Code Security identifies and mitigates vulnerabilities, secrets, and IaC misconfigurations, shifting security left to protect data and maintain trust.
Code Security provides automated, native scanning tools that enable a shift-left approach, identifying and remediating security issues early in the software development life-cycle (SDLC) before issues reach production.
Note
Code Security covers the detection and analysis engines. For the governance and orchestration layer, see Application Security Posture Management (ASPM).
Core achievements and key features
Value drivers
Detect vulnerabilities before deployment: Identify CVEs, hardcoded secrets, IaC misconfigurations, license violations, and supply chain risks across all onboarded repositories before code reaches production
Developer efficiency: Surface immediate, actionable feedback with fix guidance directly in IDEs and PR comments, reducing time from detection to remediation
Visibility and traceability: Inventory software packages, IaC resources, and dependency chains with code to cloud mapping to accelerate root-cause analysis
Streamlined operations: Centralize periodic, PR, and CI scan management with coverage tracking and drill-down insights across all scanner types
Key features
Unified scanner portfolio: SCA (CVE, license, package risk), secrets, IaC misconfigurations, and IaC drift scanning across all onboarded repositories from a single platform
Shift-left integrations: Supports major VCS (GitHub, GitLab, Bitbucket), CI tools (Jenkins, GitHub Actions), Cortex CLI, and IDE plugins (JetBrains, VS Code)
Consistent detection rules: The same detection rules execute across IDE, CLI, PR, CI, and periodic scans, ensuring findings are evaluated against identical standards at every SDLC stage
Inline remediation guidance: Each finding includes actionable fix guidance, fix versions for CVEs, code snippets for IaC misconfigurations, and rotation instructions for secrets
Secure infrastructure: Transporter for secure communication between SDLC environments and Cortex Cloud
Primary outputs
Asset visibility: Discovery and inventory of IaC resources and software packages with code to cloud mapping. Refer to Code Security assets for more information
Security issues: Scanners evaluate findings against rules and policies to generate actionable issues
Scanners
| Scanner | Detection target | Issue category |
|---|---|---|
| Secrets | Detects hardcoded credentials, API keys, tokens, and other sensitive data in source code. Attacker context: a valid credential committed to a repository can be discovered by automated scanning bots within minutes (MITRE T1552.001). Refer to Secrets scans for more information | Secrets |
| SCA CVE vulnerabilities | Identifies known CVEs in open-source dependencies. Attacker context: unpatched dependencies in internet-exposed services are known entry points (MITRE T1190). Refer to Software Composition Analysis (SCA) vulnerability issues for more information | Vulnerabilities |
| SCA License compliance | Identifies packages with non-compliant licenses that expose the organization to legal risk, derivative work disclosure obligations, or commercial use restrictions. Refer to License miscompliance issues for more information | License Compliance |
| SCA Package operational risk | Assesses open-source packages for maintainability, community health, versioning hygiene, and dependency depth. Identifies packages that are deprecated, unmaintained, or have low community adoption. Refer to Package operational risk scanner for more information | Package Integrity |
| IaC misconfigurations | Detects security misconfigurations in IaC templates (Terraform, CloudFormation, Kubernetes, ARM, Bicep) before deployment. Attacker context: a misconfigured security group or overly permissive IAM policy creates the attack surface that enables lateral movement. Refer to Infrastructure as Code (IaC) misconfiguration scanner for more information | Configurations |
| IaC drift | Detects configuration drift between the IaC definition in the repository and the actual deployed cloud resource. Drift indicates that manual changes have been made outside the IaC pipeline, potentially introducing untracked security misconfigurations. Refer to IaC Drift Detection scans for more information | Configurations |
NOTES:
SAST native scans are currently unavailable. SAST data is supported through ingestion from third-party vendors. Refer to Manage code weakness issues for more information.
Ingested SCA CVE data is also supported. Refer to Ingest third-party data sources for more information.
For CI/CD risk scans, refer to CI/CD Risks
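As an added example (not Cortex Cloud's scanner code), the following Python sketches what the IaC drift comparison described in the table amounts to: flatten the declared IaC resource and the live cloud resource to attribute level, report every difference, and flag attributes whose drift is a likely security misconfiguration. The resource shapes, attribute names and sample data are constructed assumptions.

```python
# Constructed, illustrative IaC drift check in the spirit of the IaC drift scanner this page
# describes. Not Cortex Cloud's scanner; the resource shapes below are simplified assumptions.
SECURITY_SENSITIVE = ("ingress", "public", "encrypted", "policy")  # drift here = likely misconfiguration

def _flatten(obj, prefix=""):
    """Flatten nested dicts/lists into {"ingress[1].port": 22, ...} for attribute-level comparison."""
    if isinstance(obj, dict):
        items = [(f"{prefix}.{k}" if prefix else k, v) for k, v in obj.items()]
    elif isinstance(obj, list):
        items = [(f"{prefix}[{i}]", v) for i, v in enumerate(obj)]
    else:
        return {prefix: obj}
    out = {}
    for key, val in items:
        out.update(_flatten(val, key))
    return out

def detect_drift(declared: dict, actual: dict) -> list:
    """Compare the IaC definition (declared) with live cloud state (actual), resource by resource.
    One record per drifted attribute; kind 'unmanaged' means the attribute exists only in the
    live state, i.e. a manual change made outside the IaC pipeline."""
    drift = []
    for res_id in sorted(set(declared) | set(actual)):
        if res_id not in actual or res_id not in declared:
            kind = "missing_in_cloud" if res_id not in actual else "unmanaged_resource"
            drift.append({"resource": res_id, "attribute": None, "kind": kind})
            continue
        want, have = _flatten(declared[res_id]), _flatten(actual[res_id])
        for attr in sorted(set(want) | set(have)):
            if want.get(attr) == have.get(attr):
                continue
            kind = "unmanaged" if attr not in want else "missing" if attr not in have else "changed"
            drift.append({"resource": res_id, "attribute": attr, "kind": kind,
                          "declared": want.get(attr), "actual": have.get(attr),
                          "security_relevant": any(tok in attr for tok in SECURITY_SENSITIVE)})
    return drift

# Constructed sample: a Terraform-style security group whose live copy gained an SSH rule open
# to the world, and a bucket whose encryption was switched off by hand.
DECLARED = {
    "aws_security_group.web": {"ingress": [{"port": 443, "cidr": "10.0.0.0/8"}]},
    "aws_s3_bucket.logs": {"encrypted": True, "versioning": True},
}
ACTUAL = {
    "aws_security_group.web": {"ingress": [{"port": 443, "cidr": "10.0.0.0/8"},
                                          {"port": 22, "cidr": "0.0.0.0/0"}]},
    "aws_s3_bucket.logs": {"encrypted": False, "versioning": True},
}
```

Running `detect_drift(DECLARED, ACTUAL)` yields three records: the bucket's `encrypted` attribute changed, and two `unmanaged` ingress attributes for the rule added outside the pipeline, all flagged as security relevant.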
Workflows
Code Security issues are surfaced through four workflows. Each serves a different SDLC stage and persona.
| Workflow | What it does | Scanners |
|---|---|---|
| IDE | The Cortex Cloud IDE Extensions (VS Code, JetBrains) run security scans locally in the developer's editor. Developers receive inline findings with severity, remediation guidance, and fix suggestions at code-time — before code is committed. The IDE workflow is the leftmost enforcement point. Findings remediated in the IDE never enter the version control system. Refer to IDE for more information | IaC, Secrets, SCA |
| CLI | The Cortex CLI (`cortexcli`) executes security scans from CI/CD pipelines, developer workstations, and automation scripts. The CLI evaluates findings against Unified Application Security Policies and can block CI pipelines when policy violations are detected. Refer to the Application Security CLI documentation for more information | IaC, Secrets, SCA |
| Tenant (UI) | The Cortex Cloud console provides centralized visibility into scan results, issues, and security posture. The console surfaces three scan types (periodic, PR, CI) in the scan management view, and displays issues in dedicated tables organized by scanner type (Secrets, SCA, IaC). AppSec Managers use the console for governance review; AppSec Practitioners use the console for issue triage and remediation tracking. Refer to Code Security scanners for more information | All |
| API | The Cortex Cloud public REST APIs enable programmatic access to scan operations, issue retrieval, policy management, and SBOM export. The API workflow supports automation of scan triggering, compliance reporting, custom triage pipelines, and integration with ticketing systems (Jira, ServiceNow). Refer to API workflows for Code Security issues for more information | All |
Context - from findings to prioritized issues
Findings become issues
Scanners generate raw findings, which are evaluated against Unified Application Security Policies. A finding that violates a policy generates an issue, provided the policy is configured to trigger issues.
Issues gain context via code to cloud traceability
To understand the actual risk of an issue, it must be contextualized. Code-to-Cloud traceability maps an asset's lineage (such as a CVE in a repository) through the CI/CD pipeline to the cloud resource where the container image is ultimately deployed.
This traceability operates on two levels:
Asset-level traceability: Maps lineage and path-to-production for all discovered assets, including packages, IaC resources, and repositories
Issue-level traceability: Evaluates the deployment context of the affected asset to answer critical risk questions:
Is the vulnerable code actually deployed?
Is the deployment internet-exposed?
What is the application environment (such as production, staging, development)?
What is the business criticality of the application?
For more information on code to cloud traceability, refer to Code to Cloud.
Issues are prioritized by Urgency
Once an issue has its Code-to-Cloud deployment context, it receives an Urgency classification. You should prioritize issues by Urgency first, as it measures actual, actionable risk rather than theoretical vulnerabilities. Severity should still be considered, but only as a secondary factor.
Urgency supersedes static severity by combining:
Real-world deployment context (from code to cloud traceability)
Active exploit intelligence (such as EPSS and CISA KEV)
Application business criticality
Scope of Urgency
Applies to: CVE vulnerabilities, secrets, IaC misconfigurations, code weaknesses (SAST), and IaC drift
Does not apply to: License compliance (legal risk) and package operational risk (acts only as a secondary signal for CVE Urgency)
Refer to Urgency for more information.
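As an added example (not Cortex Cloud's own algorithm, API or policy schema), this Python model walks constructed findings through the pipeline described above: the policy gate that turns findings into issues, the code-to-cloud context, and an Urgency score that ranks a deployed, internet-exposed, actively exploited high CVE above an undeployed critical one. The weights, thresholds, field names and sample policy are assumptions made for the demonstration.

```python
from dataclasses import dataclass
# Constructed, illustrative model of this page's pipeline: finding -> policy gate -> issue ->
# code-to-cloud context -> Urgency. Not Cortex Cloud's algorithm or API; weights are assumed.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
URGENCY_SCOPED = {"sca_cve", "secrets", "iac", "sast", "iac_drift"}  # page's "Scope of Urgency"
URGENCY_ORDER = {"urgent": 0, "high": 1, "medium": 2, "low": 3, None: 4}

@dataclass
class Finding:
    scanner: str                       # sca_cve, secrets, iac, license, package_risk, ...
    severity: str                      # static severity reported by the scanner
    deployed: bool = False             # code-to-cloud: does the asset reach a deployed resource?
    internet_exposed: bool = False
    environment: str = "development"   # production / staging / development
    business_criticality: str = "low"  # low / medium / high
    exploit_intel: bool = False        # active exploit intelligence (EPSS above threshold, CISA KEV)

def finding_to_issue(f: Finding, policy: dict) -> bool:
    """Policy gate: issue only if the assumed policy triggers issues and severity meets its minimum."""
    rule = policy.get(f.scanner)
    if not rule or not rule.get("trigger_issues", False):
        return False
    return SEVERITY_RANK[f.severity] >= SEVERITY_RANK[rule.get("min_severity", "low")]

def urgency(f: Finding):
    """Urgency label, or None where Urgency does not apply (license, package operational risk)."""
    if f.scanner not in URGENCY_SCOPED:
        return None
    if not f.deployed:
        return "low"   # no path to production: theoretical rather than actionable risk
    score = SEVERITY_RANK[f.severity]
    score += 2 if f.internet_exposed else 0
    score += 1 if f.environment == "production" else 0
    score += 1 if f.business_criticality == "high" else 0
    score += 2 if f.exploit_intel else 0
    return "urgent" if score >= 8 else "high" if score >= 6 else "medium" if score >= 4 else "low"

def prioritize(findings, policy):
    # Gate findings through policy, then order the issues by Urgency first, severity second.
    issues = [f for f in findings if finding_to_issue(f, policy)]
    return sorted(issues, key=lambda f: (URGENCY_ORDER[urgency(f)], -SEVERITY_RANK[f.severity]))

# Constructed sample: an undeployed critical CVE vs. a deployed, internet-facing, actively
# exploited high CVE in production; the latter must rank first despite its lower severity.
SAMPLE_POLICY = {"sca_cve": {"trigger_issues": True, "min_severity": "medium"},
                 "license": {"trigger_issues": True}, "secrets": {"trigger_issues": False}}
SAMPLE = [
    Finding("sca_cve", "critical"),
    Finding("sca_cve", "high", deployed=True, internet_exposed=True, environment="production",
            business_criticality="high", exploit_intel=True),
    Finding("license", "medium"),                    # becomes an issue, but Urgency is None
]
```

`prioritize(SAMPLE, SAMPLE_POLICY)` returns the deployed high CVE (urgent) ahead of the undeployed critical one (low), with the license issue last because Urgency does not apply to it.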
Roles and permissions
Cortex Cloud provides these predefined roles for Code Security:
| Role | Scope |
|---|---|
| AppSec Admin | Full permissions: Create and modify detection rules, manage enforcements, triage and investigate findings, issues, and cases from code to cloud, and view all cloud assets |
| DevSecOps | Intermediate permissions: Manage and resolve security issues, perform scan management, and integrate security practices across development and operations workflows |
| Developer | Read-only permissions: View and analyze scan results, track progress, and collaborate with security teams. Cannot modify detection rules, enforcements, or resolve issues directly |
You can view the granular permissions assigned to each role in the tenant by navigating to → → . For more information on user roles, refer to Manage user roles and access management.