Ingest third-party SCA data - Administrator Guide - Cortex Cloud Posture Management - Cortex CLOUD

Cortex Cloud Runtime Security Documentation

Product: Cortex Cloud Application Security > Cortex CLOUD
License: Cloud Runtime Security
Creation date: 2024-12-24
Last date published: 2026-06-10
Category: Administrator Guide

Currently, Cortex Cloud Application Security supports automated Software Composition Analysis (SCA) data ingestion from Semgrep and Snyk. The integration pulls third-party scan results into Cortex Cloud automatically, where they appear alongside findings from native Cortex scanners.

Key benefits
  • Centralizing findings: Third-party SCA findings are normalized into the same data model as native Cortex vulnerability findings, enabling unified triage, policy enforcement, and reporting

  • Risk-based prioritization: Ingested SCA findings inherit the Cortex Cloud risk prioritization framework. Each finding is enriched with CVSS scores, EPSS scores, risk factor labels, and contextual prioritization tags, enabling practitioners to focus on the most exploitable and business-critical vulnerabilities first

  • Extending Coverage visibility: The AppSec Coverage page displays dedicated columns that indicate which repositories have third-party scanning enabled (for example, identifying repositories actively scanned by Semgrep or Snyk)

  • Enabling policy enforcement: Ingested SCA findings are evaluated against Application Security policies, enabling block actions on PRs and CI pipelines based on vulnerabilities detected by your external tools

View and manage SCA issues generated from ingested findings

Issues generated from third-party findings are displayed directly within the main Vulnerabilities issues table. To view these vulnerabilities and assess their risk:

  1. Navigate to Modules > Application Security > Issues > Vulnerabilities.

  2. The table displays all vulnerability issues across all data sources, combining native and third-party results.

To identify the specific third-party origin of an issue or finding, use one of the following methods:

  • Identify origin in the issue side panel: Open any vulnerability issue by selecting the row. In the issue side panel, locate the Scanner field in the impact fields section, which identifies the originating scanner (such as Semgrep or Snyk)

  • Identify origin from the Findings tab: Switch to the Findings tab (using the control at the top of the Vulnerabilities page). Filter the Data Source column by your vendor (such as SEMGREP or SNYK) to isolate findings originating from that tool

  • Identify scanned repositories on the AppSec Coverage page: Filter the Semgrep / Snyk column (using the values is_scanned_by_semgrep or is_scanned_by_snyk) by ENABLED to list repositories with active Semgrep or Snyk scanning. Select a repository to drill down into its associated issues

SCA Ingestion FAQs

Do third-party integrations generate SBOM reports?

No. Third-party integrations (such as Snyk or Semgrep) create vulnerability findings, but they do not generate formal SBOM documents (CycloneDX/SPDX). Formal SBOM reports are only generated by the native Cortex Cloud SCA scanner during periodic repository scans