GitLab Self Managed (On-Prem) - Administrator Guide - Cortex Cloud Posture Management - Cortex CLOUD

Cortex Cloud Application Security

Product
Cortex Cloud Posture Management
Cortex Cloud Application Security > Cortex CLOUD
Creation date
2025-01-22
Last date published
2026-05-31
Category
Administrator Guide

Integrate Cortex Cloud Application Security with your GitLab Self Managed (On-Prem) version control system (VCS) to enable security scans for exposed secrets, infrastructure-as-code (IaC) misconfigurations, vulnerabilities, package operational risks, and license compliance issues in your repositories. This integration allows you to analyze, prioritize, and resolve detected issues efficiently.

Architecture and connectivity

While never strictly required, deploying a Transporter over a Broker VM is recommended for isolated environments where the Cortex Cloud platform has no direct way to reach your internal enterprise resources. In these scenarios, the Transporter solves the connectivity problem by:

  • Living inside your network as an applet on the Broker VM

  • Initiating an outbound WebSocket connection to the cloud, meaning no inbound firewall rules or direct IP access are needed

  • Proxying requests from the cloud to internal resources, allowing Cortex Cloud to perform secure code scanning without exposing your internal network to the public cloud

For more information on Transporter, refer to Transporter over Broker VM.

If your GitLab self-managed instance is already internet-accessible or managed via existing connectivity solutions (such as a VPN or network peering), the Transporter is not needed.

How to integrate GitLab Self Managed (On-Prem)

Prerequisite

  • GitLab permissions: Authorize the user integrating Cortex Cloud Application Security with your GitLab Self Managed (On-Prem) instances with the following permissions:

    • Maintainer permissions. Grants sufficient permissions to configure external integrations, manage repository access, and adjust CI/CD settings

    • api: Grants full read and write access to the API, including all groups and projects, as well as permissions to interact with the container registry, the dependency proxy, and the package registry

    • Administrator repository permissions: In order to scan pull requests (PRs), the user performing the integration must have administrative privileges for the repositories. This enables Cortex Cloud Application Security to set up subscription webhooks for the selected repositories

  • Onboarding port: Port 443 is required for all on-premises onboarding for outbound HTTPS communication to Cortex Cloud. If the Transporter is used, it specifically uses port 443 for its WSS tunnel

Onboarding steps
  1. In the Cortex Cloud tenant:

    1. Search for GitLab Self Managed (On-Prem), hover over it, and click Add or Add Another Instance if an instance has already been onboarded.

    2. Enter your domain in the Configure Domain step of the wizard and click Register.

      Note

      The domain is the hostname associated with your GitLab Self Managed (On-Prem) instance.

      You are redirected to your GitLab Self Managed (On-Prem) instance to register Cortex AppSec as an application. Additionally, the Register OAUTH App step of the integration wizard is displayed.

    3. Optional: Connect a Transporter: Select your Broker VM and associated Transporter applet from the provided menus.

      Note

      For more information about the Transporter, including setup instructions, refer to Transporter over Broker VM.

    4. Copy the Application Name, Homepage URL and Authorization Callback URL values from their respective fields.

  2. On the GitLab Self Managed (On-Prem) console:

    1. Access GitLab Self Managed (On-Prem) > User Settings > Applications.

    2. Paste the values copied in step 1d above in their respective fields.

    3. Select api as the application scope and then Save.

    4. Once created, copy and save the generated Application ID and Secret values for the new Cortex AppSec application.

  3. On the Cortex Cloud console:

    1. Select Next on the Register OAUTH App step of the wizard.

      The Set Client ID and Secret step of the wizard is displayed.

    2. Paste the GitLab Self Managed (On-Prem) Application ID and Secret values copied in step 2d above and click Next.

    3. Under Selection Options of the Select Repositories step of the wizard, choose the repositories to be connected to the instance:

      • Permit all existing repositories

      • Permit all existing and future repositories

      • Select Choose from repository list and select repositories from the list

    4. Click Save.

    5. Click Close on the final step of the wizard.

      Note

      Ensure that you receive the Instance Successfully Created message on this step, indicating successful instance creation.

  4. Verify integration:

    1. On the Data Sources & Integrations page, search for GitLab Self Managed (On-Prem).

    2. Hover over and select the resulting entry.

    3. Locate your instance and verify that the status of your GitLab Self Managed (On-Prem) instance is Connected.

  5. View repository assets and mitigate detected issues.
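The prerequisite and verification steps above can be checked programmatically. The following is an added example (not Cortex Cloud or GitLab code) that evaluates the JSON GitLab's REST API v4 returns for a project (`GET /api/v4/projects/:id`, with its `permissions` object) and for that project's webhooks (`GET /api/v4/projects/:id/hooks`), and probes outbound TCP 443. The sample API responses and the Cortex host name are constructed placeholders; treating merge-request events as the ones PR scanning depends on is an assumption.

```python
import socket
from urllib.parse import urlparse

MAINTAINER = 40  # GitLab access level constant for the Maintainer role

def check_access(project: dict) -> list[str]:
    """Return a finding if the integrating user is below Maintainer on a project.
    `project` is the JSON of GET /api/v4/projects/:id; its `permissions` object
    carries project_access / group_access entries with an access_level each."""
    perms = project.get("permissions") or {}
    levels = [(perms.get(k) or {}).get("access_level") or 0
              for k in ("project_access", "group_access")]
    if max(levels) < MAINTAINER:
        return [f"{project['path_with_namespace']}: access level {max(levels)} < Maintainer (40)"]
    return []

def check_hooks(project: dict, hooks: list[dict], expected_host: str) -> list[str]:
    """Check the subscription webhook the integration registers on a project.
    `hooks` is the JSON of GET /api/v4/projects/:id/hooks. Flags a missing hook,
    plain-HTTP delivery, disabled TLS verification, and merge request events
    switched off (assumed to be what PR scanning relies on)."""
    name = project["path_with_namespace"]
    ours = [h for h in hooks if urlparse(h.get("url", "")).hostname == expected_host]
    if not ours:
        return [f"{name}: no webhook pointing at {expected_host}"]
    out = []
    for h in ours:
        if urlparse(h["url"]).scheme != "https":
            out.append(f"{name}: hook {h['id']} does not use HTTPS")
        if not h.get("enable_ssl_verification", False):
            out.append(f"{name}: hook {h['id']} has TLS verification disabled")
        if not h.get("merge_requests_events", False):
            out.append(f"{name}: hook {h['id']} has merge request events off")
    return out

def outbound_443_open(host: str, timeout: float = 3.0) -> bool:
    """Prerequisite check: can this host open an outbound TCP connection on 443?"""
    try:
        with socket.create_connection((host, 443), timeout=timeout):
            return True
    except OSError:
        return False

# Constructed sample API responses (not data from a real instance).
SAMPLE_PROJECT = {"path_with_namespace": "platform/payments",
    "permissions": {"project_access": {"access_level": 30}, "group_access": None}}
SAMPLE_HOOKS = [{"id": 7, "url": "https://cortex.example.invalid/hooks/gitlab",
    "enable_ssl_verification": False, "merge_requests_events": True}]

if __name__ == "__main__":
    for f in check_access(SAMPLE_PROJECT) + check_hooks(SAMPLE_PROJECT, SAMPLE_HOOKS, "cortex.example.invalid"):
        print("FINDING:", f)
```

Run it against real responses by fetching the two endpoints with a token for the integrating user and passing the parsed JSON in place of the samples; an empty findings list for every selected project matches the Connected state the wizard reports.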

Manage GitLab Self Managed (On-Prem) integrations

To manage GitLab Self Managed (On-Prem) integrations, refer to Manage data source integrations.

Subscribed events

Below is a comprehensive list of events to which Cortex Cloud Application Security is subscribed. These events encompass various actions and changes occurring within your GitLab Self Managed (On-Prem) environment that trigger notifications and integrations with Cortex Cloud Application Security.

Manage data source integrations

Manage integrations to align with evolving requirements and ensure they remain current.

  1. Navigate to Settings > Data Sources & Integrations and use the Vendor filter to locate the required integration.

  2. Select your vendor from the list.

    The integrated instances for the selected vendor are displayed.

  3. Right-click on an instance and select an option:

    • Edit instance: Redirects to the Select Repositories step of the integration wizard, where you can modify configurations for the selected instance. For more details, refer to the relevant integration guide

    • Delete instance: When confirmed, deletes the instance, including data from previous scans

    • Copy entire row: Copies all column values for the selected row to the clipboard