Content Pack Contributions - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Cortex XSOAR
Creation date
Last date published
Administrator Guide

You can create content packs for submission to the Cortex XSOAR Marketplace.

Contributions are content packs that you create for the Cortex XSOAR marketplace, which are submitted to Cortex XSOAR for review and approval. After approval, these content packs are uploaded to Marketplace, and are shared and installed like any other content pack. When creating new content such as playbooks, scripts, incident types, and integrations, or when updating content, you can:

  • Create and submit content directly from Cortex XSOAR. For example, from a playbook, click Contribute. You then have the option to submit the contribution for review or download the contribution and upload it, for example, to GitHub.

  • Submit a content pack of one or more items through the Cortex XSOAR Marketplace UI. When you create or edit content in Cortex XSOAR, that content is added to the Add Content section in the Contributions tab in Marketplace. You can add content from this list to a content pack. From the Contributions tab in Cortex XSOAR Marketplace, you can create, edit, submit, and delete content that you have submitted through the Marketplace.

  • Create a GitHub pull request on the public XSOAR Content Repository.

Users with the Contribute to Marketplace permission can contribute content packs to the Marketplace.

When adding content to the content pack, Cortex XSOAR scans the content and automatically adds dependencies, which ensures that the content pack installs and runs correctly on all environments.

Although Cortex XSOAR scans and tests the content to ensure it works correctly, you need to review the content to ensure that all dependencies are incorporated and work as they should in the event that not all dependencies are added automatically. For example, when adding a phishing playbook, the incident type and layout should be automatically added. This enables you to add a phishing dashboard.


Content validation enables users to improve the quality of the content they develop in Cortex XSOAR by running a script to check for errors before submission.


By default, content validation passes your content item(s) as inputs to the ValidateContent script included in the Base pack. The ValidateContent script uses the demisto-sdk utility to run validate and lint on the content item(s) and returns the results.


When contributing content, either from the Contributions page, the Contribution Pack Editor page or directly from a content item's drop-down menu, the content goes through content validation before submission. After clicking Contribute, you have the option to Save and submit your contribution or Save and download your contribution. In both cases, your contribution goes through validation before you submit or download the content.


If the content pack passes validation, the process continues. If you are downloading the content, a download will start automatically. If you are submitting the content, the content will submit automatically. If the content pack does not pass validation, the validation issues are listed and you have the option to export a raw JSON file with the error details. You can then make changes to your content items and resubmit for validation.

You also have the option to skip the validation step or to contribute a content pack that does not pass validation. For example, there might be an issue you are aware of that cannot yet be resolved. For a large content pack, where you have already validated the individual content items, you might want to skip the final validation as it can be a lengthy process for a large content pack.


You can also manually trigger content validation. The Validate button appears in the Contribution page, the Contribution Pack Editor page, as well as in both the Script and Integration Editors. With manual validation, you can check your content during the development process and make changes.

Review Process

The review process consists of the Cortex XSOAR team checking that your contribution meets code, documentation, naming, and other standards. You receive a form to complete asking for more information, such as certification, contact details, etc. The Cortex XSOAR team will be in touch with you during the review process.

During the review process you may be asked to make changes in the code, or for more data, metadata, dependencies, documentation, support and certification model, etc. You can anonymize your name if required.

When your contribution is approved it is uploaded to Marketplace where other Cortex XSOAR users can view, download, and rate it. We encourage you to learn more about the contribution process.

Push Docker images to Docker hub

After the review process approves a contribution, the contribution pushes Docker files into the dockerfiles repository. Pushing into the repository will add an image to the Docker hub Demisto organization folder. For more information, see Cortex XSOAR’s Dockerfiles and Image Build Management.


When modifying an existing Docker image, ensure the change does not disrupt other integrations that may use the same package. All Docker images are created with unique version tags, for which overriding is blocked. When a new version of a Docker image is created, an integration using that image must specify the new version in the YAML file or specify that the latest version of the Docker image should be used.

Docker Image Security

The build process for Cortex XSOAR Docker images are fully open source and available for review. The project contains the source Docker files used to build the images and the accompanying files. Cortex XSOAR uses only the secure Docker hub registry for its Docker images. You can view the Docker trust information for each image at the image info branch.



  • Cortex XSOAR automatically updates open source Docker images and their accompanying dependencies (OS and Python). Examples of automatic updates can be viewed on GitHub.

  • Cortex XSOAR maintains Docker image information which includes information on Python packages, OS packages and image metadata for all our Docker images. Data image information is updated nightly.

  • All images are continuously scanned using Prisma Cloud and an additional third-party scanner. Cortex XSOAR evaluates all critical/high findings to actively prevent and mitigate security vulnerabilities.

  • Cortex XSOAR ensures container images are fully patched and do not contain unnecessary packages. Patches and dependencies are applied automatically via our open source Docker files build project.