Technical requirements and SARIF specifications

Product: Cortex Cloud Posture Management (Cortex Cloud Application Security > Cortex CLOUD)
Creation date: 2025-01-22
Last date published: 2026-05-31
Category: Administrator Guide

Abstract

Review the essential system requirements, required SARIF v2.1.0 schema fields, and repository mapping parameters to successfully ingest third-party SAST data.

System requirements

Before using a Collector, verify the following system requirements.

| Requirement | Description |
|---|---|
| Input format | Valid SARIF v2.1.0 JSON strictly adhering to the standard. The collector will not ingest files with invalid formats or schema violations. |
| File size | Maximum 10 MB per upload. Larger files must be split. |
| Network | Outbound HTTPS (port 443) access to the public API. TLS 1.2+ required. |
| File paths | SARIF artifactLocation.uri values must use paths relative to the repository root (such as src/app.py). Do not use absolute system paths, and do not start a path with a leading /. |

SARIF format and mapping

The 3rd Party AppSec Collector accepts findings in SARIF (Static Analysis Results Interchange Format) version 2.1.0, an OASIS standard for expressing the output of static analysis tools. The SARIF file must be a valid JSON document conforming to the SARIF 2.1.0 schema.

Required SARIF fields:

| Field | Path | Description |
|---|---|---|
| Tool name | runs[].tool.driver.name | The name of the security tool that produced the findings. Recommended: set the collector name to match the tool.driver.name value for consistent identification. |
| Rules | runs[].tool.driver.rules[] | The array of detection rule definitions used by the tool. Each rule must include an id field. Rules can also be defined in runs[].tool.extensions[].rules[] for tools that use extensions; the platform resolves rule metadata from both locations. |
| Results | runs[].results[] | The array of individual findings detected by the tool. Each result must include a ruleId, a message, and at least one location. |
| Rule ID | runs[].results[].ruleId | The unique identifier of the detection rule that produced the finding. Must match an id in the tool.driver.rules[] or tool.extensions[].rules[] array. |
| Message | runs[].results[].message.text | A human-readable description of the finding. |
| File URI | runs[].results[].locations[].physicalLocation.artifactLocation.uri | The relative file path URI where the finding was detected (such as src/main/java/App.java). The platform uses the file URI to map findings to specific files within the repository. |
| Region | runs[].results[].locations[].physicalLocation.region | The line and column information within the file. Must include at least startLine. |

Optional SARIF fields that improve finding quality:

| Field | Path | Description |
|---|---|---|
| Severity level | runs[].results[].level | The severity of the finding (error, warning, note, none). |
| Rule description | runs[].tool.driver.rules[].shortDescription.text | A short description of the detection rule. Also supported at runs[].tool.extensions[].rules[].shortDescription.text. |
| Rule help | runs[].tool.driver.rules[].help.text | Remediation guidance for the detection rule. Also supported at runs[].tool.extensions[].rules[].help.text. |
| Code snippet | runs[].results[].locations[].physicalLocation.region.snippet.text | The source code snippet where the finding was detected. |
| End line | runs[].results[].locations[].physicalLocation.region.endLine | The ending line number of the finding region. Enables precise multi-line highlighting. |
| CWE | runs[].tool.driver.rules[].properties.tags[] | CWE identifiers (such as CWE-79) associated with the rule, enabling OWASP and CWE Top 25 classification. |
| Rule properties | runs[].tool.driver.rules[].properties | Additional metadata for the rule, including tags, severity, and custom properties. |

Severity mapping

The platform normalizes SARIF severity levels to Cortex Cloud severity values using the following resolution order:

  1. The platform checks the runs[].results[].level field on the individual finding result.

  2. If the result-level field is absent, the platform falls back to the runs[].tool.driver.rules[].defaultConfiguration.level field on the matching rule definition.

  3. If neither field is present, the platform assigns a default severity of High.

| SARIF level | Cortex Cloud severity |
|---|---|
| error | HIGH |
| warning | MEDIUM |
| note | LOW |
| none (or absent) | HIGH (default) |

Repository mapping

Unlike vendor integrations that map vendor projects to Cortex Cloud repositories during setup, the 3rd Party AppSec Collector maps findings to repositories at upload time. Each upload request must include at least one repository identifier, either repository_id or repository_url, as a query parameter; this associates the uploaded findings with a specific Cortex Cloud repository asset.

| Parameter | Required | Use when | Description |
|---|---|---|---|
| repository_id | One of repository_id or repository_url is required | The Cortex Cloud repository asset ID is known. Preferred for CI/CD automation because the ID is stable and unambiguous. | The Cortex Cloud repository asset ID to associate the findings with. Obtain the repository asset ID from the Application Security > Assets > Repositories table or from the Cortex Cloud API. |
| repository_url | One of repository_id or repository_url is required | The Cortex Cloud repository asset ID is not readily available. Suitable for initial setup or when integrating tools that only expose the repository URL. | The full URL of the repository (such as https://github.com/org/repo). The platform resolves the repository URL to the corresponding Cortex Cloud repository asset. |
| branch | Optional | The findings are branch-specific and the branch name is available in the CI/CD environment. | The branch name where the findings were detected (such as main, develop, feature/auth). |

Validation statuses

The SARIF file validation endpoint returns one of three statuses:

| Status | Description |
|---|---|
| VALID | The SARIF file conforms to the expected schema and all required fields are present. The file is ready for production upload. |
| PARTIALLY_VALID | The SARIF file is structurally valid but contains warnings (such as missing optional fields that improve finding quality). The file can be uploaded, but findings may have reduced detail. |
| INVALID | The SARIF file does not conform to the expected schema. The file cannot be uploaded until the validation errors are resolved. |
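The following added example (not the collector's own validator, and not Palo Alto Networks code) runs the required-field checks, the file-path rule, and the three-step severity resolution described above against an in-memory SARIF document, and reports a status in the same VALID / PARTIALLY_VALID / INVALID shape as the validation endpoint. The SAMPLE document and the "demo-sast" tool name are constructed for illustration; a CI job can call check_sarif() before spending an upload on a file that would be rejected.

```python
# Added example (not the collector's own validator): pre-upload checks for the
# field requirements, severity resolution order and validation statuses above.
SEVERITY = {"error": "HIGH", "warning": "MEDIUM", "note": "LOW"}

def resolve_severity(result, rules_by_id):
    """Result level first, then the rule's defaultConfiguration.level, else HIGH."""
    level = result.get("level")
    if level is None:
        rule = rules_by_id.get(result.get("ruleId"), {})
        level = rule.get("defaultConfiguration", {}).get("level")
    return SEVERITY.get(level, "HIGH")  # "none" or absent -> HIGH (default)

def check_sarif(doc):
    """Return (status, errors, warnings); status mirrors VALID/PARTIALLY_VALID/INVALID."""
    errors, warnings = [], []
    if doc.get("version") != "2.1.0":
        errors.append("version must be 2.1.0")
    for run in doc.get("runs", []):
        tool = run.get("tool", {})
        if not tool.get("driver", {}).get("name"):
            errors.append("tool.driver.name missing")
        rules = list(tool.get("driver", {}).get("rules", []))  # plus extensions[].rules[]
        for ext in tool.get("extensions", []):
            rules += ext.get("rules", [])
        rules_by_id = {r["id"]: r for r in rules if "id" in r}
        for i, res in enumerate(run.get("results", [])):
            if res.get("ruleId") not in rules_by_id:
                errors.append(f"results[{i}].ruleId has no matching rule id")
            if not res.get("message", {}).get("text"):
                errors.append(f"results[{i}].message.text missing")
            if "level" not in res:
                warnings.append(f"results[{i}].level absent; rule default or HIGH is used")
            locs = res.get("locations") or []
            if not locs:
                errors.append(f"results[{i}] needs at least one location")
            for loc in locs:
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "")
                if not uri or uri.startswith("/") or "://" in uri:  # relative to repo root only
                    errors.append(f"results[{i}]: bad artifactLocation.uri {uri!r}")
                if "startLine" not in phys.get("region", {}):
                    errors.append(f"results[{i}]: region.startLine missing")
    status = "INVALID" if errors else "PARTIALLY_VALID" if warnings else "VALID"
    return status, errors, warnings

# Constructed sample: the result has no level, so the rule default decides severity
SAMPLE = {"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "demo-sast",
    "rules": [{"id": "R1", "defaultConfiguration": {"level": "warning"}}]}},
    "results": [{"ruleId": "R1", "message": {"text": "Hardcoded secret"},
        "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app.py"},
                                            "region": {"startLine": 12}}}]}]}]}
```

For SAMPLE the status is PARTIALLY_VALID (one warning for the missing level) and the finding resolves to MEDIUM via the rule default; an absolute uri or a result whose ruleId matches no rule makes the status INVALID.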