Repository assets - The repository inventory provides the identity, context, and health telemetry needed to manage every codebase as a governed asset - Administrator Guide - Cortex CLOUD

Cortex Cloud Posture Management Documentation

Product
Cortex Cloud Application Security > Cortex CLOUD
License
Cloud Posture Management
Creation date
2025-01-22
Last date published
2026-06-04
Category
Administrator Guide
Abstract

The repository inventory provides the identity, context, and health telemetry needed to manage every codebase as a governed asset.

Cortex Cloud discovers and inventories every repository connected through a Version Control System (VCS) integration: GitHub, GitLab, Bitbucket, or Azure DevOps. Each onboarded repository appears in the unified asset inventory as the source of truth for the software supply chain, carrying its identity metadata, ownership context, business criticality, security health, and downstream deployment lineage.

The repository asset enables security teams to answer three questions about every codebase: What is it? Where does it sit in the organization? What is its security health?

Note

Scope: The repository asset represents a VCS repository onboarded into Cortex Cloud. The repository asset does not represent container image repositories, artifact registries, or cloud resource inventories; those asset categories are managed under the Compute and Cloud asset classes respectively.

Core achievements and use cases
  • Asset discovery and identity: Every repository connected through a VCS integration is automatically discovered and registered in the unified asset inventory with a unique asset identifier, VCS provider, organization, default branch, and onboarding timestamp to serve as the persistent identity record for the codebase

  • Asset metadata enrichment: The repository asset is continuously enriched with metadata synchronized from the VCS provider. Retrieving repository asset details through the API enables synchronization with external asset management systems, CMDB platforms, and compliance reporting tools

  • Code to cloud lineage: The repository asset is the origin node in the code to cloud graph, establishing a traceable lineage from source code through software packages, IaC resources, and CI/CD pipelines to deployed container images and cloud resources

  • Asset health monitoring: The repository asset provides a continuous health profile by aggregating security signals from all scanner types

  • Coverage measurement: The repository inventory quantifies the ratio of discovered repositories to actively scanned repositories, enabling AppSec managers to identify and close coverage gaps manually or programmatically

  • Compliance evidence: SBOM export (CycloneDX) at the repository level provides auditable evidence of software composition

Functional responsibilities

The repository asset model facilitates a structured delegation between governance and operations:

  • AppSec managers (Governance): Review the repository inventory to identify coverage gaps such as repositories without active scanners, repositories not assigned to applications, or repositories with stale scan data, and define scanner configurations to prioritize remediation

  • AppSec practitioners (Operations): Onboard repositories through VCS integrations, configure scanner enablement per repository, trigger rescans, export SBOMs for compliance evidence, and remediate issues

Relationship model

Related asset categories and the metadata they inherit from or contribute to the repository asset:

  • VCS organization (Parent): The VCS organization that contains the repository, propagating organization-level policies and compliance scopes

  • Software package (Child): Open-source and third-party packages declared in dependency manifest files within the repository

  • IaC resource (Child): Infrastructure-as-Code resources defined within the repository

  • CI/CD pipeline (Child): CI/CD pipeline definitions associated with the repository for deployment lineage tracking

  • Container image (Downstream): Container images built from the repository through CI/CD pipelines

  • Cloud resource (Downstream): Cloud infrastructure provisioned from IaC resources defined in the repository

Repository assets inventory

To view and manage repository assets, you need at least one Version Control System (GitHub, GitLab, Bitbucket, or Azure DevOps) integrated and active, and at least one repository onboarded through that VCS integration and visible in the asset inventory.

To access repository assets, go to Inventory and select All Assets > Code > Repositories.

The repository assets page includes a dashboard and an inventory table.

Repository dashboard

The dashboard includes two widgets.

  • Providers: Displays connected version control providers (such as GitHub and GitLab) and the number of repositories found in each provider.

  • Privacy State: Shows the distribution between public and private repositories and the number of repositories in each category.

Selecting an item in either widget filters the table accordingly.

Repository table

The following properties are exposed by default in the repository asset table. Select Menu Settings to view additional properties.

  • Repository Name: The name of the repository in the version control system (VCS)

  • Provider:

    • The VCS platform hosting the repository (for example, GitHub, GitLab)

    • CI/CD tools (for example, GitHub Actions, GitLab CI, Jenkins); these refer to associated pipeline assets, not the repository itself

  • Repository Organization: The organizational structure (such as project, team, platform) that contains and manages the repository

  • Repository labels: Labels associated with the repository

  • Business Application Names: The name of the business application to which the repository is associated, indicating it is part of the application assets

  • First observed: The date the repository was initially detected in a scan

  • Observation time: The date the repository was last updated

  • Scanned Branches: The branch of the repository that is scanned (default: main/master)

  • Is repository archived: Whether the repository is no longer actively maintained or developed (boolean)

Filter and prioritize repositories

The Repositories page displays a table of all repositories. Use the search bar to find repositories by name, or apply filters to narrow results based on operational and security metadata.

To effectively reduce the organization risk surface, apply the following filter combinations to prioritize remediation efforts:

  • Target critical assets: Filter by Business Application Names to isolate repositories tied to essential services and prioritize their vulnerabilities for remediation

  • Identify public exposure risks: Filter by Repository visibility configuration: Public to identify proprietary repositories inadvertently set to public in the VCS provider

  • Find active repositories missing scanner coverage: Filter by Is repository archived: No and sort the table by the Last Scan Date column to highlight actively maintained repositories that have never been scanned

  • Filter out noise from stale code: Filter by Is repository archived: Yes or sort by the oldest Last Commit Date to isolate abandoned or read-only codebases

  • Scope by business unit or environment: Use the repository tag metadata filter to isolate the inventory for specific engineering teams or deployment environments

Repository technologies

You can add the Repository technologies column to the table through Menu Settings. Each technology appears as a tag containing the technology icon and name (for example, a JavaScript icon followed by javascript). If a repository contains multiple technologies, the column displays a truncated list showing the first three. Hover over the indicator to view the full list. The technology data is derived from the repository file composition and is updated with each repository scan.

You can also filter the repositories table by Repository technologies to look for assets that use a specific technology. The filter supports wildcard filtering and is case-insensitive. You can also view technologies in repository asset cards. Hover over a tag to view a tooltip showing the percentage of the codebase attributed to that technology. Percentages sum to 100%.

Repository inventory table actions

Right-click on a row in the inventory table to take the following actions:

  • Open in new tab: Opens the asset description card in a new tab

  • View asset data: Display asset data. Formats: JSON, Tree View

  • Copy text to clipboard: Duplicate selected text for easy pasting elsewhere

  • Copy entire row: Duplicate the entire row of data for easy pasting elsewhere

  • Show/hide rows with [Asset_Name]: Show/hide rows matching the [asset name] of the selected row

Repository assets details

Select a repository row in the table to open its side panel. This provides a consolidated workspace for investigating repository assets and remediating associated security issues without navigating away from the asset inventory.

Ask the AppSec agentic assistant

From the Repositories table, right-click a repository > Open in Agentic Assistant, select Application Security from the agents menu, and query repository-specific insights (for example, scan coverage, risk posture, or gaps).

Asset card tabs

Navigate through the following tabs in the side panel to review the repository context and lineage. This helps prioritize remediation efforts based on application criticality and assess the potential production impact of vulnerabilities:

  • Overview tab: Displays the severity breakdown of issues, repository properties (such as visibility, technologies, and owners), and current scan information including the scan type, branch name, last scan time, and health status

    • Internet Exposed: The code in the repository ultimately powers a publicly reachable cloud endpoint, calculated via the Code-to-Cloud graph

    • Deployed to Runtime: The repository code is deployed to production runtime environments through CI/CD pipelines

    • Public: The repository has public visibility in the VCS provider

    • Deprecated: The repository or its components are marked as deprecated

    • Cases: Shows X Critical and High Cases when the repository has associated cases with Critical or High severity

    • Issues: Shows X Critical and High Issues when the repository has associated issues with Critical or High severity

    For more information about scan management, refer to Application Security scans management.

  • Applications tab: Displays the business applications associated with the repository including business criticality ratings and risk scores

    For more information about applications, refer to Defining Business Applications.

  • Code to Cloud tab: Displays the relationship graph visualizing the full lineage from the repository asset to deployed cloud workloads

    Use the graph to perform the following supply chain investigations:

    • Trace build paths: Identify the specific CI/CD pipelines that build artifacts from the repository and verify pipeline status indicators to see if they are actively deploying to production

    • Map cloud infrastructure: Determine exactly which runtime cloud resources are provisioned from the IaC definitions stored in the repository

    • Assess blast radius: Trace paths down to the terminal deployment nodes, such as container images and cloud instances, to understand which production workloads are affected by a vulnerability originating in the codebase

    For more information on Code to Cloud, refer to Code to Cloud.

Investigate and remediate issues by category

The repository side panel organizes issues detected within the repository's underlying assets into dedicated tabs by issue category. Selecting a finding opens the issue side card directly within the repository context, allowing you to investigate and remediate the risk without navigating away.

Each tab, the scanner type that feeds it, and the issues it contains:

  • Vulnerabilities (scanner: SCA): Known CVE vulnerabilities in open-source packages declared in dependency manifest files within the repository. Refer to Software Composition Analysis (SCA) vulnerability issues for more information

  • Code Weaknesses (scanner: SAST): Security weaknesses in first-party source code detected through static analysis. Refer to Manage code weakness issues for more information

  • Secrets (scanner: Secrets): Hardcoded credentials, API keys, tokens, and other sensitive values detected in source code and configuration files. Refer to Navigate to secrets issues for more information

  • Package Integrity (scanner: SCA): Open-source packages with operational risk indicators (such as deprecated or unpopular packages) or license types that violate organizational compliance policies. Refer to Package integrity issues for more information

  • IaC Configuration (scanner: IaC): Security misconfigurations in Infrastructure-as-Code templates. Refer to Navigate to IaC misconfiguration issues for more information

  • CI/CD Configuration (scanner: CI/CD): Security risks and misconfigurations in CI/CD pipeline definitions associated with the repository. Refer to CI/CD Risks for more information

Execute asset actions

After reviewing the repository's health, you can perform the following operations from the Actions menu in the side panel.

  • Rescan a repository: Click Rescan to trigger an on-demand scan using the currently configured scanners

  • Export an SBOM: Click Export SBOM to generate and download a Software Bill of Materials.

    • Level: Select Repository to download the SBOM for the selected repository, or Organization to download all SBOM reports for the parent organization as a ZIP archive

    • Supported formats

      • CycloneDX v1.4: XML or JSON

      • CycloneDX v1.5: XML or JSON

      • CycloneDX v1.6: XML or JSON

      • SPDX v2.3: JSON or TXT

  • Open in GitHub: Click Open in GitHub to pivot directly to the native repository environment to investigate source code, review commit history, or initiate remediation through a pull request

  • View asset data: Click View asset data to view raw repository data in JSON (default) or tree view
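As an added example (not Cortex Cloud code or output), the following Python consumes a repository SBOM exported in either CycloneDX JSON or SPDX 2.3 JSON, normalizes both into one component list, and flags components that carry no package URL, the identifier that advisory matching and audit evidence depend on. The two embedded documents are constructed samples with a hypothetical dependency set.

```python
import json
from typing import NamedTuple, Optional

# Constructed sample exports (not real Cortex Cloud output): the same
# dependency described once as CycloneDX 1.5 JSON and once as SPDX 2.3 JSON.
CYCLONEDX_SAMPLE = """{"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
 "components": [
  {"type": "library", "name": "lodash", "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20"},
  {"type": "library", "name": "internal-lib", "version": "0.3.0"}]}"""
SPDX_SAMPLE = """{"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "repo-sbom",
 "packages": [
  {"name": "lodash", "SPDXID": "SPDXRef-Package-lodash", "versionInfo": "4.17.20",
   "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                     "referenceLocator": "pkg:npm/lodash@4.17.20"}]}]}"""

class Component(NamedTuple):
    name: str
    version: str
    purl: Optional[str]  # package URL; None when the SBOM carries no identifier

def sbom_format(text: str) -> tuple:
    """Identify the SBOM family and spec version from the top-level keys."""
    doc = json.loads(text)
    if doc.get("bomFormat") == "CycloneDX":
        return ("CycloneDX", doc.get("specVersion", ""))
    if "spdxVersion" in doc:
        return ("SPDX", doc["spdxVersion"])
    raise ValueError("not a CycloneDX or SPDX JSON document")

def components(text: str) -> list:
    """Normalize either format into (name, version, purl) records."""
    doc = json.loads(text)
    family, _ = sbom_format(text)
    if family == "CycloneDX":
        return [Component(c["name"], c.get("version", ""), c.get("purl"))
                for c in doc.get("components", [])]
    out = []
    for p in doc.get("packages", []):  # SPDX keeps the purl in externalRefs
        purl = next((r["referenceLocator"] for r in p.get("externalRefs", [])
                     if r.get("referenceType") == "purl"), None)
        out.append(Component(p["name"], p.get("versionInfo", ""), purl))
    return out

def missing_identifiers(comps: list) -> list:
    """Components without a purl cannot be matched to advisories; report them."""
    return [c.name for c in comps if not c.purl]
```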

Note

For detailed information on investigating and remediating issues, refer to Code Security scanners.