Cortex Cloud Application Security discovers and inventories every CI/CD platform instance connected through active CI/CD integrations. Each CI/CD instance, whether a Jenkins server, GitHub Actions organization, GitLab CI group, Azure DevOps organization, or CircleCI organization, appears in the unified asset inventory as the platform-level entity that hosts and executes CI/CD pipelines, carrying its identity metadata, CI/CD provider, platform version, instance URL, associated pipelines, and aggregated security health.
The CI/CD instance asset enables security teams to answer three questions about every CI/CD platform: what CI/CD platforms exist in the organization, what is the security posture of each platform, and which pipelines does each platform host.
Scope: The CI/CD instance asset represents a CI/CD platform instance discovered through an active CI/CD integration. The CI/CD instance asset captures the platform identity, version, and aggregated security posture across all pipelines hosted on the instance. The CI/CD instance asset does not represent individual CI/CD pipelines, pipeline runs, or build logs; individual pipelines are managed as a separate asset category (CI/CD Pipeline), and pipeline runs are tracked as scan events. The CI/CD instance asset does not represent VCS organizations; VCS organizations are managed under the VCS Organization asset category.
What CI/CD instance assets deliver
The CI/CD instance asset is the foundational unit of platform-level CI/CD governance in the Cortex Cloud Application Security posture. The CI/CD instance inventory provides the identity, provider context, platform version, aggregated security health, and pipeline visibility needed to manage every CI/CD platform as a governed asset, from discovery through remediation.
Core achievements
Instance discovery and identity: Every CI/CD platform instance connected through a CI/CD integration is automatically discovered and registered in the unified asset inventory with a unique asset identifier, instance name, CI/CD provider, and instance URL. The CI/CD instance asset serves as the persistent identity record for the CI/CD platform.
Instance-level security posture aggregation: The CI/CD instance asset carries a security health profile that aggregates CI/CD configuration risk findings from the CI/CD Risks scanner into a severity breakdown: the count of Critical, High, Medium, and Low issues. Instance-level aggregation provides a platform-wide security view that surfaces systemic configuration risks affecting all pipelines hosted on the instance.
Pipeline aggregation and visibility: The CI/CD instance asset provides direct visibility into all CI/CD pipelines hosted on the instance through the Pipelines tab, enabling platform-level pipeline management and cross-pipeline risk assessment.
Coverage measurement: The Coverage page tracks the scanning coverage status of CI/CD instances, enabling AppSec Managers to identify CI/CD platforms that are not actively monitored for configuration risks.
Functional responsibilities
The CI/CD instance asset model facilitates a structured delegation between governance and operations:
AppSec managers (Governance): Review the CI/CD instance inventory to identify platform-level configuration risks mapped to the OWASP CI/CD Top 10, assess provider-level coverage gaps, and evaluate the security posture of each CI/CD platform across the organization. Define unified policies using the CI/CD Configuration Scan policy type to enforce platform security standards across all onboarded CI/CD integrations. Prioritize remediation based on the concentration of Critical and High severity CI/CD risk findings per instance.
AppSec practitioners (Operations): Investigate CI/CD instance configuration risks and apply remediation guidance at the platform level. Navigate from the CI/CD instance to individual pipelines hosted on the instance to assess pipeline-level risks. Track remediation progress through resolution statuses and SLA compliance.
Relationship model
The Cortex Cloud platform models the following relationships between the CI/CD instance asset and other asset categories to provide organizational context and aggregate security posture.
| Related asset category | Inherited metadata and description |
|---|---|
| VCS organization (Parent) | The VCS organization that the CI/CD instance is associated with (for example, the GitHub organization that hosts GitHub Actions workflows). The CI/CD instance is attached to the VCS organization for organizational context. The CI/CD instance inherits the VCS organization provider type and organizational context. |
| CI/CD pipeline (Child) | CI/CD pipelines hosted and executed by the CI/CD instance. The instance aggregates security posture across all child pipelines. Child pipelines inherit the CI/CD instance provider type. The CI/CD instance aggregates pipeline-level CI/CD risk findings into the instance-level security health profile. |
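The parent/child model above (VCS organization, CI/CD instance, CI/CD pipeline) is what makes the instance-level severity breakdown, the per-instance remediation priority, and the coverage gaps described earlier computable. The following is an added example, not Cortex Cloud code, that models that hierarchy in plain Python: provider type is inherited downward from the organization, risk findings are rolled up from child pipelines into the instance health profile, instances are ranked by their concentration of Critical and High findings, and instances with no active scan coverage are listed as gaps. All class names, the `scanned` flag and the sample organization are assumptions constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Severity levels as used in the instance health profile; order is the ranking order.
SEVERITIES = ("Critical", "High", "Medium", "Low")


@dataclass
class Finding:
    """One CI/CD configuration risk finding raised on a pipeline (hypothetical model)."""
    severity: str
    title: str


@dataclass
class Pipeline:
    """Child asset: a CI/CD pipeline hosted by an instance."""
    name: str
    findings: list = field(default_factory=list)
    provider: Optional[str] = None  # normally None: inherited from the instance


@dataclass
class CicdInstance:
    """The CI/CD platform instance asset (Jenkins server, GitHub Actions org, ...)."""
    name: str
    url: str
    version: str
    pipelines: list = field(default_factory=list)
    provider: Optional[str] = None  # normally None: inherited from the VCS organization
    scanned: bool = False           # assumed flag: covered by the CI/CD Risks scanner


@dataclass
class VcsOrganization:
    """Parent asset: the VCS organization the instance is attached to."""
    name: str
    provider: str
    instances: list = field(default_factory=list)


def effective_provider(org: VcsOrganization, inst: CicdInstance,
                       pipe: Optional[Pipeline] = None) -> str:
    """Resolve provider type down the hierarchy: pipeline -> instance -> organization."""
    if pipe is not None and pipe.provider:
        return pipe.provider
    return inst.provider or org.provider


def severity_breakdown(inst: CicdInstance) -> dict:
    """Aggregate child pipeline findings into the instance-level severity counts.
    Every severity is always present (zero if unused); unknown severities are rejected
    so a malformed finding cannot silently disappear from the rollup."""
    counts = {s: 0 for s in SEVERITIES}
    for pipe in inst.pipelines:
        for f in pipe.findings:
            if f.severity not in counts:
                raise ValueError(f"unknown severity {f.severity!r} on pipeline {pipe.name}")
            counts[f.severity] += 1
    return counts


def rank_instances(org: VcsOrganization) -> list:
    """Order instances for remediation by Critical count, then High, then the rest."""
    def key(inst):
        b = severity_breakdown(inst)
        return tuple(-b[s] for s in SEVERITIES)
    return [inst.name for inst in sorted(org.instances, key=key)]


def coverage_gaps(org: VcsOrganization) -> list:
    """Instances that are inventoried but not actively scanned for configuration risks."""
    return [inst.name for inst in org.instances if not inst.scanned]


# Constructed sample data (not real assets): one GitHub organization with two instances.
SAMPLE_ORG = VcsOrganization(
    name="example-org", provider="github",
    instances=[
        CicdInstance(
            name="gha-example", url="https://github.com/example-org", version="n/a",
            scanned=True,
            pipelines=[
                Pipeline("build", [Finding("Critical", "Unpinned third-party action"),
                                   Finding("High", "Secrets exposed to forks"),
                                   Finding("Low", "Missing timeout")]),
                Pipeline("deploy", [Finding("High", "Overly permissive GITHUB_TOKEN")]),
            ]),
        CicdInstance(
            name="jenkins-legacy", url="https://jenkins.example.invalid", version="2.x",
            provider="jenkins", scanned=False),
    ])

if __name__ == "__main__":
    for inst in SAMPLE_ORG.instances:
        print(inst.name, effective_provider(SAMPLE_ORG, inst), severity_breakdown(inst))
    print("priority:", rank_instances(SAMPLE_ORG))
    print("coverage gaps:", coverage_gaps(SAMPLE_ORG))
```

The rollup deliberately keeps all four severity keys in every profile so downstream dashboards and policies can rely on a fixed shape, and it fails loudly on an unrecognised severity rather than dropping the finding, which is the failure mode that would make an instance look healthier than it is.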