The Criteria process uses tag-based criteria as the single source of truth to automatically define application assets and enable Code-to-Cloud risk correlation in real-time.
Define business applications using rules based on Version Control System (VCS) hierarchies and cloud resource tags to automatically create, structure, and maintain your asset inventory. Instead of manually assembling applications one asset at a time, criteria enable a dynamic model where applications are continuously generated and updated as the environment evolves.
By using organizational metadata from integrated sources (such as repositories, projects and cloud tagging conventions), criteria define application boundaries and enrich them with business context, including ownership, criticality, and compliance requirements. This provides consistent, up-to-date visibility across the code to cloud lifecycle, from source code and CI/CD pipelines to deployed and runtime environments.
Criteria serve as the authoritative logic for application grouping, automatically associating assets with the correct application as they are created, updated, or removed. This shifts application management from a manual task to a continuous, policy-driven process.
Scope: Criteria define how assets are grouped into applications and provide the business context for application lifecycle management. They do not perform scanning, enforce policies, or create issues; these actions are handled by separate subsystems (scanner orchestration and Unified Application Security Policies).
Core achievements
Automated application provisioning: Creating a single criteria definition generates multiple applications automatically, eliminating the need to create each application individually through the console
Dynamic asset grouping: Criteria continuously evaluate the asset inventory. As new repositories are onboarded or cloud resources are provisioned, matching assets are automatically added to the appropriate applications. Assets that no longer match are automatically removed
Consistent business context: Criteria enforce uniform business metadata (ownership, criticality) across all generated applications, preventing inconsistent manual configurations
Scalable application management: Organizations with hundreds of repositories or cloud accounts can manage application definitions through a small number of criteria rules rather than maintaining individual application configurations
Core concepts
Criteria types
Cortex Cloud supports two Criteria types, targeting different asset domains. Select the type that matches the source of organizational truth for your applications.
Type
Asset domain
Grouping mechanism
Use when
Code
VCS repositories
Groups assets by VCS hierarchy (organization, project, or repository). A single code Criteria can target multiple VCS provider types in the same rule (for example, GitHub, GitLab, and Bitbucket)
Grouping code repositories and their connected runtime/deployment assets into applications based on VCS structure. This is the most common Criteria type for organizations with code-centric ownership models
Cloud
Cloud resources
Groups assets by shared cloud resource tag key-value combinations within a single cloud account
Grouping cloud resources (compute instances, serverless functions, storage) into applications based on existing tagging conventions. Use this when the cloud tag model is the source of truth for application ownership
Code to cloud unification
You do not have to choose between code and cloud Criteria; both operate concurrently. When a Code rule groups a source repository and a Cloud rule groups the live infrastructure running that code, the platform automatically merges them into a single application boundary to provide true end-to-end risk correlation.
Continuous evaluation logic
The Criteria engine operates on a continuous evaluation model. It evaluates rules immediately upon saving and re-evaluates them on a periodic background cadence. As repositories are added, renamed, or removed, and as cloud resources gain or lose tags, the engine automatically updates application membership without manual intervention.
How business context prioritizes risk
When you define a Criteria rule, you assign business tags that every generated application automatically inherits. The platform uses these tags to prioritize issues:
Business criticality directly influences Urgency calculations. High business criticality elevates the Urgency tier of every issue associated with the application
Business owner determines who gets notified and who is responsible for fixing the issues found in that application
Application access and policy scope
Criteria-generated applications define the scope for your security controls. The platform uses these application boundaries to enforce Unified Application Security Policies and to limit user permissions through Scope-Based Access Control (SBAC).
SBAC scopes user access to specific application boundaries
Policies scope security enforcement to application boundaries
Workflow management
You can manage application criteria through two distinct workflows; the Cortex Cloud Application Security for visual configuration and inventory management, and the Cortex Cloud Public API for programmatic provisioning and infrastructure-as-code integration.
Capability | Tenant (UI) | API |
|---|---|---|
Create Criteria | ✓ | ✓ |
Edit Criteria | ✗ | ✗ |
Delete Criteria | ✓ | ✓ |
Manual Refresh | ✗ | ✗ |
List Criteria | ✓ | ✓ |
View Criteria details | ✓ | ✓ |
View generated applications | ✓ | ✓ |
Prerequisites
Before creating criteria in Cortex Cloud Application Security, verify the following requirements.
Requirement | Description |
|---|---|
License | An active base Cortex Cloud license (Posture or Runtime) with the Application Security module add-on enabled |
RBAC role | The AppSec Admin role or a custom role with |
VCS integration (Code criteria) | At least one Version Control System (GitHub, GitLab, Bitbucket, Azure DevOps) integrated and active with onboarded repositories |
Cloud integration (Cloud criteria) | At least one cloud account (AWS, GCP, Azure) integrated and active with discovered cloud resources |
Criteria limit | A maximum of 30 Criteria can exist per tenant |
API key (optional) | A valid Cortex Cloud API key with ASPM read/write permissions. Required only for programmatic Criteria management |