VCS and CI/CD pipeline risk findings - Administrator Guide - Cortex Cloud Posture Management - Cortex CLOUD

Cortex Cloud Posture Management Documentation

Product: Cortex Cloud Application Security > Cortex CLOUD
License: Cloud Posture Management
Creation date: 2025-01-22
Last date published: 2026-06-10
Category: Administrator Guide

VCS and CI/CD pipeline scans produce findings, which are potential security risks in your VCS repositories and CI/CD pipeline configurations. These insights help you assess and analyze the security posture of your VCSs and CI/CD pipelines.

The CI/CD risks Findings table is a filtered instance of the broader Findings table found under Cases & Issues, meaning it exclusively displays findings categorized as CI/CD pipeline risk findings. However, the CI/CD pipeline risk Findings table only displays findings detected during periodic scans. In contrast, the comprehensive Findings table includes all CI/CD pipeline risk findings regardless of their detection source, such as periodic, pull request (PR), and continuous integration (CI) scans.

The following table describes selected properties of the Findings table.

  • Name: The name of the finding

  • Created: When the finding was initially detected

  • Last Updated: The last detection date of the finding

  • Provider: The VCS, including the CI/CD pipeline

  • Sub Category: The CI/CD category that the finding belongs to. Values include:

    • 3rd Party Services

    • Artifact Integrity Validation

    • Credential Hygiene

    • Data Protection

    • Dependency Chains

    • Identity & Access Management

    • Input Validation

    • Flow Control Mechanisms

    • Pipeline-Based Access Controls (PBAC)

    • Poisoned Pipeline Execution (PPE)

    • System Configuration

  • Detection Method: The engine used to detect VCS and CI/CD findings. Default value: CI/CD Risk Scanner

  • Finding ID: The unique identifier assigned to the finding

Expanded Findings details

Click on a finding in the inventory table to open the Findings side card, which provides additional details about the finding.

  • Finding summary: Found at the top of the card. Includes the finding name, ID and type (Configuration for CI/CD risk findings)

  • Description: A description of the finding including its location

  • Timestamp: When the finding was last updated

  • Asset details: Includes Asset (the impacted asset; clicking the asset opens the asset side card without navigating away to the asset section) and Asset Type (the specific asset type in which the CI/CD risk was identified)

  • Evidence: Provides evidence and contextual details within your SDLC containing the CI/CD risk finding:

    • Finding source

      • Data Source: The system or integration from which the finding data was originally pulled (such as GitHub or a CI/CD pipeline). Click the icon next to the data source to navigate to the data source itself

      • Run ID: The unique identifier of the specific scan execution during which this finding was detected

      • Collaborator: The individual or team responsible for contributing to the code or configuration where the finding was identified

    • Code context

      • Repository: The name of the version control repository where the finding was located

      • Branch: The specific branch within the repository containing the finding

      • File Path: The exact location of the finding within the repository file structure

      • First Hash: The commit hash of the first commit where this specific finding was introduced or detected

    • Scan metadata

      • Run ID: The unique identifier of the specific scan execution during which this finding was detected

  • Code: The file and the code containing the CI/CD risk in which the finding was detected