The Cortex CLI operates at the CI enforcement point, the second shift-left stage after IDE scanning. Blocking a finding at CI scan prevents the vulnerable artifact from being deployed to production, reducing blast radius and remediation cost compared to detection at periodic scan or runtime.
The Cortex CLI evaluates findings against Unified Application Security Policies during CI code scans. The CLI is a scan-time policy consumer only: it does not support creating, editing, viewing, or deleting policies. All policy management operations (create, edit, delete, enable, disable) are performed exclusively through the tenant workflow or the API workflow.
How the CLI evaluates policies
During a scan, the CLI checks your findings against the active Unified Application Security Policies in your environment. Based on this evaluation, the CLI determines:
- Which findings violate your policies
- Whether the scan should fail the pipeline (Block CI)
- Whether an active grace period applies to any of the findings
The CLI uses the policy correlation results to determine the scan exit code and generate the CLI report.
CLI policy output
The Cortex CLI scan output includes the following policy-related information:
| Output element | Description |
|---|---|
| Policy-reported count | The total number of findings that matched at least one active policy. Displayed in the scan summary |
| Blocking policy details | The names and IDs of all policies that triggered a Block CI action. Displayed in the scan summary |
| Per-finding policy matches | Each finding in the CLI report includes a policies array listing the matched policy IDs and whether each policy blocks the CI pipeline |
| Grace period indicator | When a finding matches a blocking policy but the grace period is active, the CLI logs the remaining days and does not block the pipeline |
| Platform upload link | A link to the Cortex Cloud platform where the full scan results and policy details are available |
CLI flags that affect policy behavior
| Flag | Description |
|---|---|
| | Run scans and evaluate policies but always return exit code 0, regardless of blocking policy matches. Use |
| | Filter the CLI report output to display only findings that matched a blocking policy |
| | Filter findings by severity level before policy evaluation. Findings below the specified severity threshold are excluded from the CLI report |
| | Control whether scan results are uploaded to the platform. When set to no-upload, the CLI evaluates policies locally without uploading results |
CLI exit codes
| Exit code | Condition |
|---|---|
| | No blocking policy matches found, or |
| | At least one finding matched a blocking policy and |
| | An internal error occurred during the scan and |
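The evaluation described above (severity filter before policy correlation, policy-reported count, blocking policy details, grace-period deferral, the no-fail and blocking-only flags) as an added, runnable model; this is example code written for this page, not the Cortex CLI's own implementation, and the report field names, the severity ranking and the sample findings are assumptions constructed here rather than the CLI's actual report schema.

```python
from dataclasses import dataclass

# Assumed severity ordering for the severity-threshold flag (constructed for this example).
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass
class PolicyMatch:           # one entry of a finding's policies array (assumed shape)
    policy_id: str
    name: str
    blocks_ci: bool
    grace_days_left: int = 0  # > 0 means an active grace period still applies

@dataclass
class Finding:
    finding_id: str
    severity: str
    policies: list            # PolicyMatch entries; empty when no active policy matched

def evaluate(findings, min_severity="low", no_fail=False, blocking_only=False):
    # Severity filtering happens before policy evaluation, so excluded findings
    # never contribute to the policy-reported count or to the blocking decision.
    threshold = SEVERITY_RANK[min_severity]
    in_scope = [f for f in findings if SEVERITY_RANK[f.severity] >= threshold]
    reported = [f for f in in_scope if f.policies]
    blocking = {}   # policy_id -> name, the scan summary's "blocking policy details"
    deferred = []   # (finding_id, policy_id, days left): logged, not blocking
    for f in reported:
        for p in f.policies:
            if not p.blocks_ci:
                continue
            if p.grace_days_left > 0:
                deferred.append((f.finding_id, p.policy_id, p.grace_days_left))
            else:
                blocking[p.policy_id] = p.name
    # The blocking-only filter narrows the report output, not the summary count.
    shown = [f for f in reported if any(p.blocks_ci for p in f.policies)] if blocking_only else reported
    return {
        "policy_reported_count": len(reported),
        "blocking_policies": blocking,
        "grace_deferred": deferred,
        "report_findings": [f.finding_id for f in shown],
        # The no-fail flag keeps the evaluation and report but never fails the pipeline.
        "block_ci": bool(blocking) and not no_fail,
    }

# Constructed sample findings, not output from a real scan.
SAMPLE = [
    Finding("F1", "high", [PolicyMatch("P1", "Block critical CVEs", True)]),
    Finding("F2", "medium", [PolicyMatch("P2", "Block secrets", True, grace_days_left=5)]),
    Finding("F3", "low", [PolicyMatch("P3", "Report license issues", False)]),
    Finding("F4", "critical", []),
]
```

Running `evaluate(SAMPLE)` reports three findings, lists P1 as blocking, logs F2 as deferred for five days, and blocks CI; the same call with `no_fail=True` keeps that output but does not block.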
Reference
For more information about the Cortex CLI, refer to Cortex CLI.