Upload findings from CI/CD pipelines

Cortex Cloud Posture Management Documentation

Product
Cortex Cloud Application Security > Cortex CLOUD
License
Cloud Posture Management
Creation date
2025-01-22
Last date published
2026-06-10
Category
Administrator Guide
Abstract

Upload findings via the API from CI/CD pipelines to automate ingestion at the CI stage.

Note

Store all collector credentials (Token ID, API Token, API URL) as encrypted secrets or credentials in the CI/CD platform. Do not hardcode credentials in pipeline configuration files.

The following examples demonstrate common integration patterns. Each one runs a SAST scanner that writes SARIF output and then POSTs that file to the collector endpoint, passing the repository ID and the branch name as query parameters and the collector credentials as headers.

Important

Verify that the upload request returns a 2xx HTTP status code. A non-2xx response indicates that the upload failed and the findings were not ingested. Configure the CI/CD pipeline step to fail on non-2xx responses to prevent silent ingestion failures. In the cURL examples, use the --fail flag, which makes curl exit non-zero on HTTP 4xx and 5xx responses, or check the exit code and status code yourself. Note that --fail does not treat a 3xx redirect as an error, so point the pipeline at the exact collector URL rather than one that redirects.

GitHub Actions

name: Upload SAST Findings to Cortex Cloud

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]

jobs:
  scan-and-upload:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Run SAST scanner
        run: |
          # Replace with your SAST tool command
          bandit -r src/ -f sarif -o sarif-results.json

      - name: Upload findings to Cortex Cloud
        env:
          CORTEX_TOKEN_ID: ${{ secrets.CORTEX_COLLECTOR_TOKEN_ID }}
          CORTEX_API_TOKEN: ${{ secrets.CORTEX_COLLECTOR_API_TOKEN }}
          CORTEX_API_URL: ${{ secrets.CORTEX_COLLECTOR_API_URL }}
          CORTEX_REPO_ID: ${{ secrets.CORTEX_REPOSITORY_ID }}
        run: |
          # --fail makes curl exit non-zero on an HTTP error response, so this step
          # fails instead of silently skipping ingestion.
          # On pull_request events GITHUB_REF_NAME is "<PR number>/merge"; use
          # ${{ github.head_ref }} if the source branch name should be reported instead.
          curl --fail -X POST "${CORTEX_API_URL}?repository_id=${CORTEX_REPO_ID}&branch=${GITHUB_REF_NAME}" \
            -H "x-crtx-auth-id: ${CORTEX_TOKEN_ID}" \
            -H "Authorization: ${CORTEX_API_TOKEN}" \
            -H "Content-Type: application/json" \
            -d @sarif-results.json

GitLab CI

upload-sast-findings:
  stage: test
  script:
    # Replace with your SAST tool command
    - bandit -r src/ -f sarif -o sarif-results.json
    # --fail makes curl exit non-zero on an HTTP error response, which fails the job
    - |
      curl --fail -X POST "${CORTEX_API_URL}?repository_id=${CORTEX_REPO_ID}&branch=${CI_COMMIT_REF_NAME}" \
        -H "x-crtx-auth-id: ${CORTEX_TOKEN_ID}" \
        -H "Authorization: ${CORTEX_API_TOKEN}" \
        -H "Content-Type: application/json" \
        -d @sarif-results.json
  variables:
    # Map the masked CI/CD variables from the project settings to the names used above
    CORTEX_TOKEN_ID: ${CORTEX_COLLECTOR_TOKEN_ID}
    CORTEX_API_TOKEN: ${CORTEX_COLLECTOR_API_TOKEN}
    CORTEX_API_URL: ${CORTEX_COLLECTOR_API_URL}
    CORTEX_REPO_ID: ${CORTEX_REPOSITORY_ID}

Jenkins (Declarative Pipeline)

pipeline {
    agent any
    environment {
        CORTEX_TOKEN_ID     = credentials('cortex-collector-token-id')
        CORTEX_API_TOKEN    = credentials('cortex-collector-api-token')
        CORTEX_API_URL      = credentials('cortex-collector-api-url')
        CORTEX_REPO_ID      = credentials('cortex-repository-id')
    }
    stages {
        stage('SAST Scan') {
            steps {
                // Replace with your SAST tool command
                sh 'bandit -r src/ -f sarif -o sarif-results.json'
            }
        }
        stage('Upload to Cortex Cloud') {
            steps {
                // Single-quoted so the shell, not Groovy, expands the variables: Groovy
                // interpolation of credentials into sh is flagged as insecure by Jenkins
                // and can expose the secrets in the build log. BRANCH_NAME is set by
                // multibranch pipelines. --fail makes the step fail on an HTTP error response.
                sh '''
                    curl --fail -X POST "${CORTEX_API_URL}?repository_id=${CORTEX_REPO_ID}&branch=${BRANCH_NAME}" \
                      -H "x-crtx-auth-id: ${CORTEX_TOKEN_ID}" \
                      -H "Authorization: ${CORTEX_API_TOKEN}" \
                      -H "Content-Type: application/json" \
                      -d @sarif-results.json
                '''
            }
        }
    }
}
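A wrapper script that any of the three pipelines above could call in place of the inline cURL command, added here as an example and not code from this documentation or from the product: it checks that the four collector variables are present, percent-encodes the repository ID and branch name for the query string, uploads the SARIF file, and returns non-zero unless the collector answers 2xx, so the CI step fails as the Important note requires. The script name, function names and the temporary response file are this example's own; the headers and query parameters are those used in the pipeline examples.

```shell
#!/bin/sh
# upload_findings.sh (added example, not product code): POST a SARIF report to the
# collector endpoint and fail the CI step unless the response is 2xx. Run as:
#   sh upload_findings.sh sarif-results.json "$GITHUB_REF_NAME"
# Expects CORTEX_API_URL CORTEX_REPO_ID CORTEX_TOKEN_ID CORTEX_API_TOKEN as CI secrets.

# Fail early with a clear message when a required variable is missing or empty.
require_env() {
  for name in "$@"; do
    eval "val=\${$name:-}"
    [ -n "$val" ] || { echo "upload: $name is not set" >&2; return 1; }
  done
}

# Percent-encode a query value (RFC 3986 unreserved bytes pass through), so a
# branch name such as feature/x+y cannot alter or break the query string.
urlencode() {
  value="$1" LC_ALL=C awk 'BEGIN {
    s = ENVIRON["value"]
    for (n = 1; n < 256; n++) ord[sprintf("%c", n)] = n
    for (i = 1; i <= length(s); i++) {
      c = substr(s, i, 1)
      if (c ~ /[A-Za-z0-9._~-]/) printf "%s", c; else printf "%%%02X", ord[c]
    }
  }'
}

# Compose the collector URL the way the pipeline examples do, with encoded values.
build_upload_url() {
  printf '%s?repository_id=%s&branch=%s' "$1" "$(urlencode "$2")" "$(urlencode "$3")"
}

# True only for HTTP 200-299; anything else means the findings were not ingested.
is_2xx() { case "$1" in 2[0-9][0-9]) return 0 ;; *) return 1 ;; esac; }
# upload_findings <sarif-file> <branch>: returns non-zero on any failure.
upload_findings() {
  sarif="$1"; branch="$2"; body="${TMPDIR:-/tmp}/cortex-upload-response.$$"
  require_env CORTEX_API_URL CORTEX_REPO_ID CORTEX_TOKEN_ID CORTEX_API_TOKEN || return 1
  [ -s "$sarif" ] || { echo "upload: $sarif is missing or empty" >&2; return 1; }
  url=$(build_upload_url "$CORTEX_API_URL" "$CORTEX_REPO_ID" "$branch")
  # --data-binary sends the SARIF bytes unchanged; -w captures the status for the check.
  status=$(curl -sS -o "$body" -w '%{http_code}' -X POST "$url" \
    -H "x-crtx-auth-id: ${CORTEX_TOKEN_ID}" -H "Authorization: ${CORTEX_API_TOKEN}" \
    -H "Content-Type: application/json" --data-binary "@$sarif") \
    || { echo "upload: no response from collector (network/TLS error)" >&2; return 1; }
  if is_2xx "$status"; then echo "upload: accepted (HTTP $status)"; rm -f "$body"; return 0; fi
  echo "upload: rejected with HTTP $status" >&2; cat "$body" >&2; rm -f "$body"; return 1
}
if [ "$#" -eq 2 ]; then upload_findings "$@"; fi
```

Because the status code is checked explicitly, a 3xx answer is reported as a failure too, which plain --fail would not catch.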