Onboard VCS, integrate CI tools, registries and ingest third-party data for a comprehensive view of your application and supply chain security.
Cortex Cloud Application Security requires external data sources to build a complete inventory of your environment, scan your assets for security risks, and ingest findings from your existing security tools.
Onboard a source through the wizard at → or programmatically through the Cortex Cloud public API.
What you get from onboarding
Asset visibility and inventory: Cortex Cloud discovers repositories, pipelines, packages, and IaC resources from the connected source and registers them in the unified asset inventory
Scans and findings: Native scanners run against the discovered assets, and ingested third-party tools push their results into the same finding tables
Policy enforcement: Findings that match a Unified Application Security policy trigger configured actions, such as blocking builds, posting PR comments, or generating tracked issues for triage and remediation
Application-centric posture: Onboarded assets are grouped into Applications, enabling SBAC scoping, ownership assignment, and business-aligned tracking and reporting
Code to cloud traceability and Urgency: When the full source set is onboarded (VCS, CI/CD, scanners, runtime), Cortex Cloud assembles the code to cloud trace that enables Urgency prioritization
Data source categories
VCS systems: Onboard version control systems (VCS) to gain complete visibility into your repositories and pipeline assets, out-of-the-box CI/CD system capabilities, and automated native scanning for both your code and native pipeline configurations. For more information, refer to Onboard version control systems
CI/CD systems: While native pipelines are scanned automatically via your VCS integration, external platforms like CircleCI and Jenkins require explicit CI/CD onboarding. This integration detects supply chain threats, pipeline vulnerabilities, and organizational misconfigurations before they reach production. For more information, refer to Onboard CI/CD systems
Integrate CI tools to enable code scans through Cortex CLI: Integrating the Cortex CLI directly into your CI pipelines enables an automated, shift-left security workflow. This integration automatically scans for and blocks vulnerabilities, such as IaC misconfigurations, exposed secrets, and vulnerable dependencies, at the build stage before they can be deployed. Refer to CLI pipeline code snippets for more information
Integrate with JFrog Artifactory: Connect your private JFrog Artifactory registry to retrieve dependency metadata and package contents, enabling full visibility, accurate dependency trees, and reliable detection of supply-chain vulnerabilities. Refer to JFrog Artifactory for more information
Ingest third-party data: Ingest findings from third-party tools (SAST and SCA, for supported vendors) to consolidate your security posture into a single pane of glass. Cortex Cloud correlates these external findings with native scans and the code to cloud graph, allowing the Urgency engine to prioritize everything under a unified policy. Refer to Ingest third-party data sources for more information
Note
Third-party SCA ingestion (such as Snyk, Semgrep) covers CVE vulnerabilities only. License Miscompliance and Package Operational Risk findings are produced exclusively by the native Cortex Cloud SCA scanner. You must enable native SCA scanning to achieve license and operational-risk coverage
API data source workflows
The Data Source APIs enable programmatic management across the entire integration lifecycle. Use these APIs to automate the creation of new data sources, rotate credentials, modify repository scopes, and decommission retired tools. They also allow you to monitor connectivity health and audit integration coverage at scale without using the management console. Refer to Manage integrations via data source APIs for more information.
Roles and permissions
Onboarding any data source (VCS, CI/CD, third-party scanner ingestion, or private registry) requires the Data Sources (View/Edit) permission. This permission covers the full onboarding lifecycle across all categories: create, edit, delete, rotate credentials, and generate webhook secrets.
RBAC: Built-in roles that include this permission: Account Admin, Security Admin, Instance Administrator and more.
Code replication and retention policies
Cortex Cloud does not replicate or store your application code unless your organization has subscribed to the Application Security add-on license. The data collected and displayed relates only to security findings and metadata, preserving the integrity and location of your source code.
Disclaimer
While Cortex Cloud Application Security provides guidance during integration and explains the steps involved when you are redirected to third-party version control systems (such as GitHub SaaS, GitLab SaaS and so on), Cortex Cloud Application Security does not assume responsibility for changes or variations in these platform processes. Always refer to the official documentation of the third party to ensure you are following their most current and precise instructions.