Create CI/CD configuration policies - Administrator Guide - Cortex Cloud Posture Management - Cortex CLOUD

Cortex Cloud Application Security

Product
Cortex Cloud Posture Management
Creation date
2025-01-22
Last date published
2026-05-31
Category
Administrator Guide

CI/CD configuration policies scan your CI/CD and Version Control System (VCS) environments to detect and enforce standards against misconfigurations and risky settings in pipelines, workflows and VCS systems (such as GitHub).

Prioritize risk with application context: By leveraging application context, you can create Scope-Based Access Control (SBAC) policies that align security enforcement with each application's purpose, business sensitivity, and lifecycle. This keeps enforcement targeted, lets you focus on high-impact issues, and reduces noise. For more information about creating application-scoped policies, refer to Scope user access to applications (Application SBAC).

  1. Under Modules, select Application Security > AppSec Policies > + Add Policy.

  2. On the General step of the policy creation wizard:

    1. Select CI/CD Configuration Scanners as the policy type.

    2. Provide a policy name (required) and description.

    3. Click Next.

  3. On the Conditions step of the wizard, define the conditions that apply to the policy.

    By default, CI/CD Risk is selected as the Finding Type.

    1. Click + to define CI/CD condition attributes.

      Adding attributes allows you to narrow and refine findings, creating a tailored policy that targets the specific risk patterns you want to address.

      You can also use the AND/OR options to build more precise logic: each AND bracket defines a set of conditions that must all be met, and multiple brackets can be combined with OR to evaluate different sets of conditions independently.

      Refer to Cortex Cloud Application Security CI/CD policy Condition attributes for more information about condition attributes.

    2. Select Next.

  4. On the Scope step of the wizard:

    1. Limit policy evaluation to relevant assets by selecting Asset Types or Asset Groups:

      • For Asset Types: Select Add Filters > select an asset type > select a value from the Value field.

        The following asset types and values are supported:

        • Category. Values: Application, CI/CD Instance, CI/CD Pipeline, VCS Collaborator, VCS Organization

          Note

          When you select a category (such as Application), a list of available asset values for that type is displayed. The policy will automatically apply to all assets in the displayed list unless you apply additional filters using specific asset attributes (such as the Business Application Names filter).

        • Business Application Names. Enter names in the text field.

        • Application Business Criticality. Values: Critical, High, Medium, Low

        • Application Business Owner. Enter names in the text field.

        • CI/CD Instance Name. Enter instance names in the text field.

        • CI/CD Instance ID. Enter instance IDs in the text field.

        • CI/CD Pipeline Name. Enter pipeline names in the text field.

        • CI/CD Pipeline ID. Enter pipeline IDs in the text field.

        • VCS Collaborator Name. Enter user names in the text field.

        • VCS Collaborator Email. Enter user emails in the text field.

        • VCS Collaborator MFA Enabled. Values: Select All, Yes, No

        • VCS Collaborator Last Observed

        • VCS Organization Name. Enter VCS organization names in the text field.

        • Repository Name. Enter repository names in the text field.

        • Is Public Repository. Values: Select All, Yes, No

        • Provider. Values: AWS Code Build, AWS Code Commit, Azure Repos, Bitbucket, Bitbucket Data Center, Circle CI, Cortex CLI, GitHub, GitHub Actions, GitLab, GitLab Self-Managed, HCP Terraform Tasks, HCP Terraform Enterprise Run Tasks, Jenkins

        Note

        SBAC scope-based limitations do not apply to Asset Types.

      • For Asset Groups:

        • Select the asset groups on which this policy and its chosen detection rules will be evaluated. You can only select asset groups that are assigned to you as part of your scope.

        • The policy is evaluated only on the relevant assets within the selected group, based on the asset types defined in the Category filter.

        For more information about Cortex Cloud Application Security Asset Groups, refer to SBAC Scope-based access control for Cortex Cloud Application Security.

    2. Click Next.

  5. On the Triggers & Action step of the wizard:

    1. Verify that Periodic Scan (required) is selected by default.

      Note

      Periodic scan is the only trigger that is supported for CI/CD policies.

    2. Verify that Create an Issue (required) is selected by default.

    3. (Optional) Select Override Severity to apply a severity level other than the default.

    4. Click Next.

  6. On the Summary step of the wizard: Review the policy settings and click Done.

    This step provides an overview of the configured policy, including its name and description, the configured scope, and a table of conditions, triggers, and actions. It also displays the user who created the policy and the creation date.

    You can view the custom policy that you created in the general policies table on the AppSec Policies page.
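To make the wizard's semantics concrete, the following added example (not Cortex's own code) models a CI/CD configuration policy as this page describes it: the Scope step as a set of asset filters that must all match, the Conditions step as AND brackets combined with OR, the default CI/CD Risk Finding Type, and Override Severity. Asset attribute names follow the Scope step above; the condition attributes "risk_name" and "severity", the sample findings and the policy itself are constructed placeholders.

```python
# Added example, not Cortex's own code: models the wizard's Scope filter (all
# selected filters must match), its OR'ed AND brackets and Override Severity.
# Asset attribute names follow this page's Scope step; "risk_name"/"severity"
# are placeholder condition attributes, not names from the product.
# Constructed sample findings: each pairs a finding with the asset it was found on.
FINDINGS = [
    {"Finding Type": "CI/CD Risk", "risk_name": "MFA not enforced", "severity": "High",
     "asset": {"Category": "VCS Collaborator", "Provider": "GitHub",
               "VCS Collaborator MFA Enabled": "No"}},
    {"Finding Type": "CI/CD Risk", "risk_name": "Unpinned action version", "severity": "Medium",
     "asset": {"Category": "CI/CD Pipeline", "Provider": "GitHub Actions",
               "Is Public Repository": "Yes"}},
    {"Finding Type": "CI/CD Risk", "risk_name": "Unpinned action version", "severity": "Medium",
     "asset": {"Category": "CI/CD Pipeline", "Provider": "Jenkins",
               "Is Public Repository": "No"}},
    {"Finding Type": "Secret", "risk_name": "Hardcoded token", "severity": "High",
     "asset": {"Category": "CI/CD Pipeline", "Provider": "GitHub Actions"}},
]

def in_scope(asset, scope):
    """Scope step: every filter must match; each filter lists its accepted values."""
    return all(asset.get(attr) in values for attr, values in scope.items())

def bracket_matches(finding, bracket):
    """One AND bracket: every condition in it must hold for the finding."""
    return all(finding.get(attr) in values for attr, values in bracket.items())

def evaluate(policy, findings):
    """Return the issues the Create an Issue action would raise for this policy."""
    issues = []
    for f in findings:
        if f["Finding Type"] != policy["finding_type"]:
            continue                     # only the selected Finding Type is evaluated
        if not in_scope(f["asset"], policy["scope"]):
            continue                     # asset lies outside the policy's scope
        if any(bracket_matches(f, b) for b in policy["brackets"]):  # brackets are OR'ed
            issues.append({"policy": policy["name"], "risk": f["risk_name"],
                           "severity": policy.get("override_severity") or f["severity"]})
    return issues

# A constructed policy as the wizard would build it: CI/CD Risk findings, scoped
# to GitHub providers, two OR'ed brackets, and severity overridden to Critical.
GITHUB_HARDENING = {
    "name": "GitHub hardening", "finding_type": "CI/CD Risk",
    "scope": {"Provider": {"GitHub", "GitHub Actions"}},
    "brackets": [{"risk_name": {"MFA not enforced"}},
                 {"risk_name": {"Unpinned action version"}, "severity": {"Medium", "High"}}],
    "override_severity": "Critical",
}
```

Running evaluate(GITHUB_HARDENING, FINDINGS) yields two Critical issues: the Jenkins pipeline is dropped by the Provider scope filter, and the Secret finding by the Finding Type, even though both would satisfy a bracket.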

Next step: Investigate and remediate repository and pipeline issues

Investigate and remediate issues detected in your VCS configurations and CI/CD infrastructure to mitigate risks across your development lifecycle and delivery process. For more information, refer to CI/CD Risks.