Upload findings from CI/CD pipelines ↗
Upload findings via the API from CI/CD pipelines to automate ingestion at the CI stage.
Upload findings via the API from CI/CD pipelines to automate ingestion at the CI stage.
Note
Store all collector credentials (Token ID, API Token, API URL) as encrypted secrets or credentials in the CI/CD platform. Do not hardcode credentials in pipeline configuration files.
The following examples demonstrate common integration patterns.
Important
Verify that the upload request returns a 2xx HTTP status code. A non-2xx response indicates that the upload failed and findings were not ingested. Configure the CI/CD pipeline step to fail on non-2xx responses to prevent silent ingestion failures. In the cURL examples, add the --fail flag or check the exit code to detect upload failures.
GitHub Actions
name: Upload SAST Findings to Cortex Cloud
on:
push:
branches: [main, develop]
pull_request:
branches: [main]
jobs:
scan-and-upload:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run SAST scanner
run: |
# Replace with your SAST tool command
bandit -r src/ -f sarif -o sarif-results.json
- name: Upload findings to Cortex Cloud
env:
CORTEX_TOKEN_ID: ${{ secrets.CORTEX_COLLECTOR_TOKEN_ID }}
CORTEX_API_TOKEN: ${{ secrets.CORTEX_COLLECTOR_API_TOKEN }}
CORTEX_API_URL: ${{ secrets.CORTEX_COLLECTOR_API_URL }}
CORTEX_REPO_ID: ${{ secrets.CORTEX_REPOSITORY_ID }}
run: |
curl -X POST "${CORTEX_API_URL}?repository_id=${CORTEX_REPO_ID}&branch=${GITHUB_REF_NAME}" \
-H "x-crtx-auth-id: ${CORTEX_TOKEN_ID}" \
-H "Authorization: ${CORTEX_API_TOKEN}" \
-H "Content-Type: application/json" \
-d @sarif-results.jsonGitLab CI
upload-sast-findings: stage: test script: # Replace with your SAST tool command - bandit -r src/ -f sarif -o sarif-results.json - | curl -X POST "${CORTEX_API_URL}?repository_id=${CORTEX_REPO_ID}&branch=${CI_COMMIT_REF_NAME}" \ -H "x-crtx-auth-id: ${CORTEX_TOKEN_ID}" \ -H "Authorization: ${CORTEX_API_TOKEN}" \ -H "Content-Type: application/json" \ -d @sarif-results.json variables: CORTEX_TOKEN_ID: ${CORTEX_COLLECTOR_TOKEN_ID} CORTEX_API_TOKEN: ${CORTEX_COLLECTOR_API_TOKEN} CORTEX_API_URL: ${CORTEX_COLLECTOR_API_URL} CORTEX_REPO_ID: ${CORTEX_REPOSITORY_ID}
Jenkins (Declarative Pipeline)
pipeline { agent any environment { CORTEX_TOKEN_ID = credentials('cortex-collector-token-id') CORTEX_API_TOKEN = credentials('cortex-collector-api-token') CORTEX_API_URL = credentials('cortex-collector-api-url') CORTEX_REPO_ID = credentials('cortex-repository-id') } stages { stage('SAST Scan') { steps { // Replace with your SAST tool command sh 'bandit -r src/ -f sarif -o sarif-results.json' } } stage('Upload to Cortex Cloud') { steps { sh """ curl -X POST "${CORTEX_API_URL}?repository_id=${CORTEX_REPO_ID}&branch=${env.BRANCH_NAME}" \ -H "x-crtx-auth-id: ${CORTEX_TOKEN_ID}" \ -H "Authorization: ${CORTEX_API_TOKEN}" \ -H "Content-Type: application/json" \ -d @sarif-results.json """ } } } }