VCS organization assets - Administrator Guide - Cortex Cloud Posture Management - Cortex CLOUD

Cortex Cloud Application Security

Product: Cortex Cloud Posture Management
Creation date: 2025-01-22
Last date published: 2026-05-31
Category: Administrator Guide

Cortex Cloud Application Security discovers and inventories every Version Control System (VCS) organization connected through active VCS integrations. Each VCS organization appears in the unified asset inventory as the top-level governance boundary for the software supply chain, carrying its identity metadata, VCS provider, repository count, CI/CD instance associations, aggregated security health, and organizational context.

The VCS organization asset enables security teams to answer three questions about every development organization: which VCS organizations exist across the enterprise, what the aggregated security posture of each organization is, and which repositories and CI/CD instances each organization contains.

Scope: The VCS organization asset represents a VCS organization discovered through an active VCS integration. It captures the organizational identity, provider type, and aggregated security posture across all child entities. It does not represent individual repositories, CI/CD pipelines, or CI/CD instances, nor does it represent business applications.

What VCS organization assets deliver: The VCS organization asset is the foundational unit of organization-level governance in Cortex Cloud Application Security. The VCS organization inventory provides the identity, provider context, aggregated security health, and repository visibility needed to manage every VCS organization as a governed asset, from discovery through remediation.

Core achievements
  • Organization discovery and identity: Every VCS organization connected through a VCS integration is automatically discovered and registered with a unique identifier, name, provider, and URL

  • Code-to-Cloud lineage root: All downstream assets inherit their governance scope (policies, compliance frameworks, business criticality context) from the VCS organization through the parent-child relationship chain. The Code-to-Cloud graph in the side panel visualizes this lineage starting from the VCS organization node

  • Policy propagation and compliance scoping: Organization-level policies propagate to all repositories within the VCS organization, ensuring consistent security standards

Functional responsibilities

The VCS organization asset facilitates a structured delegation between governance and operations:

  • AppSec managers (Governance): Review the VCS organization inventory to assess the security posture at the organizational level, identify organizations with the highest concentration of Critical and High severity findings, evaluate coverage gaps, and define organization-scoped policies that propagate to all child repositories.

  • AppSec practitioners (Operations): Navigate from the VCS organization to individual repositories and CI/CD instances to investigate and remediate security findings. Onboard new repositories, configure scanner enablement, and track remediation progress at the organization level.

Relationship model

The VCS organization asset is the root node of the Code-to-Cloud asset hierarchy. The platform models the following relationships between the VCS organization asset and other asset categories:

Each relationship is listed as relationship direction, related asset category, relationship description, and inherited metadata:

  • Child, Repository: Repositories contained within the VCS organization; the organization aggregates security posture across all child repositories. Inherited metadata: child repositories inherit organization-level policies and compliance scope, and their findings aggregate up to the organization health profile.

  • Child, CI/CD Instance: CI/CD platform instances associated with the VCS organization (such as a GitHub Actions instance for a GitHub organization). Inherited metadata: child CI/CD instances inherit the VCS organization's provider type and organizational context.

  • Sibling, VCS Organization: Other VCS organizations within the same Cortex Cloud tenant, each operating as an independent governance boundary. Inherited metadata: sibling organizations share the tenant but maintain independent policy scopes and health profiles.
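The following is an added illustrative model of the relationship model above, written for this page; it is not Cortex Cloud code and calls no Cortex API. It shows the three behaviours the model describes working together on one constructed sample tenant: policies propagating down from the VCS organization to repositories and CI/CD instances, findings rolling up into the organization health profile, CI/CD instances inheriting the provider type, and sibling organizations staying isolated from each other's policy scope. The class and field names (`Asset`, `kind`, `policies`, `findings`, `provider`), the policy names, and the sample inventory are all assumptions constructed for the example.

```python
"""Illustrative model of a VCS organization asset hierarchy.

Added example; not Cortex Cloud code and not a Cortex API. Class names,
field names, policy names and the sample inventory are assumptions made
up for the demonstration.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Asset:
    """Generic node in the Code-to-Cloud hierarchy (hypothetical model)."""
    asset_id: str
    name: str
    kind: str                       # "vcs_org", "repository" or "cicd_instance"
    parent: Optional["Asset"] = None
    children: list["Asset"] = field(default_factory=list)
    policies: set[str] = field(default_factory=set)      # attached directly to this node
    findings: Counter = field(default_factory=Counter)   # direct findings, keyed by severity
    provider: Optional[str] = None                       # set on the org, inherited below it

    def add_child(self, child: "Asset") -> "Asset":
        child.parent = self
        self.children.append(child)
        return child


def root_org(asset: Asset) -> Asset:
    """Walk the parent chain to the VCS organization that roots the lineage."""
    node = asset
    while node.parent is not None:
        node = node.parent
    return node


def effective_policies(asset: Asset) -> set[str]:
    """Policies propagate downward: a node's effective set is its own policies
    plus everything defined on its ancestors, up to the VCS organization."""
    result: set[str] = set()
    node: Optional[Asset] = asset
    while node is not None:
        result |= node.policies
        node = node.parent
    return result


def effective_provider(asset: Asset) -> Optional[str]:
    """Children (for example a CI/CD instance) inherit the organization's provider type."""
    return root_org(asset).provider


def aggregate_findings(asset: Asset) -> Counter:
    """Findings roll upward: the health profile of a node is the sum of its own
    findings and every descendant's findings."""
    total = Counter(asset.findings)
    for child in asset.children:
        total.update(aggregate_findings(child))
    return total


def rank_orgs_by_critical_high(orgs: list[Asset]) -> list[tuple[str, int]]:
    """Governance view: organizations ordered by Critical + High concentration."""
    scored = []
    for org in orgs:
        agg = aggregate_findings(org)
        scored.append((org.name, agg["Critical"] + agg["High"]))
    return sorted(scored, key=lambda pair: (-pair[1], pair[0]))


def build_sample_tenant() -> list[Asset]:
    """Constructed sample inventory: two sibling organizations in one tenant."""
    acme = Asset("org-1", "acme-payments", "vcs_org", provider="GitHub",
                 policies={"require-branch-protection", "block-secrets"})
    ledger = acme.add_child(Asset("repo-1", "ledger-api", "repository",
                                  policies={"pci-scope"}))
    ledger.findings.update({"Critical": 2, "High": 3, "Low": 5})
    frontend = acme.add_child(Asset("repo-2", "web-frontend", "repository"))
    frontend.findings.update({"High": 1, "Medium": 4})
    actions = acme.add_child(Asset("ci-1", "github-actions", "cicd_instance"))
    actions.findings.update({"High": 1})

    globex = Asset("org-2", "globex-tools", "vcs_org", provider="GitLab",
                   policies={"require-mr-approval"})
    tools = globex.add_child(Asset("repo-3", "build-tools", "repository"))
    tools.findings.update({"Medium": 2})
    return [acme, globex]


if __name__ == "__main__":
    for org in build_sample_tenant():
        print(org.name, dict(aggregate_findings(org)))
```

The two traversals run in opposite directions on purpose: `effective_policies` walks up the parent chain, so a repository-scoped policy such as `pci-scope` never leaks to a sibling repository or to the organization, while `aggregate_findings` walks down the children, so the organization total includes findings on CI/CD instances as well as repositories. Because the two organizations have no shared ancestor, nothing defined on one is visible from the other.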