Package operational risk issues are one of several issue types within the Cortex Cloud Application Security platform. Understanding the relationship between operational risk issues and the broader ecosystem enables effective cross-domain prioritization.
Issue types in Application Security
| Issue Type | Scanner | Description |
|---|---|---|
| Vulnerabilities | CAS_CVE_SCANNER | CVEs detected in open-source dependencies (SCA). |
| IaC Misconfigurations | CAS_IAC_SCANNER | Security misconfigurations in Terraform, CloudFormation, Kubernetes, and Helm templates. |
| Secrets | CAS_SECRET_SCANNER | Hardcoded credentials, API keys, and tokens detected in source code. |
| Code Weaknesses | CAS_SAST_SCANNER | SAST findings including injection flaws, authentication issues, and insecure patterns. |
| License Issues | CAS_LICENSE_SCANNER | Non-compliant open-source license usage. |
| Package Operational Risk | CAS_OPERATIONAL_RISK_SCANNER | Deprecated, unmaintained, or unpopular packages with elevated supply chain risk. |
| CI/CD Risks | CAS_CI_CD_RISK_SCANNER | Security risks in CI/CD pipeline configurations. |
| Malware | CAS_MALWARE_SCANNER | Malicious code detected in dependencies or source code. |
Relationship between operational risk and CVE vulnerabilities
Package operational risk and CVE vulnerability issues are complementary assessments of the same open-source dependency:
CVE vulnerability issues identify known security vulnerabilities in a specific package version. CVE issues are reactive: they respond to vulnerabilities that have already been disclosed.
Package operational risk issues assess the health and sustainability of the package itself. Operational risk issues are proactive: they identify packages that are likely to accumulate unpatched vulnerabilities because maintenance activity is low.
The package operational risk level (High, Medium, Low) is used as a contextual signal in the urgency calculation of CVE vulnerability issues. A CVE vulnerability in a package with high operational risk receives elevated urgency because the package is less likely to receive a timely security patch from the upstream maintainer.
From findings to issues to Cases
The Cortex Cloud Application Security platform processes security data through a three-tier hierarchy:
Findings: Raw scanner output. The operational risk scanner produces a finding for every package with an elevated operational risk score in every scanned dependency manifest. Findings are available on the Findings tab of the Package Operational Risk page.
Issues: Deduplicated, policy-evaluated findings. When a finding matches a unified policy, Cortex Cloud creates an issue with the configured severity and enforcement actions. Issues are the primary unit of work for AppSec practitioners.
Cases: Grouped issues that require coordinated remediation. Cases aggregate related issues across scanners and repositories into a single remediation workflow with ownership, SLA tracking, and audit trails.
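As an added illustration (not Cortex Cloud's own code), the following Python models the two relationships described above: findings from the CVE and operational risk scanners are joined per dependency, duplicate CVE findings across manifests collapse into one issue, and a High operational risk level elevates the urgency of the CVE issue. The field names, the urgency scale, the "raise by one level" rule and the sample findings are all assumptions made for this example.

```python
# Added illustration, not Cortex Cloud code: field names, urgency scale and "+1 level" rule are assumptions.
# Constructed sample findings; repo names, package names and CVE ids are placeholders.
CVE_FINDINGS = [
    {"repo": "payments", "manifest": "package.json", "package": "pkg-a",
     "version": "1.0.0", "cve": "CVE-0000-0001", "severity": "High"},
    {"repo": "payments", "manifest": "package-lock.json", "package": "pkg-a",
     "version": "1.0.0", "cve": "CVE-0000-0001", "severity": "High"},  # same CVE, second manifest
    {"repo": "web", "manifest": "requirements.txt", "package": "pkg-b",
     "version": "2.0.0", "cve": "CVE-0000-0002", "severity": "High"},
]
OPERATIONAL_RISK_FINDINGS = [
    {"repo": "payments", "package": "pkg-a", "risk": "High"},  # unmaintained upstream
    {"repo": "web", "package": "pkg-b", "risk": "Low"},
]
LEVEL_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}
RANK_LEVEL = {rank: level for level, rank in LEVEL_RANK.items()}

def operational_risk_index(findings):
    """Map (repo, package) to the highest operational risk level reported for it."""
    index = {}
    for f in findings:
        key = (f["repo"], f["package"])
        if LEVEL_RANK[f["risk"]] > LEVEL_RANK.get(index.get(key), 0):
            index[key] = f["risk"]
    return index

def dedup_cve_issues(findings):
    """Collapse findings for the same CVE in the same package version of one repo into one issue."""
    issues = {}
    for f in findings:
        key = (f["repo"], f["package"], f["version"], f["cve"])
        issue = issues.setdefault(key, {"severity": f["severity"], "manifests": []})
        issue["manifests"].append(f["manifest"])
    return issues

def urgency(cve_severity, op_risk):
    """Assumed rule: High operational risk raises urgency one level above the CVE severity."""
    rank = LEVEL_RANK[cve_severity] + (1 if op_risk == "High" else 0)
    return RANK_LEVEL[min(rank, max(LEVEL_RANK.values()))]

def prioritize(cve_findings, op_findings):
    """Join both scanners' output per dependency and order the resulting issues by urgency."""
    op_index = operational_risk_index(op_findings)
    issues = []
    for (repo, package, version, cve), issue in dedup_cve_issues(cve_findings).items():
        risk = op_index.get((repo, package), "Low")  # no operational finding: treat as Low
        issues.append({"repo": repo, "package": package, "version": version, "cve": cve,
                       "op_risk": risk, "urgency": urgency(issue["severity"], risk),
                       "manifests": issue["manifests"]})
    return sorted(issues, key=lambda i: LEVEL_RANK[i["urgency"]], reverse=True)
```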
Unified policies and operational risk
Unified Application Security Policies govern how operational risk findings are evaluated and what actions are triggered. A unified policy can:
Create an issue with a specific severity when an operational risk finding matches the policy conditions
Block a PR when an operationally risky package is detected during a PR scan
Block a CI pipeline when an operationally risky package is detected during a CI code scan
Generate a CLI report with the operational risk details for developer review
Configure unified policies for operational risk at → → .