Use CQL Captures to display rule failure causes

CQL captures allow you to extract specific values from entity data when a rule fails, making it easier for engineers to understand what went wrong. A typical use of captures is to show key quality metrics, such as code coverage, or detailed data like vulnerabilities in Scorecard rule failure messages. This helps engineers quickly understand why a rule is failing for an entity.

Example 1: Capturing code coverage from SonarQube

You can use captures to surface quality metrics such as code coverage from third-party integrations like SonarQube.

  1. Decide what data to show in the failure message. In this example, we want to display the code coverage metric reported by SonarQube.

  2. While configuring a Scorecard, add a rule using a CQL capture. Use a CQL expression to capture the code coverage metric and apply a threshold: captures("code-cov", sonarqube.metric("coverage")) > 50

  3. Customize the rule’s Failure message field to include the captured value. This message will appear when the rule fails (i.e., when coverage is 50% or lower):

    This entity's code coverage metric from SonarQube is:
    {{context.evaluation.captures.code-cov}}%

  4. After evaluation, view the Scorecard details. Navigate to the entity that failed the rule. Expand the failure message to view the captured code coverage value.

Example 2: Surface security vulnerability information from custom data

You can configure custom data to track any information you want to surface, or you can choose to track information pulled in from third-party integrations.

  1. Determine what vulnerability data to display.

    • In this case, custom data is configured to include details like alert name, score, severity, and detection date.

    Example custom data under key security-data:

    {
      "alerts": [
        {
          "vulnName": "CV-2844",
          "alertName": "CVA-2844",
          "vulnScore": 5.2,
          "alertStatus": "ACTIVE",
          "productName": "AssetManager",
          "vulnSeverity": "MEDIUM",
          "alertDetected": "2025-05-08T10:49:07Z"
        }
      ]
    }

  2. While configuring a Scorecard, add a rule that uses captures to pull in the data you want to make more visible: captures("security", custom('security-data')).get("alerts").length == 0

  3. In the rule's Failure message field, configure captures to pull in the relevant information. The following example captures vulnerability information from the custom security data into a table:

# Your entity is failing because of an unresolved vulnerability

## Table of data

| Product Name | Alert Name | Score | Severity | Date Detected |
| :---: | :---: | :---: | :---: | :---: |
{{#context.evaluation.captures.security.alerts}}
| {{productName}} | {{alertName}} | {{vulnScore}} | {{vulnSeverity}} | {{alertDetected}} |
{{/context.evaluation.captures.security.alerts}}

  4. After evaluation, inspect the failing rule in the Scorecard. Click into the affected entity and expand the rule to see the vulnerability details in a structured format.
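To preview the table an engineer will see before saving the rule, the Example 2 rule and failure message can be simulated locally. The following is an added example, not Cortex code: evaluate_rule, lookup, render and failure_message are hypothetical helpers, the renderer handles only the Mustache subset used on this page, and the lack of value escaping is an assumption.

```python
import re

# Sample custom data under key "security-data", copied from the example above.
SECURITY_DATA = {"alerts": [{
    "vulnName": "CV-2844", "alertName": "CVA-2844", "vulnScore": 5.2,
    "alertStatus": "ACTIVE", "productName": "AssetManager",
    "vulnSeverity": "MEDIUM", "alertDetected": "2025-05-08T10:49:07Z"}]}

# Table portion of the Failure message template from step 3.
TEMPLATE = """| Product Name | Alert Name | Score | Severity | Date Detected |
| :---: | :---: | :---: | :---: | :---: |
{{#context.evaluation.captures.security.alerts}}
| {{productName}} | {{alertName}} | {{vulnScore}} | {{vulnSeverity}} | {{alertDetected}} |
{{/context.evaluation.captures.security.alerts}}
"""

def evaluate_rule(custom_data):
    """Mimic captures("security", custom('security-data')).get("alerts").length == 0."""
    # Assumption: captures() records the value under its name and passes it through.
    captures = {"security": custom_data}
    passed = len(custom_data.get("alerts", [])) == 0
    return passed, captures

def lookup(scope, dotted):
    """Resolve a dotted name such as context.evaluation.captures.security.alerts."""
    for part in dotted.split("."):
        scope = scope.get(part, "") if isinstance(scope, dict) else ""
    return scope

def render(template, scope):
    """Mustache subset: list sections and plain variables, no escaping."""
    def section(m):
        items = lookup(scope, m.group(1)) or []
        return "".join(render(m.group(2), item) for item in items)
    out = re.sub(r"\{\{#([\w.-]+)\}\}\n?(.*?)\{\{/\1\}\}\n?", section,
                 template, flags=re.S)
    return re.sub(r"\{\{([\w.-]+)\}\}",
                  lambda m: str(lookup(scope, m.group(1))), out)

def failure_message(custom_data):
    """Return the rendered message, or None when the rule passes."""
    passed, captures = evaluate_rule(custom_data)
    if passed:
        return None  # the failure message only appears when the rule fails
    return render(TEMPLATE, {"context": {"evaluation": {"captures": captures}}})

if __name__ == "__main__":
    print(failure_message(SECURITY_DATA))
```

Each entry in alerts becomes one table row, and an entity with an empty alerts list passes the rule and produces no message.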
