Manage repositories via API - Administrator Guide - Cortex Cloud Posture Management - Cortex CLOUD

Cortex Cloud Runtime Security Documentation
Product
Cortex Cloud Application Security > Cortex CLOUD
License
Cloud Runtime Security
Creation date
2024-12-24
Last date published
2026-06-10
Category
Administrator Guide

The Cortex Cloud public API for repositories enables programmatic management of the repository asset inventory. It automates workflows that would otherwise require manual interaction with the console, enabling security teams to integrate repository governance into CI/CD pipelines, infrastructure-as-code provisioning, and scanner configuration automation.

Note

The public API base path is /public_api/appsec/v1/repositories.

API prerequisites

  • API Key: A valid Cortex Cloud API key with sufficient permissions (AppSec Admin or custom repository management roles)

  • Authentication: All requests require the x-redlock-auth header with a valid JWT token or the Authorization header containing the API key. Refer to the Cortex Cloud APIs authentication documentation for token generation

  • Base URL: Use the base URL corresponding to your Cortex Cloud tenant region

  • Content-type: All payload-bearing requests (PUT and POST) in the Cortex AppSec API require application/json

  • VCS integration: VCS integration (GitHub, GitLab, and so on) must already be active to populate the assetId values required by the endpoints

Retrieve the repository inventory

Retrieve the repository inventory programmatically to identify coverage gaps and synchronize with external systems.

  • List repositories: Use the GET /public_api/appsec/v1/repositories endpoint to retrieve all repository assets with optional filtering by source, search term, URL, and pagination

  • Get repository by ID: Use the GET /public_api/appsec/v1/repositories/{assetId} endpoint to retrieve a specific repository asset by the unique asset identifier

Manage scan configuration

Automate scanner enablement and configure exclusion rules.

  • Retrieve configuration: Use GET /public_api/appsec/v1/repositories/{assetId}/scan-configuration to retrieve the current scan configuration for a specific repository

  • Update configuration: Use PUT /public_api/appsec/v1/repositories/{assetId}/scan-configuration to update scanners, excluded file paths, PR scanning, and tagging bot activity programmatically

Note

  • The excludedPaths field replaces the entire excluded paths list; to add a new path, retrieve the current configuration first, append the new path, and send the complete array

  • SAST: SAST scanner configuration is not available through the public API and must be managed through the console UI

Manage scanned branches

Automate branch governance to ensure release and feature branches are scanned.

  • Retrieve branches: Use GET /public_api/appsec/v1/repositories/{assetId}/branches to retrieve all branches currently configured for scanning

  • Update branches: Use PUT /public_api/appsec/v1/repositories/{assetId}/branches to update the primary branch and selected branches for scanning.

    Warning

    Always retrieve the current branch list before updating. The PUT operation replaces the entire branch selection, meaning any omitted branches will be unintentionally removed from scanning.

Export compliance evidence (SBOM)

To automate the compliance generation process within CI/CD pipelines, you can export Software Bill of Materials programmatically using the dedicated SBOM API.

API reference

For repository payload examples, schemas, and status code, refer to the Repositories API documentation.