The VCS organization assets inventory provides the identity, provider context, aggregated security health, and repository visibility needed to manage every VCS organization as a governed asset, from discovery through remediation.
Cortex Cloud discovers and inventories every Version Control System (VCS) organization connected through active VCS integrations. Each VCS organization appears in the unified asset inventory as the top-level governance boundary for the software supply chain, carrying its identity metadata, VCS provider, repository count, CI/CD instance associations, aggregated security health, and organizational context.
The VCS organization asset enables security teams to answer three questions about every development organization: what VCS organizations exist across the enterprise, what is the aggregated security posture of each organization, and which repositories and CI/CD instances does each organization contain.
Note
Scope: The VCS organization asset represents a VCS organization discovered through an active VCS integration. It captures the organizational identity, provider type, and aggregated security posture across all child entities. It does not represent individual repositories, CI/CD pipelines, or CI/CD instances, nor does it represent business applications.
The VCS organization asset is the foundational unit of organization-level governance in Cortex Cloud. The VCS organization inventory provides the identity, provider context, aggregated security health, and repository visibility needed to manage every VCS organization as a governed asset, from discovery through remediation.
Organization discovery and identity: Every VCS organization connected through a VCS integration is automatically discovered and registered with a unique identifier, name, provider, and URL
Code to Cloud lineage root: All downstream assets inherit their governance scope (policies, compliance frameworks, business criticality context) from the VCS Organization through the parent-child relationship chain. The Code-to-Cloud graph in the side panel visualizes this lineage starting from the VCS Organization node
Policy propagation and compliance scoping: Organization-level policies propagate to all repositories within the VCS organization, ensuring consistent security standards
The VCS organization asset facilitates a structured delegation between governance and operations:
AppSec managers (Governance): Review the VCS organization inventory to assess the security posture at the organizational level, identify organizations with the highest concentration of Critical and High severity findings, evaluate coverage gaps, and define organization-scoped policies that propagate to all child repositories.
AppSec practitioners (Operations): Navigate from the VCS organization to individual repositories and CI/CD instances to investigate and remediate security findings. Onboard new repositories, configure scanner enablement, and track remediation progress at the organization level.
The VCS organization asset is the root node of the Code-to-Cloud asset hierarchy. The platform models the following relationships between the VCS organization asset and other asset categories:
Relationship direction | Related asset category | Relationship description | Inherited metadata |
|---|---|---|---|
Child | Repository | Repositories contained within the VCS organization. Aggregates security posture across all child repositories | Child repositories inherit organization-level policies and compliance scope. Findings aggregate up to the organization health profile |
Child | CI/CD Instance | CI/CD platform instances associated with the VCS organization (such as GitHub Actions instance for a GitHub organization) | Child CI/CD instances inherit the VCS organization provider type and organizational context |
Sibling | VCS Organization | Other VCS organizations within the same Cortex Cloud tenant operating as independent governance boundaries | Sibling organizations share the tenant but maintain independent policy scopes and health profiles |
VCS organization assets inventory
To view and manage VCS organization assets, you must have at least one Version Control System (GitHub, GitLab, Bitbucket, Azure DevOps) integrated and active. VCS organizations are discovered through active VCS integrations.
To access repository assets, go to Inventory, select → → .
The VCS organization assets page includes a dashboard and an inventory table.
The dashboard includes the Providers widget, which displays connected version control providers (such as GitHub, GitLab, Bitbucket, and Azure DevOps) and the number of organizations found in each provider. Selecting an item in the widget filters the table accordingly.
The following table describes the default exposed properties of the VCS Organization asset table. Select Menu Settings to view additional properties.
Property | Description |
|---|---|
VCS Organization Name | The name of the VCS organization as discovered from the VCS integration. The Organization Name serves as the primary identifier for the VCS organization asset |
VCS Organization Provider | The VCS platform hosting the organization (GitHub, GitLab, Bitbucket, Azure DevOps), displayed with a provider icon |
First Observed | The date and time the asset was initially detected and registered into the unified asset inventory during its first scan |
Observation Time | The date and time the asset was last updated, scanned, or seen by the platform's discovery and scanning mechanisms |
VCS Organization URL | The direct web address to the organization within the Version Control System provider's platform (for example, |
Business Application Names | The name(s) of the business application(s) to which the asset is associated. For a VCS organization, these applications are inherited from the child repositories and CI/CD instances within the organization. This helps map the asset to its business context and criticality |
The VCS Organizations page displays a table of all VCS organizations. Use the search bar to find specific organizations by name, or apply filters to narrow the inventory based on operational and security metadata.
To effectively manage the organization-level security posture, apply the following filter combinations to prioritize remediation efforts:
Scope by VCS provider: Use the Provider filter (or dashboard widget) to isolate the inventory by provider (for example, GitHub or GitLab) to evaluate provider-specific organizational risks and enforce platform-level security standards
Identify access control risks: Filter by Is MFA needed = No to quickly identify VCS organizations that do not have Multi-Factor Authentication enforced, allowing you to prioritize securing access to these foundational organization boundaries.
Right-click on a row in the inventory table to take the following actions:
Open in new tab: Opens the description tab of the asset for detailed analysis of the issue
View asset data: Opens a new pop-up window displaying the data retrieved for the asset during the most recent scan in either JSON (default) or tree view. This raw data provides a comprehensive and unformatted view of the asset's properties and attributes as they were initially ingested
Copy text to clipboard: Copies the selected text to the clipboard
Copy entire row: Copies the entire selected row data
Show/hide rows: Stand on data in a row and filter the entire inventory to show or hide assets based on the selected attribute
Open in Cortex Assistant/Open in Cortex Agentic Assistant: Opens the repository in Cortex Assistant or Cortex Agentic Assistant.
Click the download icon (showing Export to file when hovering over the icon) in the top right of any asset page to export the asset data.
VCS organization details
Select a VCS organization row in the table to open its side panel. This provides a consolidated workspace for investigating organization-level security posture and remediating associated security issues without navigating away from the asset inventory.
From the VCS Organizations table, click the Agentic Assistant icon and select Application Security from the agents menu to query organization-specific insights.
Additionally, you can click Ask AI in the side panel to access the Agentic agent.
Navigate through the following tabs in the side panel to review the organization context and security posture. This helps prioritize remediation efforts based on the aggregated risk profile, repository count, and business criticality:
Overview tab: Displays the severity breakdown of security issues associated with the VCS organization, aggregated from all child repositories and CI/CD instances. It includes the following highlights:
Repository Count: The total number of repositories within the organization, providing scale context for the governance boundary
Coverage Percentage: The ratio of scanned repositories to total repositories, indicating how much of the organization is under active security monitoring
Internet Exposed: Whether the organization contains repositories that ultimately power publicly reachable cloud endpoints, flagging organizations that should be prioritized for security review
Identity tab: Provides a view of users within the VCS Organization, outlining their access levels and the repositories they are collaborators on, along with the timestamp of the latest commit for each repository
You can investigate specific security findings directly from the asset side panel. From the Configurations tab, select specific configuration issues or cases associated with the VCS organization.
Selecting an issue opens a dedicated issue side card directly over the inventory view. The issue side card displays detailed information including the severity level and remediation guidance, enabling you to review and apply remediation guidance without losing your place in the asset inventory.
You can also access the full Issues page (Application Security → Issues) with filters pre-applied for the VCS organization. The full Issues page provides additional capabilities not available in the side panel.
After reviewing the organization's health, you can perform the following operations from the Actions menu in the side panel.
Open in Provider: Click Open in Provider to navigate directly to the VCS platform console (for example, the GitHub organization page or the GitLab group page) at the organization URL
View asset data: Click View asset data to view raw VCS organization asset data in
JSON(default) ortree viewformats to assist with custom integrations, XQL queries, or API operations