Streamline security by ingesting SARIF findings from any tool into Cortex Cloud. Achieve unified visibility and risk-based prioritization for all AppSec scans.
The 3rd Party AppSec Collector is a generic ingestion mechanism that enables Cortex Cloud Application Security to receive SAST findings from any security tool that produces SARIF (Static Analysis Results Interchange Format) output. The collector normalizes third-party findings into the unified Cortex Cloud data model, making the findings indistinguishable from native scanner findings in terms of triage, policy enforcement, and reporting.
Scope
The 3rd Party AppSec Collector provides the ingestion pipeline for third-party SAST findings. The collector does not execute scans, poll external APIs, or perform automated discovery. Scanning is performed by the third-party tool; the collector receives and normalizes the output. For vendor-specific integrations that poll external APIs automatically, configure the dedicated vendor integration (such as Snyk, Semgrep, Veracode, or SonarQube) instead.
The collector currently supports the SAST detection method and the SARIF file type only. Other detection methods and file formats are not available.
Shift-left context: The 3rd Party AppSec Collector operates at the CI stage when integrated into CI/CD pipelines. The collector can also be run manually or using a script outside of CI/CD pipelines for ad-hoc ingestion. Integrating the collector into CI/CD pipelines enables detection at the earliest automated stage; findings are ingested immediately after each scan run, enabling the organization to detect code weaknesses before deployment.
Core achievements
Enabling shift-left detection for unsupported tools: Integrating the collector into CI/CD pipelines enables automated SAST finding ingestion at the CI stage, detecting code weaknesses before deployment and reducing the blast radius of undetected findings.
Extending coverage to unsupported tools: Ingesting findings from any SARIF-compatible security tool, including internal custom scanners, niche commercial tools, and open-source analyzers, into the unified Cortex Cloud data model closes coverage gaps that vendor-specific integrations cannot address.
Reducing tool fragmentation: Consolidating SAST findings from multiple third-party tools into the single Code Weaknesses table eliminates context-switching between separate vendor consoles and enables cross-tool correlation.
Enabling automated ingestion pipelines: Providing a REST API endpoint with dedicated credentials for each collector instance enables automated SARIF upload from CI/CD pipelines (GitHub Actions, GitLab CI, Jenkins) without manual intervention.
Maintaining credential security: Generating unique API credentials (token ID and API token) per collector instance enables granular access control and independent credential rotation without affecting other collectors or integrations.
Context
Code to cloud mapping: Ingested SARIF findings are automatically mapped to the corresponding Cortex Cloud repository assets, integrating these findings into your broader code to cloud lineage.
Urgency-based prioritization: Ingested findings receive a Cortex Cloud Urgency classification during the next scan cycle. This enables you to prioritize remediation based on actual risk context rather than relying solely on the default SARIF severity.
Prerequisites
| Prerequisite | Description |
|---|---|
| Cortex Cloud license | Base license: An active Cortex Cloud license with an Application Security add-on. |
| RBAC permissions | Data Source View\Edit permission is required to access the Data Sources page and view collector instances. Standard RBAC permissions for AppSec data source creation are required. Users with the AppSec Admin role have these permissions by default. To view findings, the Application Security Issues View permission is required. |
| SBAC scope | Findings ingested into repositories outside the user's SBAC scope are not visible to the user in the Code Weaknesses table. |
| Onboarded repositories | Target repositories must be onboarded in Cortex Cloud before ingestion. Ingestion requests must include a valid |
| SARIF file format | A valid SARIF v2.1.0 file generated by the third-party SAST tool. |
Workflows
The 3rd Party AppSec Collector can be managed and consumed through two workflow channels. Each channel supports a different subset of capabilities.
Tenant (console) workflow: Full collector lifecycle management through the Cortex Cloud console, including creation, credential generation, SARIF validation, editing, and deletion. The console does not support direct finding upload. See Tenant (console) workflow for more information.
API workflow: The public API supports CRUD operations on collector instances and SARIF upload. SARIF validation is not available through the API; validate SARIF files through the tenant workflow before uploading. See API workflow for more information.
Recommended initial configuration: Set up the collector through the tenant workflow to generate credentials, then integrate the collector into a CI/CD pipeline for automated, recurring ingestion. CI/CD integration is the primary shift-left use case. Automated ingestion at the CI stage ensures findings are captured continuously without manual intervention.
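Because the API workflow does not validate SARIF, a CI job can run its own structural check against the SARIF 2.1.0 shape before uploading. The following is an added example, not part of the Cortex Cloud documentation or product: the sample document, the `internal-sast` tool name and the rule ID are constructed, and since Cortex Cloud's own validation rules are not published here, the checks are SARIF 2.1.0 structural checks plus an assumed repository-relative path convention for repository mapping.

```python
import json

# Constructed sample SARIF v2.1.0 document, as an internal custom scanner might emit it
SAMPLE_SARIF = {
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "internal-sast", "version": "1.0",
                            "rules": [{"id": "HARDCODED-SECRET",
                                       "shortDescription": {"text": "Hardcoded credential"}}]}},
        "results": [{
            "ruleId": "HARDCODED-SECRET",
            "level": "error",
            "message": {"text": "Credential literal assigned to a variable"},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "src/config.py"},
                "region": {"startLine": 12}}}],
        }],
    }],
}

VALID_LEVELS = {"none", "note", "warning", "error"}  # result.level values defined by SARIF 2.1.0

def validate_sarif(doc):
    """Return a list of problems; an empty list means the document passed the pre-upload check."""
    problems = []
    if doc.get("version") != "2.1.0":
        problems.append("version must be '2.1.0'")
    runs = doc.get("runs")
    if not isinstance(runs, list) or not runs:
        return problems + ["runs must be a non-empty array"]
    for ri, run in enumerate(runs):
        driver = run.get("tool", {}).get("driver", {})
        if not driver.get("name"):
            problems.append(f"runs[{ri}].tool.driver.name is missing")
        known_rules = {r.get("id") for r in driver.get("rules", [])}
        for i, res in enumerate(run.get("results", [])):
            where = f"runs[{ri}].results[{i}]"
            rule = res.get("ruleId")
            if not rule:
                problems.append(f"{where}.ruleId is missing")
            elif known_rules and rule not in known_rules:
                problems.append(f"{where}.ruleId '{rule}' not declared in tool.driver.rules")
            if not res.get("message", {}).get("text"):
                problems.append(f"{where}.message.text is missing")
            if res.get("level", "warning") not in VALID_LEVELS:  # SARIF default level is warning
                problems.append(f"{where}.level '{res['level']}' is not a SARIF level")
            uris = [loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri")
                    for loc in res.get("locations", [])]
            if not any(uris):
                problems.append(f"{where} has no physicalLocation.artifactLocation.uri")
            elif any(u.startswith("/") for u in uris if u):  # assumption: repo-relative paths map to the repo
                problems.append(f"{where} uses an absolute path instead of a repository-relative uri")
    return problems

def validate_file(path):
    """Load a SARIF file from disk and run the same checks; suitable as a CI gate before upload."""
    with open(path) as fh:
        return validate_sarif(json.load(fh))
```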
Technical reference
Before implementing these workflows, ensure your data meets the standards defined in Technical requirements and SARIF specifications. This includes critical details on System requirements, SARIF format and mapping, and Repository mapping.