CI/CD pipelines assets - The CI/CD pipeline inventory provides the identity, provider context, build activity, security health, and deployment traceability needed to manage every pipeline as a governed asset, from discovery through remediation. - Administrator Guide - Cortex CLOUD

Cortex Cloud Posture Management Documentation

Product
Cortex Cloud Application Security > Cortex CLOUD
License
Cloud Posture Management
Creation date
2025-01-22
Last date published
2026-06-10
Category
Administrator Guide
Abstract

The CI/CD pipeline inventory provides the identity, provider context, build activity, security health, and deployment traceability needed to manage every pipeline as a governed asset, from discovery through remediation.

Cortex Cloud discovers and inventories every CI/CD pipeline associated with onboarded repositories and connected CI/CD integrations. Each pipeline detected through CI/CD scanning, whether a GitHub Actions workflow, GitLab CI pipeline, Jenkins pipeline, Azure Pipeline, Bitbucket Pipeline, or CircleCI pipeline, appears in the unified asset inventory as the governed bridge between source code and production deployments, carrying its identity metadata, CI/CD provider, parent repository, CI/CD instance association, build activity, security health, and downstream deployment lineage.

The CI/CD pipeline asset enables security teams to answer three questions about every build and deploy workflow: what pipelines exist in the organization, what is the security posture of each pipeline configuration, and which production workloads does each pipeline deploy.

Note

Scope: The CI/CD pipeline asset represents a CI/CD pipeline definition associated with an onboarded repository or CI/CD integration. The CI/CD pipeline asset captures the pipeline configuration and build activity as discovered through CI/CD scanning. The CI/CD pipeline asset does not represent individual pipeline runs, build logs, or CI/CD scan results; pipeline runs are tracked as scan events, and CI/CD risk findings are managed as issue types under Application Security Issues. The CI/CD pipeline asset does not represent CI/CD instances (e.g., Jenkins servers, GitHub organizations); CI/CD instances are managed as a separate asset category. The repository asset represents a VCS repository onboarded into Cortex Cloud. The repository asset does not represent container image repositories, artifact registries, or cloud resource inventories; those asset categories are managed under the Compute and Cloud asset classes respectively.

The CI/CD pipeline asset is the foundational unit of build and deploy governance in Cortex Cloud Application Security. The CI/CD pipeline inventory provides the identity, provider context, build activity, security health, and deployment traceability needed to manage every pipeline as a governed asset, from discovery through remediation.

Core achievements and use cases
  • Pipeline discovery and identity: Every CI/CD pipeline associated with an onboarded repository or CI/CD integration is automatically discovered and registered in the unified asset inventory with a unique asset identifier, pipeline name, CI/CD provider, CI/CD instance, parent repository, and pipeline definition file path. The CI/CD pipeline asset serves as the persistent identity record for the build and deploy workflow

  • Build activity tracking: Each CI/CD pipeline asset carries build activity metadata including the last build execution timestamp and job activity status. The build activity profile enables operational monitoring, identifying active pipelines deploying to production versus dormant pipelines with no recent build activity

  • Code to cloud deployment lineage: The CI/CD pipeline asset is the critical bridge node in the Code to cloud graph, linking the repository (code origin) to deployed runtime assets (container images, VM images, cloud resources). The lineage transforms the pipeline from an isolated workflow definition into a governed deployment component with production impact visibility

  • Coverage measurement: The Command Center tracks the scanning coverage status of your CI/CD pipelines (e.g., Fully covered, Partially covered, or Uncovered). This coverage visibility enables AppSec Managers to identify blind spots in their CI/CD integrations and ensure that pipelines deploying critical workloads are actively monitored for configuration risks

  • CI/CD risk detection: The CI/CD pipeline asset carries a security health profile aggregating CI/CD configuration risk findings from the CI/CD scanner into a severity breakdown — the count of Critical, High, Medium, and Low issues. CI/CD risk findings map to the OWASP CI/CD Top 10 framework, covering categories such as insufficient flow control, inadequate identity and access management, dependency chain abuse, poisoned pipeline execution, and insufficient credential hygiene

Functional responsibilities

The CI/CD pipeline asset model facilitates a structured delegation between governance and operations:

  • AppSec managers (Governance): Review the CI/CD pipeline inventory to identify pipelines with systemic configuration risks mapped to the OWASP CI/CD Top 10, assess provider-level coverage gaps, and evaluate the ratio of pipelines deploying to production. Define unified policies using the CI/CD Configuration Scan policy type to enforce pipeline security standards across all onboarded CI/CD integrations. Prioritize remediation based on deployment status, internet exposure, business criticality, and the concentration of Critical and High severity CI/CD risk findings per pipeline

  • AppSec practitioners (Operations): Investigate CI/CD pipeline configuration risks and apply remediation guidance directly in the pipeline definition file. Trace pipelines to deployed container images and cloud resources through the Code-to-Cloud graph to assess blast radius. Monitor build log scanning results for leaked secrets. Track remediation progress through resolution statuses and SLA compliance

Relationship model

Cortex Cloud models the following relationships between the CI/CD pipeline asset and other asset categories to provide full supply chain visibility in the Code-to-Cloud relationship graph. The CI/CD pipeline connects the repository (where code is stored) to deployed runtime assets (where code runs in production).

Related asset category

Inherited metadata and description

Repository (Parent)

The repository containing the CI/CD pipeline definition file. The repository asset is the code origin of the pipeline in the Code to cloud graph. The CI/CD pipeline inherits the repository Applications association, Business Criticality, and tags

CI/CD instance (Parent)

The CI/CD platform instance that hosts and executes the pipeline (such as Jenkins server, GitHub Actions organization). The CI/CD Instance asset aggregates security posture across all pipelines within the instance. The CI/CD pipeline inherits the CI/CD Instance provider type and organizational context

CI/CD pipeline (Sibling)

Other CI/CD pipelines defined in the same parent repository or hosted on the same CI/CD instance. Sibling pipelines share the same repository Applications association and tags

Container image (Downstream)

Container images built by the CI/CD pipeline. The Code-to-Cloud graph traces the build lineage from the pipeline to the container image in the registry. The container image inherits the pipeline build context for deployment lineage tracking

VM image (Downstream)

VM images built by the CI/CD pipeline through tools such as Packer, Azure Image Builder and GCP VM Image Builds. The VM image inherits the pipeline build context for deployment lineage tracking

Cloud resource (Downstream)

Cloud resources deployed by the CI/CD pipeline. The Code-to-Cloud graph traces the deployment lineage from the pipeline to the runtime cloud resource. The cloud resource inherits the pipeline deployment context

CI/CD pipeline assets inventory

To view and manage CI/CD pipeline assets, you must have:

  • At least one Version Control System (GitHub, GitLab, Bitbucket, Azure DevOps) integrated and active, and at least one repository onboarded through the VCS integration and visible in the asset inventory.

  • At least one CI/CD integration active (GitHub Actions, GitLab CI, Jenkins, Azure Pipelines, Bitbucket Pipelines, CircleCI, Argo CD, AWS CodeBuild). CI/CD pipelines are discovered through active CI/CD integrations.

  • At least one completed periodic scan that includes CI/CD configuration scanning results.

To access CI/CD pipeline assets, go to Inventory and select All Assets > Code > CI/CD Pipelines.

The CI/CD pipelines assets page includes a dashboard and an inventory table.

CI/CD pipeline dashboard

The dashboard includes a widget displaying the connected CI pipeline providers (such as GitHub Actions, GitLab CI, and Jenkins) and the number of pipelines found in each provider. Selecting an item in the widget filters the table accordingly.

CI/CD pipeline asset table

The following table describes the default exposed properties of the CI/CD pipeline asset table. Select Menu Settings to view additional hidden properties (such as Last Job Execution Time and File Contributors).

Property

Description

Name

The name of the CI/CD pipeline as discovered from the CI/CD integration. The Pipeline Name serves as the primary identifier for the CI/CD pipeline asset

Provider

The CI/CD platform hosting the pipeline (for example, GitHub Actions, GitLab CI, Jenkins, Azure Pipelines, Bitbucket Pipelines, CircleCI, Argo CD, AWS CodeBuild)

CI Instance

The CI/CD platform instance that executes the pipeline (for example, the Jenkins server name, the GitHub organization, the GitLab group)

Repository

The parent repository containing the CI/CD pipeline definition file

Provider

The VCS provider hosting the parent repository (GitHub, GitLab, Bitbucket, Azure DevOps)

CI File Path

The path to the pipeline definition file within the repository (for example, .github/workflows/build.yml, .gitlab-ci.yml, Jenkinsfile)

Business Application Names

The business applications associated with the CI/CD pipeline, inherited from the parent repository, including business criticality ratings

Filter and prioritize CI/CD pipelines

The CI/CD Pipelines page displays a table of all CI/CD pipeline assets discovered through active CI/CD integrations. Apply filters to narrow results based on operational and security metadata.

To effectively reduce the organization CI/CD risk surface, apply the following filter combinations to prioritize remediation efforts:

  • Prioritize active deployment workflows: Filter by Last Job Execution column (most recent first) to surface pipelines that are actively running. This ensures you are prioritizing remediation efforts on live, active workflows rather than dormant codebases

  • Scope by CI/CD provider: Use the CI/CD Provider filter (or dashboard widget) to isolate the inventory by provider (for example, GitHub Actions or Jenkins) to evaluate provider-specific misconfigurations and enforce platform-level security standards
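The prioritization described above, applied to raw pipeline records, as an added example that is not part of this guide or the Cortex Cloud product: it drops dormant pipelines, optionally scopes to one provider, and ranks the rest by deployment status, internet exposure, business criticality and the concentration of Critical and High findings. The record field names, the 90-day dormancy window and the score weights are assumptions, not the schema returned by View asset data.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records. Field names are assumptions for illustration,
# not the schema Cortex Cloud returns from "View asset data".
NOW = datetime(2026, 6, 10, tzinfo=timezone.utc)
PIPELINES = [
    {"name": "build.yml", "provider": "GitHub Actions",
     "last_job_execution": NOW - timedelta(days=1), "deployed_to_runtime": True,
     "internet_exposed": True, "business_criticality": "High",
     "issues": {"Critical": 1, "High": 2, "Medium": 3, "Low": 0}},
    {"name": "Jenkinsfile", "provider": "Jenkins",
     "last_job_execution": NOW - timedelta(days=120), "deployed_to_runtime": False,
     "internet_exposed": False, "business_criticality": "Low",
     "issues": {"Critical": 2, "High": 0, "Medium": 0, "Low": 1}},
    {"name": ".gitlab-ci.yml", "provider": "GitLab CI",
     "last_job_execution": NOW - timedelta(days=3), "deployed_to_runtime": True,
     "internet_exposed": False, "business_criticality": "Medium",
     "issues": {"Critical": 0, "High": 1, "Medium": 5, "Low": 2}},
]

CRITICALITY_WEIGHT = {"High": 3, "Medium": 2, "Low": 1}  # assumed weights


def is_active(p, now=NOW, dormant_after_days=90):
    """A pipeline is active if a job ran within the (assumed) 90-day window."""
    return now - p["last_job_execution"] <= timedelta(days=dormant_after_days)


def risk_score(p):
    """Weight Critical/High concentration by business criticality, then add
    fixed bonuses for the Deployed to runtime and Internet Exposed highlights."""
    score = 10 * p["issues"]["Critical"] + 5 * p["issues"]["High"]
    score *= CRITICALITY_WEIGHT.get(p["business_criticality"], 1)
    if p["deployed_to_runtime"]:
        score += 20
    if p["internet_exposed"]:
        score += 20
    return score


def prioritize(pipelines, provider=None, now=NOW):
    """Return active pipelines (optionally one provider), highest risk first,
    ties broken by the most recent job execution."""
    selected = [p for p in pipelines if is_active(p, now)
                and (provider is None or p["provider"] == provider)]
    return sorted(selected,
                  key=lambda p: (-risk_score(p), -p["last_job_execution"].timestamp()))


def dormant(pipelines, now=NOW):
    """Names of pipelines with no recent job: review or decommission candidates."""
    return [p["name"] for p in pipelines if not is_active(p, now)]
```

Note that the dormant Jenkins pipeline carries two Critical findings but is excluded from the active ranking; it surfaces through dormant() instead, so it is reviewed rather than silently ignored.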

CI/CD pipeline inventory table actions

Right-click on a row in the inventory table to take the following actions:

  • Open in new tab: Opens the description tab of the asset in a new browser tab for detailed analysis

  • View asset data: Opens a new pop-up window displaying the data retrieved for the asset during the most recent scan in either JSON (default) or tree view. This raw data provides a comprehensive and unformatted view of the asset's properties and attributes as they were initially ingested

  • Copy text to clipboard: Copies the selected text to the clipboard

  • Copy entire row: Copies the entire selected row data

  • Show/hide rows: Select a value in a row to filter the entire inventory, showing or hiding assets that share the selected attribute

  • Open in Cortex Assistant/Open in Cortex Agentic Assistant: Opens the pipeline in Cortex Assistant or Cortex Agentic Assistant

CI/CD pipeline assets details

Select a CI/CD pipeline row in the table to open its side panel. This provides a consolidated workspace for investigating pipeline definitions and security posture without navigating away from the asset inventory. The health profile represents the current security state of the pipeline configuration.

Ask the AppSec agentic assistant agent

From the CI/CD Pipelines table, right-click a pipeline row and select Open in Agentic Assistant > Application Security from the agents menu. You can then query pipeline-specific insights.

You can also access the agent in the side panel by clicking the Ask AI icon.

Asset card tabs

Navigate through the following tabs in the side panel to review the pipeline context and lineage. This helps prioritize remediation efforts based on application criticality and assess the potential production impact of misconfigurations:

  • Overview tab: Displays key pipeline properties, including the following highlights that help you prioritize pipelines:

    • Deployed to runtime, indicating it actively deploys workloads to production

    • Internet Exposed, indicating the deployed workloads produced by the pipeline are publicly reachable from the internet

    • Public, indicating the pipeline or its parent repository has public visibility

    • Deprecated, indicating the pipeline or associated components are deprecated

    • Issue severity, the severity breakdown of CI/CD configuration risk issues associated with the pipeline

  • Applications tab: Lists the business applications associated with the CI/CD pipeline (inherited from the parent repository), including business criticality ratings and risk scores

  • Instances tab: Displays the CI/CD instances associated with the pipeline. Select an instance to view its details without navigating away

  • Code to Cloud tab: Displays the Code to cloud relationship graph, visualizing the lineage from the CI/CD pipeline through the parent repository to deployed container images, VM images, and cloud resources

    Note

    This requires active CI/CD integrations and successful build log analysis. Pipelines without successful build log analysis display only the repository and pipeline nodes

Investigate and remediate issues

You can investigate specific security findings directly from the asset side panel. From the Overview tab, you can select specific issues or cases associated with the pipeline.

Selecting an issue opens a dedicated issue side card directly over the inventory view. This allows you to review detailed information, including the detection rule, severity level, OWASP CI/CD Top 10 category mapping, and evidence, and apply remediation guidance without losing your place in the asset inventory.

Note

Navigate to the dedicated Application Security > Issues > CI/CD Risks page to manage the remediation lifecycle at scale through bulk status updates, team assignments, and SLA tracking for compliance monitoring.

Execute asset actions

After reviewing the pipeline health, you can click View asset data to view raw pipeline data in JSON (default) or tree view formats to assist with custom integrations, XQL queries, or API operations. View asset data is available from either the side panel Actions menu or by right-clicking the resource in the main table.

Limitations

Limitation

Description

CI/CD integration required

CI/CD pipeline assets are only created through active CI/CD integrations. Repositories without connected CI/CD integrations do not generate CI/CD pipeline assets

Provider support scope

CI/CD pipeline discovery is limited to supported providers: GitHub Actions, GitLab CI, Jenkins, Azure Pipelines, Bitbucket Pipelines, CircleCI, Argo CD, AWS CodeBuild, TeamCity, and Travis CI

Code to cloud mapping dependency

The code to cloud graph requires successful build log analysis to trace the full lineage from the pipeline to deployed runtime assets

Build activity data freshness

Build activity metadata (Last job execution, Job Activity) is updated during periodic scans and CI/CD integration synchronization

Build log secret scanning scope

Build log scanning detects secrets printed during pipeline execution. Not all CI/CD providers support build log ingestion

CI/CD configuration scan policy restrictions

The CI/CD configuration scan policy type supports only the periodic scan trigger