AWS CodeBuild - Administrator Guide - Cortex XSIAM - Cortex Cloud Posture Management - Cortex CLOUD - Cortex

AWS CodeBuild - Administrator Guide - Cortex XSIAM - Cortex Cloud Posture Management - Cortex CLOUD - Cortex - Security Operations

Cortex XSIAM 3.x Documentation

Product

Cortex XSIAM

Creation date

2025-07-15

Last date published

2026-06-16

Prerequisite

Before you begin:

User permissions: Ensure the user performing the integration has permissions to edit pipeline configurations (such as YAML files) and manage secrets/credentials within the CI platform to store the Cortex XSIAM API key securely

Onboarding steps

On the Cortex XSIAM console:
1. Navigate to Settings → Data Sources & Integrations → + Add New.
2. Search for and hover over AWS CodeBuild, and click Add, or Add Another Instance if an instance is already onboarded.
3. On the Add Environment Variables step of the AWS CodeBuild integration wizard.
  1. Select Generate API key.
    The API key secret and API key ID values are generated and populate their respective fields.
  2. Select the system architecture that your tool runs on.
  3. Click Next.
Store your generated Cortex XSIAM API key and API key ID in AWS Secrets Manager.
- If you have an API key.
  1. Copy the CORTEX_API_KEY and CORTEX_API_KEY_ID variable names from their respective fields in the wizard.
  2. Add the CORTEX_API_KEY and CORTEX_API_KEY_ID and their corresponding values as separate environment variables (secrets) to the AWS Secrets Manager.
- If you do not have an API key:
  1. Click Generate API key → Copy the CORTEX_API_KEY and CORTEX_API_KEY_ID and their corresponding values from their respective fields.
  2. Add the CORTEX_API_KEY and CORTEX_API_KEY_ID and their corresponding values as separate environment variables (secrets) to the AWS Secrets Manager.
Note
Do not change the names of the environment variables provided by Cortex XSIAM. They are required for proper integration and functionality.
For more information on storing secrets in AWS Secrets Manager, refer to AWS Secrets Manager Documentation.
Grant the IAM service role associated with your AWS CodeBuild project the necessary permissions to read the Cortex XSIAM API key and Cortex XSIAM API key ID from AWS Secrets Manager.
Copy and paste the pre-populated sample code from the Configure Subscription step of the integration wizard into your buildspec.yaml configuration.
Note
The code is only a reference. Replace the placeholder values with your build-specific values.
Select Done in the wizard.
Ensure that the Connector Created Successfully message is displayed in the final step of the wizard, and click Close.
Verify integration and confirm that the your integrated AWS CodeBuild instance has a status of Connected.
1. On the Data Sources & Integrations page, search for AWS CodeBuild in the search bar.
2. Hover over the resulting entry and click View Details.
3. Verify that the status of your AWS CodeBuild instance is Connected.
Next step: View scan results and mitigate issues.

AWS CodeBuild code scan workflow template

This AWS CodeBuild workflow example automates code scanning using the Cortex CLI. The workflow contains placeholder values (often in brackets) and generic terms (such as dev) that you must replace with your environment-specific information before use.

version: 0.2

env:
  variables:
    CORTEX_API_URL: "https://api-viso-hdkbzk6qphxpbehy758elo.xdr-qa2-uat.us.paloaltonetworks.com"
    CORTEX_CLI_VERSION: "0.8.11"
  secrets-manager:
    CORTEX_API_KEY: "CORTEX_API_KEY"
    CORTEX_API_KEY_ID: "CORTEX_API_KEY_ID"

phases:
  install:
    runtime-versions:
      docker: 19
    commands:
      - echo "Installing dependencies"
      - yum -y update
      - yum -y install jq curl

  pre_build:
    commands:
      - echo "Fetching temporary token"
      - |
        export TOKEN_RESPONSE=$(curl --location "${CORTEX_API_URL}/public_api/cas/v1/cortex-cli/create-token" \
                                 --header "Authorization: ${CORTEX_API_KEY}" \
                                 --header "x-xdr-auth-id: ${CORTEX_API_KEY_ID}" \
                                 --header "Content-Type: application/json" \
                                 --data "{}" -s)
      - export TEMP_TOKEN=$(echo "$TOKEN_RESPONSE" | jq -r '.token')
      - echo "Temporary token fetched"

      - echo "Pulling Docker image"
      - docker pull --platform linux/arm64 distributions-dev.traps.paloaltonetworks.com/cli-docker/${TEMP_TOKEN}/method:arm64-${CORTEX_CLI_VERSION}-dev

      - echo "Tagging Docker image"
      - docker tag distributions-dev.traps.paloaltonetworks.com/cli-docker/${TEMP_TOKEN}/method:arm64-${CORTEX_CLI_VERSION}-dev cortexcli:${CORTEX_CLI_VERSION}

      - echo "Setting Extra Environment Variables"
      - |
        export CODEBUILD_ACCOUNT_ID=$(aws sts get-caller-identity --query 'Account' --output text)
        export CODEBUILD_GIT_BRANCH="$(git symbolic-ref HEAD --short 2>/dev/null)"
        if [ "$CODEBUILD_GIT_BRANCH" = "" ] ; then
          export CODEBUILD_GIT_BRANCH="$(git rev-parse HEAD | xargs git name-rev | cut -d' ' -f2 | sed 's/remotes\/origin\///g')"
        fi
        export CODEBUILD_PROJECT=${CODEBUILD_BUILD_ID%:$CODEBUILD_LOG_PATH}

        echo "==> AWS CodeBuild Extra Environment Variables:"
        echo "==> CODEBUILD_ACCOUNT_ID = $CODEBUILD_ACCOUNT_ID"
        echo "==> CODEBUILD_GIT_BRANCH = $CODEBUILD_GIT_BRANCH"
        echo "==> CODEBUILD_PROJECT = $CODEBUILD_PROJECT"

  build:
    commands:
      - echo "Running Docker container"
      - |
        docker run --rm --platform linux/arm64 cortexcli:${CORTEX_CLI_VERSION} \
                   --api-base-url ${CORTEX_API_URL} \
                   --api-key ${CORTEX_API_KEY} \
                   --api-key-id ${CORTEX_API_KEY_ID} \
                   code scan \
                   --directory . \
                   --repo-id $CODEBUILD_ACCOUNT_ID/$CODEBUILD_PROJECT \
                   --branch $CODEBUILD_GIT_BRANCH

Manage data source integrations

Manage integrations to align with evolving requirements and ensure they remain current.

Navigate to Settings → Data Sources & Integrations and use the Vendor filter to located the required integration.
Select your vendor from the list.
The integrated instances for the selected vendor are displayed.
Right-click on an instance and select an option:
- Edit instance: Redirects to the Select Repositories step of the integration wizard, where you can modify configurations for the selected instance. For more details, refer to the relevant integration guide
- Delete instance: When confirmed, deletes the instance, including data from previous scans
- Copy entire row – Copies all column values for the selected row to the clipboard.

Prerequisite

Onboarding steps

Note

Note

AWS CodeBuild code scan workflow template

Manage data source integrations