecommit:PostCommentReply: Required to create a reply to a comment on a comparison between commits or on a pull request
codecommit:UpdateComment: Allows updating of comments on pull requests
codecommit:PostCommentForPullRequest: Required to post a comment on a pull request in a repository
codecommit:GetComment: Permits retrieval of a specific comment on a pull request
codecommit:GetCommit: Allows fetching details of a specific commit
codecommit:GetDifferences: Grants access to differences (changes) between commits, branches, and so on
codecommit:BatchGetRepositories: Enables batch retrieval of repository details
codecommit:GetRepository: Permits fetching details of a specific repository
codecommit:ListRepositories: Grants the ability to list repositories within an account
codecommit:GetRepositoryTriggers: Allows fetching of triggers configured for a repository
codecommit:PutRepositoryTriggers: Enables configuration of repository triggers
codecommit:TestRepositoryTriggers: Allows testing of repository triggers
codecommit:GetTree: Required to view the contents of a specified tree in a repository from the CodeCommit console. This is an IAM policy permission only, not an API action that you can call
codecommit:GetReferences: Permits fetching of references (branches, tags, etc.) in a repository
codecommit:GetObjectIdentifier: Grants access to object identifiers within a repository
codecommit:GetCommitHistory: Allows fetching of commit history for a repository
codecommit:BatchGetPullRequests: Required to return information about one or more pull requests in a repository. This is an IAM policy permission only, not an API action that you can call
codecommit:BatchGetCommits: Enables batch retrieval of commit details
codecommit:GetCommentsForComparedCommit: Required to return information about comments made on the comparison between two commits in a repository
codecommit:PostCommentForComparedCommit: Required to create a comment on the comparison between two commits in a repository
codecommit:PostCommentReply: Enables posting replies to comments on pull requests
codecommit:ListPullRequests: Required to return information about the pull requests for a repository
codecommit:DeleteCommentContent: Required to delete the content of a comment made on a change, file, or commit in a repository. Comments cannot be deleted, but the content of a comment can be removed if the user has this permission
codecommit:CreateBranch: Permits creation of branches within a repository
codecommit:GetBranch: Permits retrieval of branch details
codecommit:CreateCommit: Allows creation of commits in a repository
codecommit:CreatePullRequest: Enables creation of pull requests in a repository
codecommit:PutFile: Required to add a new or modified file to a repository from the CodeCommit console, CodeCommit API, or the AWS CLI
codecommit:ListAssociatedApprovalRuleTemplatesForRepository: Grants access to associated approval rule templates for a repository
codecommit:ListApprovalRuleTemplates: Allows listing of approval rule templates
codecommit:GetApprovalRuleTemplate: Required to return information about an approval rule template in an Amazon Web Services account
codecommit:ListRepositoriesForApprovalRuleTemplate: Permits listing of repositories associated with an approval rule template