The AppSec Coverage page provides centralized visibility into security scanner deployment across the SDLC. Monitor asset health, identify gaps, and orchestrate onboarding.
The AppSec Coverage page is the centralized interface for understanding and managing security scanner coverage across the application development ecosystem. The Coverage page visualizes which assets (VCS repositories, CI/CD pipelines, and container image repositories) are scanned by which security scanners, identifies coverage gaps, and enables direct action to close those gaps.
Pillar Alignment: ASPM (Posture and Orchestration); Coverage visibility, scanner gap analysis, and onboarding orchestration across the SDLC.
Functional responsibilities
AppSec Managers (Governance): Review overall coverage metrics to identify business units or asset groups with significant scanner gaps. Define scanner relevancy requirements per asset type. Delegate onboarding and scanner activation tasks to practitioners.
AppSec Practitioners (Operations): Onboard unmonitored assets, activate scanners on partially covered assets, configure scanner relevancy, and monitor scan health to ensure continuous protection.
DevSecOps Engineers: View coverage data to understand the security posture of assigned assets. DevSecOps engineers have view-only access to the Coverage page.
Core benefits and use cases
Close coverage gaps and improve visibility: Eliminate blind spots by reconciling discovered assets with the scanners that are actually active on them.
Identify onboarded vs. partially onboarded VCS and third-party integrations
Monitor SAST, SCA, Secrets, IaC, and Malware scanner active status across the codebase
Onboarding and maturity acceleration: Direct scanner activation and asset onboarding to improve security posture.
Evaluate stage-specific maturity to enable targeted improvements at each phase of the SDLC
Understand global and application-specific security scores to prioritize onboarding efforts
Compliance, guardrails, and health: Ensure scanners are functional and policies are enforced for audit readiness.
Verify which security policies and guardrails are applied and assess their effectiveness
Surface scan failures to prevent false confidence in compliance metrics
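The gap analysis described in the use cases above, written out as an added example (this is illustrative code, not Cortex Cloud's implementation or API). It assumes a simplified inventory model in which each asset has a type (VCS repository, CI/CD pipeline, or container image repository) and a list of scanner results, and it assumes hypothetical scanner relevancy requirements per asset type. The point it makes that the prose does not spell out: a scanner whose last run failed or that is disabled must not count toward coverage, otherwise the coverage score overstates protection.

```python
"""Scanner coverage gap analysis (added example, not product code).

Asset types, scanner names and the relevancy requirements below are
assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Hypothetical scanner relevancy requirements per asset type (assumption):
# which scanners must be healthy for an asset of that type to be fully covered.
RELEVANCY: Dict[str, Set[str]] = {
    "vcs_repo": {"SAST", "SCA", "Secrets", "IaC"},
    "ci_pipeline": {"Secrets", "Malware"},
    "image_repo": {"SCA", "Malware"},
}


@dataclass
class ScanResult:
    scanner: str
    status: str  # "success", "failed" or "disabled" (assumed vocabulary)


@dataclass
class Asset:
    name: str
    asset_type: str
    scans: List[ScanResult] = field(default_factory=list)


def healthy_scanners(asset: Asset) -> Set[str]:
    """Scanners that actually protect the asset: only successful runs count.

    A failed or disabled scanner is deliberately excluded so that a broken
    integration cannot masquerade as coverage (the 'false confidence' case).
    """
    return {s.scanner for s in asset.scans if s.status == "success"}


def coverage(asset: Asset) -> dict:
    """Classify one asset as unmonitored, partially covered or fully covered."""
    required = RELEVANCY.get(asset.asset_type)
    if required is None:
        raise ValueError(f"no relevancy requirements for type {asset.asset_type!r}")
    active = healthy_scanners(asset) & required
    missing = required - active
    if not active:
        state = "unmonitored"
    elif missing:
        state = "partially_covered"
    else:
        state = "fully_covered"
    return {"asset": asset.name, "state": state, "missing": sorted(missing)}


def coverage_report(assets: List[Asset]) -> Tuple[List[dict], Dict[str, int]]:
    """Per-asset rows plus a count of assets in each coverage state."""
    rows = [coverage(a) for a in assets]
    summary = {"fully_covered": 0, "partially_covered": 0, "unmonitored": 0}
    for row in rows:
        summary[row["state"]] += 1
    return rows, summary


def coverage_score(assets: List[Asset]) -> float:
    """Fraction of required (asset, scanner) pairs that are healthy."""
    required_total = 0
    healthy_total = 0
    for a in assets:
        required = RELEVANCY[a.asset_type]
        required_total += len(required)
        healthy_total += len(healthy_scanners(a) & required)
    return healthy_total / required_total if required_total else 0.0


# Constructed sample inventory (not real data).
SAMPLE_ASSETS = [
    Asset("payments-api", "vcs_repo", [
        ScanResult("SAST", "success"), ScanResult("SCA", "success"),
        ScanResult("Secrets", "success"), ScanResult("IaC", "success"),
    ]),
    Asset("infra-modules", "vcs_repo", [
        ScanResult("SAST", "success"), ScanResult("Secrets", "failed"),
    ]),
    Asset("build-images", "ci_pipeline", []),
    Asset("registry/web", "image_repo", [
        ScanResult("SCA", "success"), ScanResult("Malware", "disabled"),
    ]),
]

if __name__ == "__main__":
    rows, summary = coverage_report(SAMPLE_ASSETS)
    for row in rows:
        print(f"{row['asset']:<16} {row['state']:<18} missing={row['missing']}")
    print("summary:", summary, "score:", coverage_score(SAMPLE_ASSETS))
```

Note that "infra-modules" has a Secrets scanner configured but its last run failed, so it is reported as partially covered with Secrets still missing; treating a configured-but-failing scanner as coverage is exactly the false confidence the page warns about.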
Prerequisites
Before using the AppSec Coverage page, verify the following:
Cortex Cloud license: An active Cortex Cloud license with Application Security entitlement
RBAC role: AppSec Manager or AppSec Practitioner role for full access (view and edit). The DevSecOps Engineer role has view-only access; the Developer role cannot access the Coverage page
Data Sources Configured: At least one VCS, CI/CD, or container registry data source onboarded to Cortex Cloud
Scanners enabled: At least one security scanner (integral or third-party) activated on an onboarded asset
RBAC permissions for the Coverage page
| Role | Access coverage page | View coverage data | Configure scanner relevancy | Onboard assets | Activate scanners |
|---|---|---|---|---|---|
| AppSec Manager | Full access | Yes | Yes (define requirements) | Yes (delegate) | Yes (delegate) |
| AppSec Practitioner | Full access | Yes | Yes | Yes | Yes |
| DevSecOps Engineer | View only | Yes | No | No | No |
Important: Scanner relevancy changes, asset onboarding, and scanner activation are performed from the Coverage page by AppSec Practitioners; AppSec Managers define the relevancy requirements and delegate these tasks. DevSecOps engineers see the action buttons grayed out with a no-permission indicator. Developers cannot access the Coverage page.