Connect Cortex Cloud Application Security with your version control systems (VCS) to gain comprehensive visibility into the systems, technologies, configurations, and pipelines that make your VCS platform.
These integrations trigger both periodic scans and scans on pull requests (PRs) via a webhook, enabling security scans to identify and remediate Software Composition Analysis (SCA) vulnerabilities, exposed secrets, Infrastructure-as-Code (IaC) misconfigurations, and license compliance issues in your VCS environment. Scan results are displayed directly in PR comments and reports, allowing you to analyze, prioritize and fix issues as soon as they are detected.
By onboarding your VCS systems, you gain complete visibility into your repositories and pipeline assets, as well as out-of-the-box CI/CD system capabilities:
Visibility and asset discovery
Onboarding your VCS provides immediate visibility into your repositories and pipeline assets:
Asset mapping and inventory: All repositories and their associated pipeline assets (such as GitHub Actions) are mapped, creating a complete inventory of your environment. This includes discovering forgotten or unauthorized devices and their connections
Attack surface understanding: It helps you understand and manage your potential attack surface
Vulnerability management: The inventory allows you to identify and prioritize security vulnerabilities since you can't secure what you don't know exists
Compliance and auditing: Establish the necessary data baseline, code history, and logs required to prove compliance during audits
Automated scanning and enforcement
Once your assets are mapped, Cortex uses that inventory to actively monitor your environment for risks:
Periodic and PR scans: The integration triggers both periodic baseline scans and webhook-driven scans on pull requests (PRs)
Vulnerability management: Security scans actively detect exposed secrets, Software Composition Analysis (SCA) risks (including CVE vulnerabilities, license non-compliance and package operational risk), Infrastructure-as-Code (IaC) misconfigurations, and license compliance issues
CI/CD system capabilities: Onboarding a VCS automatically integrates with specific CI/CD systems detected within your repositories, triggering automated scans that identify supply chain security risks within your pipelines. For more information, refer to Onboard CI/CD systems
Supported VCS data sources
Cortex Cloud Application Security currently supports the following VCS data source integrations:
Each integration requires a unique set of permissions and subscribed events.
How to onboard a VCS data source
VCS data sources are listed in the Cortex data source catalog.
Navigate to → → → → .
Tip
Navigate to → → → .
From the search results, select a data source and follow the instructions in its configuration wizard to complete the settings configuration process.
Note
Disclaimer: When onboarding with third-party data sources, we outline the required steps for setup, but we do not monitor these external resources, and they may change over time. Always refer to the relevant third-party documentation for the most current integration steps.
Onboard an additional data source instance
To onboard an additional data source instance:
On the Data Sources & Integrations page, select an integration from the table and click Add Instance.
Complete the onboarding through the configuration wizard.
Verify data source connectivity status and connected repositories
You can verify the connectivity status of data source instances and their connected repositories through one of these methods:
Navigate to → . This page displays all data sources with their connected instances, including connectivity status and additional instance details.
When browsing the Data Source catalog, click a data source to view its details.
Manage VCS instances
You can manage VCS data source instances as follows:
Select → .
Click a data source to see a list of its connected instances.
Hover over an instance and right-click to access the following actions:
Details: View details of the data source instance, including a list of connected repositories and organization, connectivity status, last scan date, and when initially connected.
Edit instance: Opens the Select Repositories step of the integration wizard, allowing you to edit connected repositories. You can also edit the instance configuration by navigating back to the previous step of the wizard and modifying the relevant details.
Delete instance: Deletes the entire instance.
Remove a connected repository: Right-click a repository in the list, and click Remove Repository.
Manage findings and issues
For information about managing findings detected after onboarding data sources, and the issues generated from those findings, refer to Code Security scanners.