CircleCI for code scans - Administrator Guide - Cortex Cloud Posture Management - Cortex CLOUD

Cortex Cloud Runtime Security Documentation

Product
Cortex Cloud Application Security > Cortex CLOUD
License
Cloud Runtime Security
Creation date
2024-12-24
Last date published
2026-06-04
Category
Administrator Guide

Integrate Cortex Cloud Application Security with your CircleCI system to allow dynamic, automated, and context-specific code scans across your codebase. This integration provides continuous scanning of your workflows, triggered by code changes or pipeline events, ensuring security checks are performed and issues are detected as early as possible.

Code scans are executed using the Cortex CLI, and include automated shift-left actions based on scan results.

Note

CircleCI onboarding offers both code and CI/CD scanning. A single integrated instance supports either code or CI scanning, but not both. If you require both code and CI scanning for your CircleCI environment, you must create two separate integrations, selecting the appropriate scanning type for each. To onboard CircleCI for CI/CD scans, refer to CircleCI for CI/CD pipeline scans.

Prerequisite

Before you begin:

Onboarding steps
  1. On the Cortex Cloud console:

    1. Enter CircleCI in the search bar, hover over the displayed search result, and click Connect. Search for and hover over CircleCI and click Add, or Add Another Instance if an instance is already onboarded.

  2. On the Select Integration step of the CircleCI integration wizard, select Code Scan and click Next.

  3. On the Add Environment Variables step of the wizard:

    1. Select Generate API key.

      The API key secret and API key ID values are generated and populate their respective fields.

    2. Select your system architecture.

    3. Click Next.

  4. Create a context in CircleCI and name it cortex-secrets.

    Important

    The cortex-secrets naming convention for the context is mandatory to ensure functionality and must not be changed.

  5. Store your Cortex Cloud API Key and API ID within the cortex-secrets context.

    • If you have an API key:

      1. Copy the CORTEX_API_KEY and CORTEX_API_KEY_ID variable names from their respective fields in the wizard.

      2. Add the CORTEX_API_KEY and CORTEX_API_KEY_ID and their corresponding values as separate environment variables (secrets) to the cortex-secrets context.

    • If you do not have an API key:

      1. Click Generate API key, then copy the CORTEX_API_KEY and CORTEX_API_KEY_ID and their corresponding values from their respective fields.

      2. Add the CORTEX_API_KEY and CORTEX_API_KEY_ID and their corresponding values as separate environment variables to the cortex-secrets context.

    Note

    Do not change the names of the environment variables provided by Cortex Cloud. They are required for proper integration and functionality.

    For more information on context in CircleCI, refer to Using contexts in CircleCI.

  6. Copy and paste the pre-populated code from the Configure Job step of the integration wizard into your .circleci/config.yaml file, and click Done.

  7. In your .circleci/config.yaml file:

    • Verify that the YAML file includes a Docker container image

    • Verify that the context is cortex-secrets

    • In the docker run command, replace --repo-id REPO_OWNER/REPO_NAME values with your repository owner and repository name

  8. Check that the message "The integration will be created once CircleCI authorizes" is displayed in the final step of the wizard and click Close.

  9. Verify the integration and confirm that your integrated CircleCI instance has a status of Connected.

    1. On the Data Sources & Integrations page, search for CircleCI in the search bar.

    2. Hover over and select the resulting entry.

    3. Verify that the status of your CircleCI instance is Connected.

  10. Next step: View scan results and mitigate issues.

CircleCI code scan workflow template

This CircleCI workflow example automates code scanning using the Cortex CLI. The workflow contains placeholder values (often in brackets) and generic terms (such as dev) that you must replace with your environment-specific information before use.

version: 2.1

executors:
  docker-executor:
    docker:
      - image: cimg/base:stable  # Replace with a suitable image or executor
    environment:
      CORTEX_API_URL: "https://{CORTEX_URL}"  # Replace {CORTEX_URL} with your Cortex Cloud API host
      CORTEX_CLI_VERSION: "0.8.11"

jobs:
  setup-environment:
    executor: docker-executor
    steps:
      - checkout
      - setup_remote_docker
      - run:
          name: Get Temporary Token and Pull Docker Image
          command: |
            export TOKEN_RESPONSE=$(curl --location "${CORTEX_API_URL}/public_api/cas/v1/cortex-cli/create-token" \
                                        --header "Authorization: ${CORTEX_API_KEY}" \
                                        --header "x-xdr-auth-id: ${CORTEX_API_KEY_ID}" \
                                        --header "Content-Type: application/json" \
                                        --data "{}" -s)
            export TEMP_TOKEN=$(echo "$TOKEN_RESPONSE" | jq -r '.token')
            docker pull distributions-dev.traps.paloaltonetworks.com/cli-docker/${TEMP_TOKEN}/method:amd64-${CORTEX_CLI_VERSION}-dev
            docker tag distributions-dev.traps.paloaltonetworks.com/cli-docker/${TEMP_TOKEN}/method:amd64-${CORTEX_CLI_VERSION}-dev cortexcli:${CORTEX_CLI_VERSION}
      - run:
          name: Run Cortex CLI Container
          # Replace owner/repo with your actual repository information
          command: |
            docker run --rm cortexcli:${CORTEX_CLI_VERSION} \
                        --api-base-url ${CORTEX_API_URL} \
                        --api-key ${CORTEX_API_KEY} \
                        --api-key-id ${CORTEX_API_KEY_ID} \
                        code scan \
                        --directory . \
                        --repo-id <REPLACE WITH REPO_OWNER/REPO_NAME> \
                        --branch "${CIRCLE_BRANCH}"

workflows:
  version: 2
  build:
    jobs:
      - setup-environment:
          context: cortex-secrets
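The template above trusts two things it never checks: that the cortex-secrets context actually supplied CORTEX_API_KEY and CORTEX_API_KEY_ID, and that the create-token call returned a real token (on an auth failure `jq -r '.token'` yields the string "null", which then lands in the docker pull path). The following pre-flight script is an added example, not part of the Cortex Cloud documentation or the Cortex CLI; it assumes the create-token endpoint answers with JSON of the shape {"token": "..."}, as the template's jq expression implies, and it never echoes the secrets themselves.

```shell
#!/bin/sh
# Pre-flight checks for the Cortex CLI job (added example, not Cortex Cloud's own code).
# Assumption: the create-token endpoint returns JSON of the shape {"token": "..."}.

# Fail fast if the cortex-secrets context did not supply the two variables the
# template relies on; an unset value would otherwise become an empty header.
check_secrets() {
  missing=""
  for name in CORTEX_API_KEY CORTEX_API_KEY_ID; do
    eval "value=\${$name:-}"
    [ -n "$value" ] || missing="$missing $name"
  done
  if [ -n "$missing" ]; then
    echo "missing:$missing (is the cortex-secrets context attached to the job?)" >&2
    return 1
  fi
  return 0
}

# Extract the temporary token from the create-token response. The template feeds
# this value straight into a registry path, so reject anything that is empty,
# JSON null, or carries characters a token should not contain.
token_from_response() {
  token=$(printf '%s' "$1" |
    sed -n 's/.*"token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
  case "$token" in
    "" | null)
      echo "create-token response carried no usable token" >&2
      return 1 ;;
    *[!A-Za-z0-9._-]*)
      echo "token contains unexpected characters; refusing to use it" >&2
      return 1 ;;
  esac
  printf '%s\n' "$token"
}

# Build the image reference the template pulls, from an already validated token.
# $1 token, $2 CLI version, $3 architecture (amd64 in the template).
image_ref() {
  printf 'distributions-dev.traps.paloaltonetworks.com/cli-docker/%s/method:%s-%s-dev\n' "$1" "$3" "$2"
}

# Wiring as the job step would use it; the guard variable is an assumption so the
# functions can be sourced without triggering network calls.
if [ "${CORTEX_PREFLIGHT_MAIN:-0}" = "1" ]; then
  check_secrets || exit 1
  response=$(curl -sS --location "${CORTEX_API_URL}/public_api/cas/v1/cortex-cli/create-token" \
    --header "Authorization: ${CORTEX_API_KEY}" --header "x-xdr-auth-id: ${CORTEX_API_KEY_ID}" \
    --header "Content-Type: application/json" --data "{}")
  token=$(token_from_response "$response") || exit 1
  docker pull "$(image_ref "$token" "${CORTEX_CLI_VERSION}" amd64)"
fi
```

Run it with CORTEX_PREFLIGHT_MAIN=1 as the first command of the "Get Temporary Token and Pull Docker Image" step so a missing context or a rejected API key stops the job before any image is pulled.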

Manage data source integrations

Manage integrations to align with evolving requirements and ensure they remain current.

  1. Navigate to Settings > Data Sources & Integrations and use the Vendor filter to locate the required integration.

  2. Select your vendor from the list.

    The integrated instances for the selected vendor are displayed.

  3. Right-click on an instance and select an option:

    • Edit instance: Redirects to the Select Repositories step of the integration wizard, where you can modify configurations for the selected instance. For more details, refer to the relevant integration guide.

    • Delete instance: When confirmed, deletes the instance, including data from previous scans.

    • Copy entire row: Copies all column values for the selected row to the clipboard.