GitHub is a Git-based source code repository. You can use GitHub to share code with team members, track and manage changes to code over time, and collaborate on projects across your organization. Integrate GitHub with Cortex to streamline operations and improve code quality.
There are three options for connecting Cortex to your GitHub instance:
Through Cortex's official GitHub app
Through a custom GitHub app
By using Cortex's official GitHub app or a custom GitHub app, users can tag entities with Git details and enable GitOps-style configuration of data in Cortex.
Using a personal access token
If your GitHub setup involves multiple organizations, you can add multiple GitHub apps, use a personal access token that has access to all orgs, or create multiple configurations with corresponding aliases.
How to configure GitHub with Cortex
See the tabs below for instructions on each of the GitHub integration options.
Configure GitHub with the Cortex GitHub app
Cortex's official GitHub app is the easiest way to connect your GitHub instance. It is preconfigured with the permissions needed to use this integration. Note that it is not available for Cortex Server.
Support for using GitHub teams as an ownership provider.
The app comes with a built-in linter, which validates a given cortex.yaml file and checks Cortex-specific items. However, the linter DOES NOT validate data correctness. For example, the linter will confirm that the format of a group block is correct, but will not check that the group exists.
Note: The linter in Cortex's official GitHub app only validates the format of data, not content.
Configure GitHub with a custom app
If you're using Cortex Server, or if you don't want to use the official Cortex app, you can connect a custom GitHub app.
Prerequisites
If you connect Cortex via a custom GitHub app, it must be configured with the following minimum permissions:
Permission
Requirement
Purpose(s) in Cortex
Actions
Read-only
Read workflow run information for Git-based CQL rulesArtifact information for actions
Administration
Read & write
Create repositories
Checks
Read & write
Used by Cortex's GitHub app linter on pull requests
Code scanning alerts
Read-only
Get vulnerability information for Git-based CQL rules
Commit statuses
Read & write
Read commits for an entity's Git metadataRead commits for Git-based CQL rulesShow pending status messages on the OpenAPI incompatibility check
Contents
Read & write
Read cortex.yaml, cortex-properties.yaml, and package/OpenAPI filesRead Git rulesCreate file contents
Dependabot alerts
Read-only
Read vulnerability information for Git CQL rules (only relevant if using Dependabot)
Issues
Read & write
Read associated issues with repositories for populating entity Git integration and for Git CQL rulesCreate new issues based on Initiatives
Metadata
Read-only
Read associated data with repositories for populating entity Git integration and for Git CQL rules
Pull requests
Read & write
Read pull request data for Git CQL rules and developer homepage My PRs tabComment if there are breaking OpenAPI changes on a PR
Secrets
Read & write
Optionally write repo secrets after creating new repo
Single file
Read & write (Path tocortex.yaml)
Read cortex.yaml filesCreate cortex.yaml files
Workflows
Read & write
Write in GitHub actions files
Members (org-level permission)
Read-only
Read membership information for ownership and team composition
Step 1: Register the custom app
Register the app. When you're creating the app, make sure to follow these steps:
Disable "Expire user authorization tokens." (Cortex does not support this OAuth workflow yet.)
Select "Request user authorization (OAuth) during installation."
In Cortex, click your avatar in the lower left corner, then click Settings.
Under "Integrations," click GitHub.
Click Add configuration, then for the type, select GitHub app.
Fill in the form:
Alias: Enter the name Cortex will associate with a given configuration.
Application ID: Enter the ID for your custom GitHub ap.
Client ID: Enter the unique client ID assigned to your app during registration.
Client secret: Enter the unique client secret assigned to your app during registration.
Private key: Enter the private key to authenticate with your GitHub app.
Public link: Enter the public URL of your GitHub app.
API endpoint (for GitHub enterprise): Enter the endpoint root URL for self-managed GitHub setups.
Click Save.
On the GitHub Settings page in Cortex, next to your custom app configuration's name, click Install.
Configure GitHub with a personal access token
Prerequisites
Before getting started, make sure your personal access token has, at minimum, the repo and read:org permissions.
Note: Beyond the minimum permissions indicated above, many scenarios will require that the user who generated the personal access token have organization ownership permissions within GitHub.
In Cortex, click your avatar in the lower left corner, then click Settings.
Under "Integrations," click GitHub.
Click Add configuration.
In the upper right corner of the modal, click the dropdown and select Personal access token.
Fill in the form:
Alias: Enter a name that Cortex will associate with a given configuration.
Token: Enter the Personal access token generated in GitHub.
API endpoint (for GitHub enterprise): Enter the endpoint root URL for self-managed GitHub setups.
Click Save.
Configure the integration for multiple GitHub accounts
The GitHub integration has multi-account support. You can add a configuration for each additional organization, instance, or account by repeating the process above.
Each configuration requires an alias, which Cortex uses to correlate the designated organization, instance, or account with registrations for various entities. Registrations can also use a default configuration without a listed alias. You can edit aliases and default configurations from the GitHub page in your Cortex settings. Select the edit icon next to a given configuration and toggle Set as default on. If you only have one configuration, it will automatically be set as the default.
Cortex supports mapping multiple identities for a single user if you have multiple configurations of GitHub. See the Identity mapping documentation for more information.
To write rules related to Dependabot alerts, you must verify the necessary permissions are set for repositories you'd like to see vulnerabilities reported on.
To verify, navigate to a repository on GitHub and click "Settings" → "Code security and analysis". Make sure you are a member of a team under "Access to alerts.
You can define a GitHub repository for a given entity by adding the x-cortex-git block to the entity's descriptor. When you define a repository, Cortex checks for Security Advisory vulnerabilities from the GraphQL API and Advanced Security vulnerabilities from the Rest API.
Subdirectory for the entity if it is in a monorepo. Note that setting a basepath filters the vulnerabilities that appear in Cortex; Advanced Security vulnerabilities will not appear.
alias
Alias for the configuration in Cortex (only needed if you have opted into multi-account support)
Only one repository can be defined for in a given entity's YAML in the x-cortex-git block. Users looking to list additional repositories without the full functionality of GitOps can define the repos as custom data.
You can define the following block in your Cortex entity descriptor to add your GitHub teams.
x-cortex-owners:
- type: group
name: cortex/engineering
provider: GITHUB
description: This is a description for this GitHub team that owns this entity.
Field
Description
Required
type
Ownership type; must be defined as group for GitHub teams
✓
name
GitHub team name in the form /Team names are generally converted to lowercase with - separators (Team Name would be cortex/team-name), but you can verify your exact name from the GitHub permalink
✓
provider
Name of integration (in this case, GITHUB)
✓
description
Description for the GitHub team
Multiple GitHub organizations are not supported for ownership, and Cortex will use the default configuration when fetching teams.
Identity mappings
Cortex maps users' email addresses to discovered GitHub accounts, so you never need to define email ownership in an entity descriptor.
Cortex uses the Github integration for a significant amount of data that appears on entities' detail pages.
The GitHub integration will populate the Repo and Language detail blocks on an entity's details page. If a GitHub team has been defined as the owner for an entity, it will also appear in the Owners block.
Vulnerabilities pulled from the GitHub Dependabot will also be tracked in the Code and Security block in the Overview tab and in the Issues and Vulnerabilities block in the Code and Security tab. Cortex checks for Security Advisory vulnerabilities from the GraphQL API and Advanced Security vulnerabilities from the Rest API. This feature does not support secret scanning.
In the Recent activity preview, you'll find the recent commits and releases. These will also appear in the event timeline.
These data will appear for entities imported from a Git source or those that have a Git repo defined in their YAMLs.
Events
On an entity's Events page, you can find all of the commits and releases associated with that entity. Each is hyperlinked to the commit or release page in GitHub and includes a timestamp.
Repository
You can access more detailed information pulled from GitHub in the Repository page in the sidebar. At the top of the page, you'll find the repo(s) associated with that entity and the most-used language in files for that entity. In the Top contributors block, you'll find the three users who have contributed the most code and the number of their contributions.
In the Commits section, you'll find the 10 most recent commits and metadata about each. Below Commits is the Recent releases section, which includes the 5 most recent releases.
Issue tracking
From the Issue tracking page in the entity's sidebar, you can find a list of open GitHub issues. Each issue will show the number, title, assignees, and date created.
CI/CD - GitHub workflows
From the CI/CD > GitHub workflows page in the entity's sidebar, you can find a history of GitHub workflow runs for the past week. Each run is tagged with its status: IN_PROGRESS, COMPLETED, SUCCESS, CANCELLED, FAILURE, PAUSED.
The GitHub workflows page displays data about workflows in GitHub, not Workflows initiated via Cortex's Workflows tool.
Team pages
When a GitHub team is registered with a team entity, Cortex will pull GitHub users in to the Members tab. When available, Cortex will pull in the profile picture and email address for each user.
Dev homepage
The GitHub integration enables Cortex to pull information about pull requests and issues into the Dev homepage. You can find your open pull requests under the My open PRs tab, any pull requests assigned to you for review under the Assigned reviews tab, and any issues assigned to you under the Issues tab.
Pull requests and issues from GitHub are refreshed every 2 minutes.
Eng Intelligence
The Eng Intelligence tool also uses pull request data from GitHub to generate metrics:
Average PR open to close time
Avg time to first review
Avg time to approval
PRs opened
Weekly PRs merged
Avg PRs reviewed/week
Avg commits per PR
Ave lines of code changed per PR
You can read more about how Eng Intelligence tracks metrics for teams and users in the Eng Intelligence walkthrough.
To add deployments for your Github related entity, you can send a deployment event to the Cortex API.
Scorecards and CQL
With the GitHub integration, you can create Scorecard rules and write CQL queries based on GitHub data.
Number of approvals required to merge a pull/merge request into a repository. Defaults to 0 if no approvals are defined.
Definition: git.numOfRequiredApprovals()
Examples
For a security or development maturity Scorecard, you can write a rule to make sure at least one approval is required to merge a pull/merge request:
git.numOfRequiredApprovals() > 0
By having a rigorous PR process in place for a repo, you can make sure changes aren't made that create vulnerabilities. This kind of rule could also be used in a best practices or project standards Scorecard.
You can also use a similar expression in the Query Builder to find entities lacking approval:
git.numOfRequiredApprovals() < 1
Git repository set
Check if an entity has a registered Git repository.
Definition:git (==/!=) null: Boolean
Example
In a Scorecard, you can write a rule that detects whether an entity has a Git repository set:
git != null
Pipeline build success rate
The percentage of build pipelines that complete successfully. This is calculated against builds on the default branch, for commits in the last 30 days. The calculation is # successful builds / (# successful + # failed).
Definition:git.percentBuildSuccess(): Number
Example
In a Scorecard, you can write a rule that requires at least 90% of build runs to be successful:
git.percentBuildSuccess() > 0.9
Branches
List all live branches with some basic metadata.
Head
Is protected
Name
Definition: git.branches()
Example
For a best practices Scorecard, you can make sure that branches associated with an entity match a standard naming convention:
Find details for specified branch, or default branch if none is specified.
Branch name
Code owner reviews required
Dismiss stale reviews
Required status checks
Restrictions apply to admin
Review required
Definition:git.branchProtection()
Examples
For a security Scorecard, you can write a rule to make sure the default branch is protected:
git.branchProtection() != null
Because vulnerabilities in the default branch are critical, this rule should be in one of the first couple levels.
You can also use the Query Builder to find entities with unprotected default branches:
git.branchProtection() = null
Commits
Get the latest commits (to a maximum of 100) for a defined lookback period (defaulting to 7 days).
Date
Message
SHA
URL
Username
These results can be filtered based on branch name, using the default branch if no other branch is provided.
Definition:git.commits()
Example
You can use the git.commits() expression in a security Scorecard to make sure entities have fewer than three commits to a "security-fixes" branch in the last week:
Entities passing this rule will include those that haven't needed three or more security fixes. This can indicate that there aren't vulnerabilities in a given entity's code, but could also suggest that fixes aren't being implemented. Using this rule in conjunction with one focused on vulnerabilities could provide the extra context needed to gain a better understanding of what's happening.
Default branch
Default branch for the repository, or main when null.
Definition:git.defaultBranch()
Example
If default branches should always be named "main," you can write a rule to make sure entities follow this practice:
git.defaultBranch().matches("main")
File contents
Load the contents of a file from the entity's associated repository.
The contents can be validated by using string comparison operations or parsed by the built-in jq function. The jq function will automatically coerce file contents of JSON or YAML formats.
Definition:git.fileContents()
Example
For a Scorecard focused on development maturity, you could use the git.fileContents() rule to enforce that a CI pipeline exists, and that there is a testing step defined in the pipeline.
Check if a repository has a valid cortex.yaml file checked in at the root directory (when GitOps is enabled).
Definition:git.hasCortexYaml()
Example
If you're using a Scorecard to track a migration from Cortex UI to GitOps, you can use this rule to make sure entities are set up for GitOps management of entity descriptors:
git.hasCortexYaml() == true
Last commit details
Provides last commit details.
Date
Message
SHA
URL
Username
Definition:git.lastCommit()
Examples
One of the first rules you might write for a Scorecard focused on development maturity or security is one validating that the last commit was within the last month:
git.lastCommit().freshness < duration("P1M")
As counterintuitive as it may seem, services that are committed too infrequently are actually at more risk. People who are familiar with the service may leave a team, institutional knowledge accumulates, and from a technical standpoint, the service may be running outdated versions of your platform tooling.
Depending on best practices at your organization, you may want to confirm entities are updated within a week:
git.lastCommit().freshness < duration("P7D")
Confirming whether a service was updated within the last week can help team members catch outdated code sooner. Plus, if there is a security issue, you can quickly determine which services have or have not been updated to patch the vulnerability.
Pull requests
Lists pull requests opened during a defined lookback period.
Approval date
Author
Date closed
Date opened
First review date
Last updated
Number of commits
Number of lines added
Number of lines deleted
Organization
Repository
Source
Status
URL
Definition:git.pullRequests()
Example
You can use the git.pullRequests() query to find entities that have a small number of pull requests opened in the last two weeks:
This can highlight entities that haven't been updated recently, which may be especially useful when entities have to be updated to address a vulnerability.
Reviews
List reviews left during a defined lookback period.
Organization
Repository
Review date
Reviewer
Definition:git.reviews()
Examples
A development maturity Scorecard might use the git.reviews() expression to make sure that there is a rigorous review process in place before changes are implemented:
git.reviews(lookback=duration("P7D")).length > 25
This rule makes sure that there are more than 25 reviews left in the last week.
Workflow runs
Get workflow runs meeting given filter criteria, including conclusions, statuses, and a lookback period.
Conclusion
Name
Run started at
Run time
Run updated at
Status
Conclusions: FAILURE, SUCCESS, TIMED_OUT
Statuses: QUEUED, IN_PROGRESS, COMPLETED
The lookback period specifies a duration for which returned runs should be created within, defaulting to a period of 3 days.
The runTime of the WorkflowRun object represents the difference between runStartedAt and runUpdatedAt times in seconds.
Definition:git.workflowRuns()
Example
To make sure an entity has had a successful workflow run within the last two weeks, you can write a rule like:
The Scorecard might include a rule to ensure that an entity owners all have a description and are not archived:
ownership.teams().all(team => team.description != null and team.isArchived == false)
External repositories
By default, each GitHub rule is evaluated on the repository defined in a given entity descriptor. If the base path parameter has been set, CQL rules will automatically scope to the base path subdirectory.
To evaluate the rule for a service for an external repository, pass the repo identifier in the git(repoIdentifier: Text) command (e.g. git("github:org/repositoryName")).
This can be combined with other CQL rules. For example, a rule based on a dynamic external repository with custom data would be git("github:" + custom("my-custom-repo")).fileExists("README.md").
Background sync
Cortex conducts a background sync of GitHub identities every day at 10 a.m. UTC. Pull requests and issues are refreshed every 2 minutes.
FAQs and troubleshooting
I'm getting this error: "{"message":"Not Found", "documentation_url":"https://docs.github.com/rest/repos#get-a-repository"}".
If you've set up multiple GitHub accounts/organizations, Cortex will not be able to identify the correct one unless the alias variable is defined.
What if I have multiple email addresses set in my GitHub account?
Cortex will only detect the primary email address associated with your GitHub account if it is public.
If Cortex is not correctly pulling in user emails, ensure the given user(s) have allowed their email address to be public. Make sure the "Keep my email address private" setting is unchecked in the user's personal GitHub settings.
My ownership isn't being automatically mapped through GitHub.
If the email address associated with your Cortex account is not the same as your GitHub email address, you need to add your Cortex email address to the Public email dropdown in GitHub settings.
Github OAuth, which you can configure in Cortex user settings, allows you to link your GitHub username with your Cortex account, even if you don't have a public email set up on GitHub.
The following options are available to get assistance from the Cortex Customer Engineering team:
Email: help@cortex.io, or open a support ticket in the in app Resource Center
Chat: Available in the Resource Center
Slack: Users with a connected Slack channel will have a workflow added to their account. From here, you can either @CortexTechnicalSupport or add a :ticket: reaction to a question in Slack, and the team will respond directly.
Don’t have a Slack channel? Talk with your Customer Success Manager.
