discovers and inventories every CI/CD pipeline associated with onboarded repositories and connected CI/CD integrations. Each pipeline detected through CI/CD scanning, whether a GitHub Actions workflow, GitLab CI pipeline, Jenkins pipeline, Azure Pipeline, Bitbucket Pipeline, or CircleCI pipeline, appears in the unified asset inventory as the governed bridge between source code and production deployments, carrying its identity metadata, CI/CD provider, parent repository, CI/CD instance association, build activity, security health, and downstream deployment lineage.
The CI/CD pipeline asset enables security teams to answer three questions about every build and deploy workflow: what pipelines exist in the organization, what is the security posture of each pipeline configuration, and which production workloads does each pipeline deploy.
Scope: The CI/CD pipeline asset represents a CI/CD pipeline definition associated with an onboarded repository or CI/CD integration. The CI/CD pipeline asset captures the pipeline configuration and build activity as discovered through CI/CD scanning. The CI/CD pipeline asset does not represent individual pipeline runs, build logs, or CI/CD scan results; pipeline runs are tracked as scan events, and CI/CD risk findings are managed as issue types under Application Security Issues. The CI/CD pipeline asset does not represent CI/CD instances (e.g., Jenkins servers, GitHub organizations); CI/CD instances are managed as a separate asset category.
What CI/CD pipeline assets deliver
The CI/CD pipeline asset is the foundational unit of build and deploy governance in the Cortex Cloud Application Security posture. The CI/CD pipeline inventory provides the identity, provider context, build activity, security health, and deployment traceability needed to manage every pipeline as a governed asset, from discovery through remediation.
Core achievements
Pipeline discovery and identity: Every CI/CD pipeline associated with an onboarded repository or CI/CD integration is automatically discovered and registered in the unified asset inventory with a unique asset identifier, pipeline name, CI/CD provider, CI/CD instance, parent repository, and pipeline definition file path. The CI/CD pipeline asset serves as the persistent identity record for the build and deploy workflow.
Build activity tracking: Each CI/CD pipeline asset carries build activity metadata including the last build execution timestamp and job activity status. The build activity profile enables operational monitoring, identifying active pipelines deploying to production versus dormant pipelines with no recent build activity.
Code to cloud deployment lineage: The CI/CD pipeline asset is the critical bridge node in the Code-to-Cloud graph, linking the repository (code origin) to deployed runtime assets (container images, VM images, cloud resources). The lineage transforms the pipeline from an isolated workflow definition into a governed deployment component with production impact visibility.
Coverage measurement: The Command Center tracks the scanning coverage status of your CI/CD pipelines (e.g., Fully covered, Partially covered, or Uncovered). This coverage visibility enables AppSec Managers to identify blind spots in their CI/CD integrations and ensure that pipelines deploying critical workloads are actively monitored for configuration risks.
CI/CD risk detection: The CI/CD pipeline asset carries a security health profile aggregating CI/CD configuration risk findings from the CI/CD scanner into a severity breakdown — the count of Critical, High, Medium, and Low issues. CI/CD risk findings map to the OWASP CI/CD Top 10 framework, covering categories such as insufficient flow control, inadequate identity and access management, dependency chain abuse, poisoned pipeline execution, and insufficient credential hygiene.
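As an added illustration of the severity breakdown described under CI/CD risk detection (example code written for this page, not Cortex Cloud's scanner), the Python below runs a few rule checks modelled on OWASP CI/CD Top 10 categories over a constructed GitHub Actions workflow and rolls the findings into Critical/High/Medium/Low counts. The rules, their severities, the placeholder commit SHA, and both sample workflows are assumptions; the hardened workflow is the same pipeline with each weak setting corrected, so the same checks return zero findings for it.

```python
"""Added example (not Cortex Cloud code): rule-based checks for a few OWASP
CI/CD Top 10 categories over a GitHub Actions workflow, rolled up into the
Critical/High/Medium/Low severity breakdown a pipeline asset would carry.
Rules, severities and sample workflows are constructed for illustration."""
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "severity category line detail")
SEVERITIES = ("Critical", "High", "Medium", "Low")

# Constructed placeholder commit SHA used for pinned actions (not a real commit).
FAKE_SHA = "0123456789abcdef0123456789abcdef01234567"

# Constructed workflow with weak settings: pull_request_target checking out the
# PR head, a write-all token, a literal credential, and a tag-pinned action.
WEAK_WORKFLOW = """\
name: build
on:
  pull_request_target:
    branches: [main]
permissions: write-all
env:
  AWS_SECRET_ACCESS_KEY: "PLACEHOLDER-NOT-A-REAL-KEY"
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: docker/build-push-action@%s
""" % FAKE_SHA

# The same pipeline with each weak setting corrected.
HARDENED_WORKFLOW = """\
name: build
on:
  pull_request:
    branches: [main]
permissions:
  contents: read
env:
  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@%s
      - uses: docker/build-push-action@%s
""" % (FAKE_SHA, FAKE_SHA)

SHA_REF = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^\s*-?\s*uses:\s*([^\s@]+)@(\S+)")
SECRET_KEY = re.compile(r"^\s*([A-Z0-9_]*(?:SECRET|TOKEN|PASSWORD|API_KEY)[A-Z0-9_]*):\s*(.+)$")
WRITE_ALL = re.compile(r"^\s*permissions:\s*write-all\s*$")
PR_TARGET = re.compile(r"^\s*pull_request_target:")
PR_HEAD = re.compile(r"github\.event\.pull_request\.head\.(?:sha|ref)")


def scan_workflow(text):
    """Return one Finding per matched rule, with the 1-based line it fired on."""
    lines = text.splitlines()
    uses_pr_target = any(PR_TARGET.match(l) for l in lines)
    findings = []
    for n, line in enumerate(lines, 1):
        m = USES.match(line)
        if m and not SHA_REF.match(m.group(2)):
            findings.append(Finding("Medium", "Dependency chain abuse", n,
                f"{m.group(1)} pinned to mutable ref {m.group(2)!r}; pin to a full commit SHA"))
        m = SECRET_KEY.match(line)
        if m and "${{ secrets." not in m.group(2):
            findings.append(Finding("Critical", "Insufficient credential hygiene", n,
                f"{m.group(1)} holds a literal value; reference the secrets store instead"))
        if WRITE_ALL.match(line):
            findings.append(Finding("High", "Inadequate identity and access management", n,
                "GITHUB_TOKEN granted write-all; scope permissions per job"))
        if uses_pr_target and PR_HEAD.search(line):
            findings.append(Finding("Critical", "Poisoned pipeline execution", n,
                "pull_request_target checks out the PR head, so untrusted code runs with base-repo secrets"))
    return findings


def severity_breakdown(findings):
    """The security health profile: count of findings per severity."""
    counts = Counter(f.severity for f in findings)
    return {s: counts.get(s, 0) for s in SEVERITIES}


if __name__ == "__main__":
    for name, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        fs = scan_workflow(wf)
        print(name, severity_breakdown(fs))
        for f in fs:
            print(f"  line {f.line}: [{f.severity}] {f.category}: {f.detail}")
```

The checks are line-based on purpose: each finding points at the exact line of the pipeline definition file, which is what a practitioner applying remediation guidance in the file needs. A production scanner would parse the YAML properly and cover far more rules; the point here is how per-rule findings become the per-pipeline severity counts shown in the inventory.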
Functional responsibilities
The CI/CD pipeline asset model facilitates a structured delegation between governance and operations:
AppSec managers (Governance): Review the CI/CD pipeline inventory to identify pipelines with systemic configuration risks mapped to the OWASP CI/CD Top 10, assess provider-level coverage gaps, and evaluate the ratio of pipelines deploying to production. Define unified policies using the CI/CD Configuration Scan policy type to enforce pipeline security standards across all onboarded CI/CD integrations. Prioritize remediation based on deployment status, internet exposure, business criticality, and the concentration of Critical and High severity CI/CD risk findings per pipeline.
AppSec practitioners (Operations): Investigate CI/CD pipeline configuration risks and apply remediation guidance directly in the pipeline definition file. Trace pipelines to deployed container images and cloud resources through the Code-to-Cloud graph to assess blast radius. Monitor build log scanning results for leaked secrets. Track remediation progress through resolution statuses and SLA compliance.
Relationship model
The Cortex Cloud platform models the following relationships between the CI/CD pipeline asset and other asset categories to provide full supply chain visibility in the Code-to-Cloud relationship graph. The CI/CD pipeline connects the repository (where code is stored) to deployed runtime assets (where code runs in production).
| Related asset category | Inherited metadata and description |
|---|---|
| Repository (Parent) | The repository containing the CI/CD pipeline definition file. The repository asset is the code origin of the pipeline in the Code-to-Cloud graph. The CI/CD pipeline inherits the repository Applications association, Business Criticality, and tags |
| CI/CD instance (Parent) | The CI/CD platform instance that hosts and executes the pipeline (such as a Jenkins server or GitHub Actions organization). The CI/CD Instance asset aggregates security posture across all pipelines within the instance. The CI/CD pipeline inherits the CI/CD Instance provider type and organizational context |
| CI/CD pipeline (Sibling) | Other CI/CD pipelines defined in the same parent repository or hosted on the same CI/CD instance. Sibling pipelines share the same repository Applications association and tags |
| Container image (Downstream) | Container images built by the CI/CD pipeline. The Code-to-Cloud graph traces the build lineage from the pipeline to the container image in the registry. The container image inherits the pipeline build context for deployment lineage tracking |
| VM image (Downstream) | VM images built by the CI/CD pipeline through tools such as Packer, Azure Image Builder, and GCP VM Image Builds. The VM image inherits the pipeline build context for deployment lineage tracking |
| Cloud resource (Downstream) | Cloud resources deployed by the CI/CD pipeline. The Code-to-Cloud graph traces the deployment lineage from the pipeline to the runtime cloud resource. The cloud resource inherits the pipeline deployment context |
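To make the relationship model concrete, the following is an added example (written for this page, not the platform's own schema or code) of a small in-memory Code-to-Cloud graph. It shows how a pipeline asset inherits Applications, Business Criticality, and tags from its parent repository and the provider type from its CI/CD instance, how sibling pipelines are derived, how the transitive downstream lineage gives the blast radius an AppSec practitioner traces, and how the governance ordering from the Functional responsibilities section (deployment status, internet exposure, business criticality, Critical and High finding count) can be expressed as a sort key. The asset categories, relation names, field names, the 90-day dormancy threshold, and all sample assets are assumptions.

```python
"""Added example (not Cortex Cloud code): a toy Code-to-Cloud relationship graph
for CI/CD pipeline assets. Categories, relations, fields and sample data are
constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed reference time so the build-activity classification is deterministic.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)

# Relations that carry build/deploy lineage from a pipeline toward runtime assets.
DOWNSTREAM = {"builds", "deploys", "runs"}


@dataclass
class Asset:
    """One node in the graph; category is one of repository, cicd_instance,
    pipeline, container_image, vm_image, cloud_resource (assumed vocabulary)."""
    asset_id: str
    category: str
    attrs: dict = field(default_factory=dict)


class CodeToCloudGraph:
    def __init__(self):
        self.assets = {}
        self.edges = []  # (parent_id, relation, child_id)

    def add(self, asset):
        self.assets[asset.asset_id] = asset
        return asset

    def link(self, parent_id, relation, child_id):
        self.edges.append((parent_id, relation, child_id))

    def parents(self, asset_id, category):
        return [self.assets[p] for p, _, c in self.edges
                if c == asset_id and self.assets[p].category == category]

    def effective_attrs(self, pipeline_id):
        """Pipeline fields plus what it inherits: applications, business
        criticality and tags from the repository, provider from the instance."""
        merged = {}
        for repo in self.parents(pipeline_id, "repository"):
            merged.update({k: v for k, v in repo.attrs.items()
                           if k in ("applications", "business_criticality", "tags")})
        for inst in self.parents(pipeline_id, "cicd_instance"):
            merged["provider"] = inst.attrs.get("provider")
        merged.update(self.assets[pipeline_id].attrs)  # the pipeline's own fields win
        return merged

    def siblings(self, pipeline_id):
        """Other pipelines sharing a parent repository or CI/CD instance."""
        out = set()
        for parent in self.parents(pipeline_id, "repository") + self.parents(pipeline_id, "cicd_instance"):
            for p, _, c in self.edges:
                if p == parent.asset_id and c != pipeline_id and self.assets[c].category == "pipeline":
                    out.add(c)
        return out

    def downstream(self, asset_id):
        """Transitive closure over lineage edges: the pipeline's blast radius."""
        seen, stack = set(), [asset_id]
        while stack:
            cur = stack.pop()
            for p, rel, c in self.edges:
                if p == cur and rel in DOWNSTREAM and c not in seen:
                    seen.add(c)
                    stack.append(c)
        return seen

    def build_status(self, pipeline_id, now=NOW, dormant_after=timedelta(days=90)):
        last = self.assets[pipeline_id].attrs.get("last_build")
        return "dormant" if last is None or now - last > dormant_after else "active"

    def remediation_priority(self, pipeline_id):
        """Sort key: deploys to production, internet exposure downstream,
        business criticality, then Critical+High finding count (higher first)."""
        attrs = self.effective_attrs(pipeline_id)
        down = [self.assets[a] for a in self.downstream(pipeline_id)]
        deploys_to_prod = any(a.category == "cloud_resource" for a in down)
        exposed = any(a.attrs.get("internet_exposed") for a in down)
        crit = {"Critical": 3, "High": 2, "Medium": 1, "Low": 0}.get(attrs.get("business_criticality"), 0)
        f = attrs.get("findings", {})
        return (int(deploys_to_prod), int(exposed), crit, f.get("Critical", 0) + f.get("High", 0))


def sample_graph():
    """Constructed sample: one repo with two pipelines on one GitHub Actions instance."""
    g = CodeToCloudGraph()
    g.add(Asset("repo-1", "repository", {"name": "payments-api", "applications": ["payments"],
                                         "business_criticality": "High", "tags": {"team": "payments"}}))
    g.add(Asset("inst-1", "cicd_instance", {"name": "example-org", "provider": "GitHub Actions"}))
    g.add(Asset("pipe-build", "pipeline", {"name": ".github/workflows/build.yml",
                "last_build": NOW - timedelta(days=2),
                "findings": {"Critical": 1, "High": 2, "Medium": 3, "Low": 0}}))
    g.add(Asset("pipe-nightly", "pipeline", {"name": ".github/workflows/nightly.yml",
                "last_build": NOW - timedelta(days=200),
                "findings": {"Critical": 0, "High": 0, "Medium": 1, "Low": 2}}))
    g.add(Asset("img-1", "container_image", {"name": "payments-api:1.4.2"}))
    g.add(Asset("vm-1", "vm_image", {"name": "payments-bastion-2025-01"}))
    g.add(Asset("res-1", "cloud_resource", {"name": "eks/payments-prod", "internet_exposed": True}))
    for pipe in ("pipe-build", "pipe-nightly"):
        g.link("repo-1", "contains", pipe)
        g.link("inst-1", "hosts", pipe)
    g.link("pipe-build", "builds", "img-1")
    g.link("img-1", "runs", "res-1")
    g.link("pipe-build", "deploys", "res-1")
    g.link("pipe-nightly", "builds", "vm-1")
    return g


if __name__ == "__main__":
    g = sample_graph()
    for pid in sorted(("pipe-build", "pipe-nightly"), key=g.remediation_priority, reverse=True):
        print(pid, g.build_status(pid), g.remediation_priority(pid), sorted(g.downstream(pid)))
```

The sort key mirrors the governance ordering from the Functional responsibilities section: a pipeline that deploys an internet-exposed production resource and carries Critical findings sorts ahead of a dormant pipeline whose only downstream asset is a VM image, even though both inherit the same High business criticality from the repository.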