The CI/CD pipeline inventory provides multiple ways to investigate a pipeline asset, from quick agentic queries in the main table to deep-dive configuration analysis in the side panel.
Select a CI/CD pipeline row in the table to open its side panel. This provides a consolidated workspace for investigating pipeline definitions and security posture without navigating away from the asset inventory. The health profile represents the current security state of the pipeline configuration.
Ask the AppSec agentic assistant
From the CI/CD Pipelines table, → → from the agents menu. You can then query pipeline-specific insights.
You can also access the agent in the side panel by clicking the Ask AI icon.
Explore the pipeline context and lineage
Navigate through the following tabs in the side panel to review the pipeline context and lineage. This helps prioritize remediation efforts based on application criticality and assess the potential production impact of misconfigurations:
Overview tab: Displays key pipeline properties, including highlights that help you prioritize pipelines, and the severity breakdown of CI/CD configuration risk issues associated with the pipeline:
Deployed to runtime: the pipeline actively deploys workloads to production
Internet Exposed: the deployed workloads produced by the pipeline are publicly reachable from the internet
Public: the pipeline or its parent repository has public visibility
Deprecated: the pipeline or associated components are deprecated
Issue severity: the severity breakdown of CI/CD configuration risk issues associated with the pipeline
Applications tab: Lists the business applications associated with the CI/CD pipeline (inherited from the parent repository), including business criticality ratings and risk scores
Instances tab: Displays the CI/CD instances associated with the pipeline. Select an instance to view its details without navigating away
Code to Cloud tab: Displays the Code to cloud relationship graph, visualizing the lineage from the CI/CD pipeline through the parent repository to deployed container images, VM images, and cloud resources
Note
This requires active CI/CD integrations and successful build log analysis. Pipelines without successful build log analysis display only the repository and pipeline nodes
Investigate and remediate issues
You can investigate specific security findings directly from the asset side panel. From the Overview tab, you can select specific issues or cases associated with the pipeline.
Selecting an issue opens a dedicated issue side card directly over the inventory view. This allows you to review detailed information, including the detection rule, severity level, OWASP CI/CD Top 10 category mapping, and evidence, and apply remediation guidance without losing your place in the asset inventory.
Note
Navigate to the dedicated → → page to manage the remediation lifecycle at scale through bulk status updates, team assignments, and SLA tracking for compliance monitoring.
Execute asset actions
After reviewing the pipeline health, you can perform the following operations:
View asset data: Available from either the side panel Actions menu or by right-clicking the resource in the main table. Click View asset data to view raw pipeline data in JSON (default) or tree view formats to assist with custom integrations, XQL queries, or API operations
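The raw asset JSON can feed a custom triage script. The following added example (not part of this documentation or the product) ranks exported pipeline assets for remediation using the Overview highlights, the issue severity breakdown, and the business criticality of linked applications; the field names and sample records are assumptions constructed for illustration, not the product's actual export schema.

```python
import json

# Constructed sample export; field names are assumptions, not the product's schema.
SAMPLE_EXPORT = json.dumps([
    {"name": "payments-deploy",
     "highlights": {"deployed_to_runtime": True, "internet_exposed": True, "public": False, "deprecated": False},
     "issue_severity": {"critical": 1, "high": 2, "medium": 0, "low": 3},
     "applications": [{"name": "payments", "business_criticality": "high"}]},
    {"name": "docs-site",
     "highlights": {"deployed_to_runtime": True, "internet_exposed": True, "public": True, "deprecated": False},
     "issue_severity": {"critical": 0, "high": 1, "medium": 2, "low": 0},
     "applications": [{"name": "docs", "business_criticality": "low"}]},
    {"name": "legacy-build",
     "highlights": {"deployed_to_runtime": False, "internet_exposed": False, "public": False, "deprecated": True},
     "issue_severity": {"critical": 2, "high": 0, "medium": 0, "low": 0},
     "applications": []},
])

SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}
CRITICALITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}


def score_pipeline(asset):
    """Return a numeric remediation priority for one pipeline asset."""
    sev = asset.get("issue_severity", {})
    base = sum(SEVERITY_WEIGHT[k] * sev.get(k, 0) for k in SEVERITY_WEIGHT)
    h = asset.get("highlights", {})
    # Production impact: a misconfiguration matters most where the pipeline
    # actually deploys workloads and those workloads are internet-reachable.
    multiplier = 1.0
    if h.get("deployed_to_runtime"):
        multiplier += 1.0
    if h.get("internet_exposed"):
        multiplier += 1.0
    if h.get("public"):
        multiplier += 0.5   # configuration and logs are visible outside the org
    if h.get("deprecated"):
        multiplier += 0.25  # deprecated components are unlikely to receive fixes
    # Application criticality is inherited from the parent repository; default to low.
    crit = max((CRITICALITY_WEIGHT.get(a.get("business_criticality"), 1)
                for a in asset.get("applications", [])), default=1)
    return base * multiplier * crit


def rank_pipelines(export_json):
    """Parse a JSON export and return (name, score) pairs, highest priority first."""
    assets = json.loads(export_json)
    return sorted(((a["name"], score_pipeline(a)) for a in assets),
                  key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for name, score in rank_pipelines(SAMPLE_EXPORT):
        print(f"{score:7.2f}  {name}")
```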
Limitations
| Limitation | Description |
|---|---|
| CI/CD integration required | CI/CD pipeline assets are only created through active CI/CD integrations. Repositories without connected CI/CD integrations do not generate CI/CD pipeline assets |
| Provider support scope | CI/CD pipeline discovery is limited to supported providers: GitHub Actions, GitLab CI, Jenkins, Azure Pipelines, Bitbucket Pipelines, CircleCI, Argo CD, AWS CodeBuild, TeamCity, and Travis CI |
| Code to cloud mapping dependency | The code to cloud graph requires successful build log analysis to trace the full lineage from the pipeline to deployed runtime assets |
| Build activity data freshness | Build activity metadata (Last job execution, Job Activity) is updated during periodic scans and CI/CD integration synchronization |
| Build log secret scanning scope | Build log scanning detects secrets printed during pipeline execution. Not all CI/CD providers support build log ingestion |
| CI/CD configuration scan policy restrictions | The CI/CD configuration scan policy type supports only the periodic scan trigger |