1 of 100

Cortex Docs

Cortex Documentation

Code is no longer the bottleneck. Everything else is.

Cortex is the Engineering Operations Platform that enables organizations to continuously improve their operational maturity and reduce developer friction – so that the whole organization operates as one. By unlocking a culture of engineering excellence, our customers reduce incidents, improve MTTR, and make it easier for developers to focus on building.

Get started with Cortex

Get started in minutes with Cortex's .

Cortex video overview

See an overview of Cortex below:

Accelerate the path to Engineering Excellence

We believe the foundation for Engineering Excellence starts with clear ownership and accountability. With ownership in place, drive complete visibility through the catalogs, a culture of continuous improvement using and , and consistent developer experience through self-service .

Learn how organizations drive Engineering Excellence with Cortex:

VELOCITY

Track, standardize, and accelerate developer productivity, maintain high code quality, and keep systems reliable.

Monitor cycle time, PR throughput, code coverage, and velocity trends with Eng Intelligence and dashboards.

EFFICIENCY

Align everyone to the same standards and provide structured ways to meet them.

Use to measure and set standards for consistency, resource utilization, and migrations.
Use

SECURITY

Continuously check services for security best practice adherence and drive patches with clear ownership and accountability.

Monitor encryption, dependency health, and vulnerability status with customizable Security Compliance templates.

RELIABILITY

Validate that every service meets operational requirements, continuously improve day-to-day operations, and give teams the context and tools to respond quickly when incidents happen.

Automate readiness and operational maturity with customizable templates.

Get Started

Cortex Quick Start

We’re excited for you to start using Cortex to achieve engineering excellence! If you don’t have an account yet, sign up for a demo.

This guide walks through setting up your account, configuring your first integrations, and connecting your entities — services, infrastructure, teams, and more — with Cortex. After you’ve followed these steps, reach out to the Cortex team with any questions you have.

Need additional guidance?

To ensure a smooth implementation, partner with Cortex Professional Services (PS) for expert guidance and hands-on assistance with data modeling, entity ownership, and more. Reach out to [email protected] to learn how we can support your implementation and adoption journey.

Looking for a quick introduction to Cortex? Check out the .

Getting started in Cortex

When you first log in to your Cortex workspace, you are prompted through the steps of configuring your account and connecting data. See the video below for a demonstration:

Following the streamlined onboarding

Step 1: Log in and configure your workspace

You can access your Cortex workspace using the workspace ID provided to you by your Cortex team. Or, if you are deploying Cortex on-premises, the Cortex team will provide you with access to an installer.

SSO setup

Your initial login will be configured to use Google for Single Sign-On (SSO).

If you do not use a Google domain email address, work with the Cortex team on initial access and .

Add users

Step 2: Configure integrations

Before importing entities, you may want to think through your data modeling approach. Learn more below under .

You will be prompted to connect your tools:

Integrate with version control and teams

Version control

Step 3: Configure identity mappings and review services

Configure identity mappings

After connecting version control and teams, you will be prompted to for users, allowing you to match user identities across different systems.

Review mapped services

Cortex will recommend connections for your services. For example, if you connected PagerDuty, Slack, and Jira, then Cortex will recommend an entity's on-call service, Slack channel, and Jira project. You can change these details before confirming the import.

Step 4: View catalog or create a Scorecard

Congratulations - you are on the path to achieving engineering excellence with Cortex!

After completing the onboarding flow, you will be prompted to create your first Scorecard or to .

For additional information and resources, see the section below: .

Create your first Scorecard

You can use to establish best practices, track migration, promote accountability among teams, enforce standardization across entities, or define maturity standards.

Additional information

Data modeling

Before importing entities, consider your data modeling approach.

Identify the key entities that you want to represent in your Cortex catalogs.
- Read more about entities and the default entity types in the .
If needed, .

Tracking ownership with teams

serve as both an entity representing your organization in Cortex and as owners for entities in the catalogs. Ownership is a core use case of Cortex, as organizations seek to establish clear ownership of services, data, and other entities. Ownership also drives which users will receive notifications from Cortex, including alerts for on-call changes, when an entity is re-evaluated and its Scorecard changes, and more.

Teams can be assessed via , interact with integrations, and leverage custom data. They can also be configured in a hierarchy. In addition, team data can be tracked and analyzed in . You can manually create teams in Cortex or you can pull in teams from integrations.

Go further

Create to segment your entities.

Explore additional resources

Now that you’ve completed your first steps, we recommend exploring the following topics:

: You can manage your entities directly in the browser-based Cortex workspace, or you can follow a GitOps approach. We recommend starting in your Cortex workspace, then if desired, switching to GitOps before a broader rollout at your organization.
: Automate running sequential actions and development workflows based on contextual data that exist inside your workspace.
- Reach out to your Customer Success Manager for more information on enabling this feature.

Go further

Ready to learn more? Check out the to explore courses across core product areas and build expertise on the Cortex platform!

Connect data

Overview: Ingesting data into Cortex

Getting your data into Cortex is the foundation for data-driven decision making and improved accountability across your teams.

By connecting your services, repositories, teams, infrastructure, and more, Cortex can provide a complete, up-to-date view of your ecosystem. This powers the ability to track ownership of entities, enforce production readiness and other standards via Scorecards, standardize common developer Workflows for entities, and more. It also ensures your developers can find what they need, understand how everything fits together, and make better decisions at every stage of the development lifecycle.

How Cortex handles data modeling

Some internal developer portals start with too much rigidity or too little guidance. A rigid platform prevents you from correctly modeling relationships between key entities in your environment. An overly modular approach requires you to rebuild business logic for each use case, resulting in the same fractured experience you intended to solve for.

Cortex solves for this by giving you the flexibility to mirror your unique business logic across your data, and the structure to persist that logic everywhere:

Data models are foundational, but configurable.
Integrations are available, but extensible.
Experience is complete, but customizable.

With consistent developer workflow and a configurable experience, it's easier to accurately represent your services and infrastructure in Cortex. See an .

Need assistance with data modeling? To ensure a smooth implementation, most of our customers partner with Cortex Professional Services (PS) for hands-on assistance, including expert guidance on data modeling. Contact [email protected] to learn more.

Connect your data

The pages in this section cover the following topics:

How to import and manage entities
- An entity is an object that represents a software construct. Entities are represented in YAML and can pull in data from integrations. Entities can have dependencies, can be set up in a hierarchical structure, and can be connected to other entities through entity relationships. Entity standards can be ensured through Scorecards. Learn more in .
How to create and manage catalogs

Want to learn more? Check out the Cortex Academy course on , available to all Cortex customers and POVs.

Cortex data concepts reference table

Learn about the basic data concepts for Cortex below.

Concept

Definition

YAML linter tool

The Cortex YAML linter validates your cortex.yaml files for both general YAML syntax and Cortex-specific schema requirements, helping prevent ingestion of invalid or incomplete data into the platform.

This page references the built-in tool in the Cortex UI under Tools > YAML Linter. Note that there is also a linter tool built in to the Cortex GitHub app, which runs checks on pull requests when you use GitHub in a GitOps workflow.

Using the YAML linter

Validate a YAML file in the Cortex UI

In Cortex, navigate to .

Paste your YAML into the text editor, then in the upper right, click Validate YAML.
At the bottom of the screen, you will see a status banner:
- If the format is correct: You will see a message stating that the YAML is valid:

Validation scope

The linter checks for valid YAML structure and ensures required Cortex fields (like openapi version, x-cortex-tag, etc.) are present. If a required field is not present, this results in an error and the YAML does not pass the linter check.

The linter also validates the format of Cortex-specific blocks (e.g., x-cortex-groups, x-cortex-firehydrant) but does not verify the correctness of referenced data (such as whether a group or monitor ID actually exists). If there is an issue for a Cortex block, such as a block that doesn't contain a value, you will see a warning; however, the YAML will still pass the linter check.

If you submit a file with templating syntax (e.g., Jinja or cookiecutter variables like {{ variable }}), the linter will fail because these are not valid YAML until rendered. Only fully rendered YAML files will pass validation.

If the YAML is invalid or missing required fields, the linter will return errors indicating the line and nature of the problem.

GitOps settings for the linter tool

If you are using GitHub in a workflow, you can adjust settings related to the linter. See for more information.

Adding entities

In this section, learn how to add each of the built-in entity types and dependencies, and how to create a custom entity type and add custom entities:

Add services
Add domains

Want to learn more? Check out the Cortex Academy course on , available to all Cortex customers and POVs.

Add services

Services are a default entity type in Cortex, used for entities such as microservices, libraries, components, etc – essentially any codebase-like module.

View services

To view services, click Catalogs > Services from the main nav.

When you open the Services page, you'll see tabs labeled Mine and All, which denote services you own and all services visible to you in your Cortex workspace.

Grouping entities

Groups are a tagging system that can be used to group a set of together, enabling a variety of use cases including:

Tagging
- Use groups to segment entities.

Viewing discovered entities

You may have over a hundred repositories in GitHub, and eventually, you will likely import all of them into Cortex. This much information can make it difficult to know at a glance that all repositories are accounted for and all new projects are being imported into and tracked within Cortex.

The discovered entities list (formerly known as the discovery audit) guarantees confidence in your catalogs by listing all changes that Cortex has detected. Cortex compares everything that exists within the system to what it discovers within your git tool, APM tool, Kubernetes cluster, and other crucial integrations, giving you insight into changes happening across your environments.

View the discovered entities

You can view discovered entities under Catalogs > All entities in the .

On this page, see a list of recent changes in your environment that aren't yet reflected in Cortex, including newly created repositories, services, and resources discovered from your integrations.

Filter the discovered entities list

The first time you view the discovered entities list, there may be a lot to review. To narrow the scope of your list and start with changes that are the highest priority for you, search or filter the list by integration or entity type.

To search, enter text into the search bar in the upper right corner of the list.
To filter, click Filter in the upper right corner of the list. Select your filtering criteria, then click Apply.

Importing and removing entities

Cortex will tag detected changes to signify whether an entity or repository has been discovered, archived, or deleted.

You can import, delete, or ignore the entities listed in Discovery audit.

Import discovered entities

If Cortex detects a new service or resource, you can import it directly from this page:

Click + in the row containing the new entity:
Configure the entity details.
- For detailed instructions on creating a new entity, see the relevant docs page for the entity type: ,

Delete discovered entities

If Cortex no longer detects a given entity, you also have the ability to delete that entity or repository directly from this page:

Click the trash can icon in the row containing the entity:\
In the confirmation window, click Delete.
- The confirmation window gives you the opportunity to review all potentially impacted services before deleting, so you don’t unintentionally remove something from Cortex.

Ignore discovered entities

If an event appears within the discovered entities list, but is irrelevant — for example, a test project that doesn’t need to be imported into Cortex — you can ignore it:

Click the hide icon in the row containing the entity:\

The entity will now appear in the Ignored tab. The ignore action is persistent, so the event won’t appear again within the discovered list.

From the ignored list, you can move the entity back to the Discovered tab by clicking the eye icon.

Troubleshooting and FAQ

Why do I not see all of my services from my APM provider in the discovered entities list?

Cortex supports a subset of integrations within the discovered entities list:

Datadog
ECS
Version control (Azure DevOps, Bitbucket, GitHub, GitLab)
Instana

Archiving entities

Archiving an entity allows you to remove it from active use while preserving its history and context.

You can configure Cortex to automatically archive entities when they are no longer detected in your integrations or when their corresponding YAML files are deleted. We recommend enabling this feature to keep your data up-to-date without manual effort. Learn more in .

It's also possible to manually archive entities in the Cortex UI or via the Cortex API, as described below.

How to archive and unarchive entities

Relationship graph

In Cortex, use the relationship graph to better understand:

Dependencies
- Visualize how entities relate to one another

Using On-call Assistant for incidents

Cortex’s On-call Assistant leverages the PagerDuty integration to automatically surface the most vital information about entity health and metadata when an incident is triggered. On-call Assistant notifies the user(s) responsible for an incident via Slack, including information about the affected entity, recent deployments, ownership, and links to get more details, including dependencies, runbooks, and logs.

On-call Assistant helps users respond to incidents in real time, simplifying the incident response process and helping to reduce MTTR. It can also drive adoption and engagement through links to the catalogs and Scorecards.

How On-call Assistant works

Notifications

When an incident is triggered in PagerDuty, On-call Assistant will notify relevant users via . This alert will include information about the affected entity, deploy details, and ownership information so an on-call team member can reach out to other relevant parties about the incident.

Developers can access entity information that is already in Cortex directly from the Slack notification to quickly resolve issues. On-call Assistant provides a direct link to view the alert in PagerDuty, so you can also quickly access the incident from its source.

View runbooks and other links

View dependencies

Enabling On-call Assistant

Prerequisites

You must have the configured.
You must create an in PagerDuty with the Write permission.
- If you create an API key with Read-only permissions, you will also need to configure a webhook to get the On-call Assistant working.

Enable On-call Assistant in Cortex

To enable, navigate to and toggle on Enable On-call Assistant.

If you added PagerDuty API key with Write permissions, enabling the On-Call Assistant will create a webhook subscription in PagerDuty, allowing Cortex to receive events when incidents are triggered, escalated, or unacknowledged.

Configure a webhook for read-only API keys

If you added PagerDuty API key with Read-only permissions, you must also configure a webhook subscription.

In Cortex, on the , click Configure webhook.
Copy the webhook URL. You will need this in the next steps.
In PagerDuty, add a new webhook.

Manage entities using Cortex Terraform Provider

The acts as a bridge between Terraform and the Cortex platform, allowing you to manage and provision Cortex resources (such as , , and ) using Terraform’s infrastructure-as-code approach. The provider is a wrapper around the public Cortex API and is maintained by the Cortex team, with shared ownership and ongoing support for customers who use it.

Cortex integrates with Terraform in two different ways, depending on whether you want to manage Cortex resources using Terraform, or use Cortex to drive Terraform runs for your infrastructure.

To learn about using Cortex to drive Terraform runs, see .

BambooHR

Overview

is a Human Resources Information System (HRIS) solution that allows you to define organizational membership. Integrate Cortex with BambooHR to automatically sync team memberships, giving you insight into entity ownership.

CircleCI

is continuous integration and continuous delivery platform that can be used to implement DevOps best practices.

Integrating CircleCI with Cortex allows you to:

in Cortex
Create that track progress and drive alignment on projects involving your CircleCI data

Coralogix

Overview

Coralogix is an observability and security platform. Integrate Cortex with Coralogix to drive insights into alerts.

After setting up the integration, relevant alerts from Coralogix will appear in your entity pages. While viewing an entity, click Integrations > Coralogix in its sidebar to view the list of alerts.

How to configure Coralogix with Cortex

Prerequisites

Before getting started, generate a .

Step 1: Configure the integration in Cortex

In Cortex, navigate to the
- Click Integrations from the main nav. Search for and select Coralogix.
Click Add configuration.

How to connect Cortex entities to Coralogix

Discovery

By default, Cortex will use the entity name or (e.g. my-service) as the "best guess" for the Coralogix alert application name. For example, if your entity name is "My Service" and your Cortex tag is “my-service”, then the corresponding application name in Coralogix should be “My Service” or "my-service".

If your Coralogix application names don’t cleanly match the Cortex tag, you can override this in the Cortex entity descriptor.

Editing the entity descriptor

Coralogix alerts can be listed in the Catalog under the Coralogix section. We support application names in the YAML for pulling Coralogix alerts.

Using the Coralogix integration

Scorecards and CQL

With the Coralogix integration, you can create Scorecard rules and write CQL queries based on Coralogix alerts.

See more examples in the in Cortex.

Check if Coralogix application is set

Check if entity has a registered Coralogix application in its entity descriptor. If no registration exists, we'll try to automatically detect which corresponding Coralogix application is associated with the entity.

Definition: coralogix (==/!=) null: Boolean

Example

You could write a rule that checks whether an entity has a Coralogix application set:

Alerts

List of alerts, filterable on status

Definition: coralogix.alerts(): List

Example

You could write a rule that checks whether an entity has at least 3 alerts:

You could write a rule that checks whether an entity has no alerts and status triggered:

View integration logs

This feature is available to Cortex cloud customers.

On the integration settings page, click the Logs tab to view logs from the last 7 days. Learn more in .

Grafana

is an open-source observability platform that provides monitoring and visual analytics for application performance. Use Grafana to your data, from bar charts and histograms to pie charts and geomaps.

Integrating Grafana with Cortex allows you to:

in Cortex
Create that include rules related to Grafana dashboards

Humanitec

offers products to build on top of your Engineering Operations Platform for containerized workloads.

Integrating Humanitec with Cortex allows you to run a Humanitec pipeline directly from Cortex.

How to integrate Humanitec with Cortex

Instana

Overview

is a tool used for monitoring and performance management. Integrate Instana with Cortex allows you to pull in services from Instana.

Lightstep

Overview

, formerly known as Lightstep, helps you detect changes in your logs, metrics, and traces. Integrate Lightstep with Cortex to drive insights into SLOs and latency and error rate metrics.

Syntasso Kratix Enterprise (SKE)

is an enterprise-grade platform orchestrator built on , an open-source framework for building internal developer platforms on Kubernetes. SKE enables platform teams to deliver self-service infrastructure and services through composable, API-driven abstractions called .

Integrating SKE with Cortex allows you to:

Dynamically create in Cortex that map to Kratix Promises, enabling developers to self-service Kubernetes resources
Register and update entities in Cortex that represent Kubernetes resource definitions managed by SKE

Standardize

Scorecard rule filters

Rule filters allow you to apply a Scorecard rule only to specific entities. It's helpful to use a rule filter when a rule doesn’t apply to every entity or every group.

You can apply a filter in the Cortex UI while building out your Scorecard rules, or you can write a custom CQL query to filter your rule.

How to set up a Scorecard rule filter

When , click and expand Restrict rule to specific groups.
Select the relevant groups to include or exclude.
- Or, if you prefer to write a CQL query, click Switch to CQL under the group fields.
Click Save rule.

See the for instructions on the overall process of creating a Scorecard.

You can also edit an existing Scorecard to add a filter to a rule.

Example Scorecard rule filter

For example, let's say that entities in the "billing" group don't need to have SLOs set up properly.

In the rule "Has SLOs set up," apply a filter to exclude the "billing" group:
After saving the rule with the excluded group, view the Scorecard. Any entities in the "billing" group will not be scored against the "Has SLOs set up" rule. The rule will not appear as a passing or a failing rule; it will not be included at all.

View the filter on the Scorecard home page

Once a rule filter has been applied, you can still see it on a Scorecard’s home page. Navigate to the Rules tab and expand the rule to confirm it has been exempted.

Improve

Cortex MCP Prompt Library

The teams getting the most value from the MCP have developed prompt patterns that fit naturally into their workflows. We've collated the most effective prompt patterns we've seen across different roles and workflows to build the list of prompt examples below. Think of it as a starting point for building your own prompt library, one that fits the specific needs of your team and organization.

Prompts for engineers

The best prompts for engineers eliminate context switching at the moments when focus matters most.

Understanding unfamiliar services

Tell me about the [service-name] service, including who owns it, what it does, and where the documentation lives.

This query pulls everything from your at once. You get ownership, a description of what the service does, links to documentation, and the team's communication channels. Instead of hunting across wikis, Slack, and GitHub, you have the context you need to start working.

Show me the dependencies for [service-name]. Which services does it depend on, and which services depend on it?

Understanding the dependency graph is critical when planning changes with potential downstream impact. This prompt reveals what might break and which teams need to be in the conversation before you make a move.

Which Scorecard is [service-name] failing, and what do I need to fix? This prompt transforms maintenance from reactive to proactive. Instead of waiting for your platform team to flag issues or discovering gaps during an incident, you see exactly which Scorecards are failing and what specific checks need attention. You can address production readiness, security, or documentation gaps on your own schedule, before they become blockers.

During code review

Check the Scorecards for [service-name]. Does this service meet our production readiness standards?

Starting here when you're unfamiliar with a service changes the conversation. If the service is already failing key Scorecards, you'll know which questions to ask and where the risks actually are.

Show me recent incidents for [service-name].

Past incidents tell you where a service has been fragile. When you see that history before approving changes, you can evaluate whether the PR addresses root causes or introduces new failure modes.

Tracking your work

What Initiatives are assigned to the Engineering team, and what's the status of each?

This condenses your weekly status check into a single query. Run it at the start of your week or during standup and you get a complete picture of your Initiative commitments and their current state. Instead of navigating to the Cortex web UI or mentally tracking what you're responsible for, you see everything assigned to you without leaving your IDE or chat interface.

Show me the details for Initiative [initiative-name]. What still needs to be done?

When you're ready to make progress on a specific Initiative, this surfaces the remaining tasks and their current state. You know exactly what's left and where to focus.

Prompts for engineering leaders

The best prompts for engineering leaders are about trends, patterns, and the health of systems; these prompts surface the signals that inform strategic decisions.

Understanding team health

Show me MTTR trends over the last quarter. How has it changed?

Incident response either gets faster or it doesn't. If MTTR is climbing, something in your system has degraded. This prompt gives you the trend line and a clear signal to investigate process or tooling gaps.\

Which teams have the most failing Scorecards right now?

This surfaces which teams are struggling with compliance or buried in technical debt. The answer reveals where support and resources should flow. Instead of waiting for teams to escalate problems or discovering issues through incident patterns, you have a clear view of which teams need help right now. That visibility lets you have proactive conversations about priorities, staffing, or process changes before compliance gaps become production incidents.

Tracking AI adoption impact

How has AI adoption impacted MTTR and deployment frequency over the last quarter?

This connects AI spending directly to concrete business outcomes. When you run this query, you're comparing metrics before and after AI tool adoption. If MTTR dropped and deployment frequency increased after rolling out Copilot or similar tools, you have hard data to justify continued investment and potentially expand the rollout.

If the metrics haven't moved despite adoption, you need to ask different questions: Are teams actually using the tools? Do they need more training? Are the tools solving the wrong problems? The comparison gives you evidence to either double down on your AI strategy or course-correct before spending more.

Which teams have adopted AI tools, and how does their velocity compare to teams that haven't?

Spotting bottlenecks

Where are the biggest bottlenecks slowing down the Checkout team?

When a team's velocity drops unexpectedly, this surfaces the patterns that sprint metrics miss: services with high incident rates, missing documentation, or blocked Initiatives. You get signal, not speculation.

Show me services with the highest incident rates in the last month.

High incident rates point to deeper reliability issues. This tells you where to invest in stability before those services become everyone's problem.

Prompts for platform teams

The best prompts for platform teams show you where adoption is working, where it's stalled, and which teams need support.

Tracking standards adoption

Show me how teams are performing on the Production Readiness Scorecard. Which services are failing?

This gives you a complete view of compliance across the organization without manually checking each team's services. You see which teams are struggling to meet standards and which services create the most risk. The answer tells you where to focus your enablement efforts and which conversations to prioritize. Instead of discovering compliance gaps reactively during incidents or audits, you have a real-time picture of organizational health.

Which services don't have runbooks, and who owns them?

Missing runbooks are incidents waiting to happen. When something breaks at 3 AM, responders need clear guidance to restore service quickly. This prompt shows you exactly which services lack that critical documentation and who's responsible for creating it.

Managing Initiatives

Which services are blocking completion of the [initiative-name] Initiative?

When an initiative stalls, this identifies exactly which services or teams are holding things up. Now you know where to focus your attention and who needs support.

Show me progress on the Kubernetes Migration Initiative. Which teams are on track, and which are falling behind?

This surfaces real-time status across every team involved in the initiative without sending Slack messages or requesting manual updates. You get an immediate picture of which teams are making progress, which are stuck, and which haven't started. That visibility lets you direct support and resources to the teams that need it most, rather than treating every team the same or discovering delays only when deadlines slip.

Gap analysis

Which critical services are missing SLOs?

SLOs are foundational to reliability. This scopes the gap and identifies which services should be prioritized based on business impact before an incident forces the conversation.

Show me services without proper monitoring. What's missing?

Monitoring gaps are blind spots waiting to bite you during incidents. This surfaces which services need instrumentation and what specific monitoring is absent, so you can build a targeted remediation plan.

Prompts for SREs

The best prompts for SRE teams focus on proactive incident prevention or responding quickly to a incident in progress.

During incidents

Who's on call for [service-name] right now, and when was it last deployed?

The first question in almost every incident. One prompt gets you the owner, the on-call contact, and recent deployment history. You can escalate or start investigating without hunting through five different systems.

Show me recent deploys and changes for [service-name].

Most incidents trace back to recent changes. This gives you a timeline pointing to likely culprits so you can focus your investigation on what actually changed.

Show me the incident readiness Scorecard for [service-name]. Are we prepared to respond?

Proactive reliability work

Show me services with the highest MTTR in the last month.

High MTTR means certain services are consistently difficult to debug or restore. This tells you where reliability improvements will have the biggest impact on your time and your team's sanity.

Which critical services have had the most incidents recently?

Frequent incidents signal deeper problems that incident response won't fix. This helps you spot patterns and prioritize services that need architectural investigation, not just patches.

Show me services that are missing runbooks or escalation procedures.

Prompts for security engineering teams

The best prompts for security engineers help them monitor, audit, and enforce security posture across services.

Compliance monitoring

Which services are failing our SOC-2 Scorecard?

This gives you a view of SOC-2 compliance across the organization without manually checking each team's services. The answer tells you where to focus your efforts and which conversations to prioritize. Instead of discovering compliance gaps reactively during incidents or audits, you have a real-time picture of organizational health.

Proactive security health

Which services have no on-call rotation configured in PagerDuty?

When incidents happen, it's important to have on-call information readily available to ensure a fast response time.

What is the progress on my Security Initiative and what are some quick wins?

This surfaces real-time status for an Initiative without requesting manual updates from team members. You get an immediate picture of which entities are making progress and which are not. That visibility lets you direct support and resources to the teams that need it most.

Prompts for Product Managers

The best prompts for product managers focus on visibility, delivery health, and compliance to engineering standards that affect product velocity and quality.

Delivery and health metrics

Which services in the [product area] domain are failing their DORA metrics?

If you organize your data in Cortex by product area, Product Managers can get quick insight into which services in that product area domain are failing DORA metrics.

Initiatives and adoption tracking

Give me all currently active initiatives and ideas for how I can improve them

This helps product managers track progress on key initiatives and ensure teams are moving toward business goals.

Give me links to the docs and runbooks for [repository]

This helps product managers who need to find the documentation for a feature's related repository.

Adding external documentation

Cortex is your source of truth to external docs. Instead of digging through wikis and other resources, you can aggregate docs on the relevant entities in Cortex in the following ways:

Adding links to an entity
Displaying Swagger, OpenAPI, or AsyncAPI specs on an entity

If you have configured the , you can use Slack Bot commands to .

View links on an entity

Links appear on an entity details page in the Links & docs section:

Add links to an entity

On entities, you can add links to docs, runbooks, tech specs, dashboards, and more.

Before editing an entity via the UI, make sure that UI editing is enabled under .

In Cortex, navigate to an entity.
In the upper right corner of the entity details page, click Configure entity.
Click Links on the left side.

You can quickly look up links using the .

Git-driven markdown docs

Cortex automatically embeds markdown files from the docs folder of your repo or from the root directory. If Cortex detects relevant files, these docs show up under the Links & docs page in an entity's sidebar.

Cortex uses the for rendering the documents.

Documentation types

When , Cortex supports embedding OpenAPI or AsyncAPI specs, embedding specs from your repository, adding relative links to a repository that isn't associated with the entity, and embedding charts (from Datadog, Grafana, New Relic, or other sources). You can also create a custom type while .

Cortex supports displaying Swagger/OpenAPI or AsyncAPI specs for each entity in the API explorer on an . You can also authorize your API and run queries directly in the API explorer.

OpenAPI docs

You can use your file as an OpenAPI spec file. As mentioned in the , the entity descriptor file extends the OpenAPI spec, so you can implement the spec directly in this file.

You may have existing or external specs you want to display in the API explorer from sources such as Swagger Hub or GitHub Raw URL. Add these to the JSON or YAML spec file under the block, with the type openapi.

Embed specs from a git repository

If you have specs checked into your git repository, you can embed it by adding it as a relative URL with type openapi. For example:

Relative links in another repo

In addition to providing the ability to link to specs within the service repo, Cortex also allows for links that reference other git repositories that aren't necessarily associated with your entity but still within your organization.

Power users can also specify a branch parameter between the second and the third colon separated group, in the form github:org/repo:branch:path/to/file. If this parameter is omitted, we will use the repository's default branch.

Relative link YAML examples

Adding OpenAPI via the Cortex API

Using your , you can also send your OpenAPI JSON or YAML file to the public /api/v1/catalog/documentation/openapi for each of your entities. One API doc per entity can be uploaded and it will automatically show up as an API Doc entry in the dropdown in the API explorer.

The request body is the following, in JSON format. See API Docs for authentication details.

Field

Type

Description

Converting YAML or JSON to string You can use a lightweight utility like jq to take your yaml/json and generate a string that can be used for your request:

e.g. $(cat my_file.yaml | jq -Rsa)

AsyncAPI docs

If you have specs checked into your Git repository, you can embed it by adding it as a relative URL with type async_api. For example:

Embedded dashboards

Cortex supports embedding charts from , , or directly into an entity for quick access. To view embedded charts, click the Dashboard page in the .

You can add charts to an entity's YAML:

The type field is an optional enum of three types: datadog, grafana, or newrelic.
The url field is the src value for the iframe

Note that you can embed individual charts, not dashboards.

If you're using Grafana and seeing errors in your Grafana embeds, make sure your Grafana instance .

Embed content from other sources

It is possible to display content from a source other than Datadog, Grafana, or New Relic. To do this, do not specify an option for the type field. The URL you add must be publicly accessible or provide cross-platform authentication for Cortex to view and display the iframe. For example, if the content is accessible via VPN, then you should be able to view it in Cortex while on the VPN.

Accessing docs links via Slack

If you have configured the , you can use commands to list documentation directly in Slack:

/slack links <tag-or-id> to list all documentation links for an entity
/slack links [type] <tag-or-id> to list specific types of documentation links for an entity

The type corresponds to the type of documentation (e.g., openapi, documentation, etc.). Replace <tag-or-id> with the .

For example:

To list all documentation links for an entity with ID en29f044598b112345, you could run the following command in Slack: /cortex links en29f044598b112345
To list the OpenAPI specs for an entity with tag plugin-extension, you could run the following command in Slack: /cortex links openapi plugin-extension

The Slack Bot links command works for any docs links listed under x-cortex-links. Note that it does not list the listed under x-cortex-dashboards.

Azure Resources

Azure Resources provides on-demand cloud computing platforms and APIs. Cortex uses the Azure Resource API to pull in resource details and import entities such as SQL servers, virtual machines, virtual networks, load balancers, and others.

Integrating Azure Resources with Cortex allows you to:

Automatically import entities and track ownership of entities
Create Scorecards to drive alignment and track progress on projects involving resources from Azure

How to configure Azure Resources with Cortex

Prerequisites

Before getting started, you will need the following information. These can be found in the Enterprise applications section of Azure:

Azure tenant ID
Azure client ID and
Azure subscription ID

Configure the integration in Cortex

In Cortex, navigate to the .
- Click Integrations from the main nav. Search for and select Azure Resources.
Click Add configuration.

After saving your configuration, you are redirected to the integration settings page in Cortex. In the upper right corner of the page, click Test configuration to ensure Azure Resources was configured properly.

How to connect Cortex Entities to Azure Resources

For Azure Resources, Cortex replaces non-alphanumeric characters in entity names with a space. For example, resource_1 would become resource 1.

For the , Cortex replaces non-alphanumeric characters with - and lowercases the letters. If multiple special characters appear together in a tag, Cortex replaces the group of characters with only one -. For example, mY_e%ntity#$_tag would become my-e-ntity-tag

Enable automatic discovery of Azure Resource entities

You can configure automatic import from Azure:

In Cortex, navigate to the .
Next to Auto import from AWS, Azure, and/or Google Cloud, click the toggle to enable the import.\

Discover ownership for Azure Resources

Cortex can automatically discover ownership for your Azure resources. To configure this:

Make sure that your Azure resources have a tag matching the x-cortex-tag of the corresponding Cortex team
Enable the “Sync ownership from Azure” toggle in the in Cortex.
- By default, Cortex looks for the owner

Cortex syncs ownership from Azure Resources every day at 6 a.m. UTC.

Define a dependency

Cortex automatically discovers dependencies between your services and resources by scanning for resources with specific Azure Resources tags. By default, a service will have dependencies on any Cortex resource that has a corresponding Azure Resources resource with Azure Resources tag key = "service" and tag value = the service's Cortex tag.

On the , you can customize the tag key names for dependencies.

For more information on defining dependencies, please see the .

Import entities from Azure Resources

See the for instructions on importing entities.

Editing the entity descriptor

You can associate a Cortex entity with one or more Azure Resources entities. Cortex will display those Azure Resources entities' metadata on the Cortex entity page.

When the entity is connected to Azure, the entity YAML will look like the following:

Using the Azure Resources integrations

Scorecards and CQL

With the Azure Resources integration, you can create Scorecard rules and write CQL queries based on Azure Resources details.

See more examples in the in Cortex.

Get Azure Resource details for entity

Get Azure Resource details for an entity.

Definition: azureResource.details(): Object

Examples

In a Scorecard, you can write a rule to make sure an entity has Azure Resource details:

Make sure an entity has an environment tag:

View integration logs

This feature is available to Cortex cloud customers.

On the integration settings page, click the Logs tab to view logs from the last 7 days. Learn more in .

Background sync

Cortex conducts a background sync of Azure Resources every day at 00:00 a.m. UTC and an ownership sync every day at 6 a.m. UTC.

FAQs and troubleshooting

Why is the Azure resource type microsoft-resources-subscriptions-resourcegroups not pulling in Azure Resource details?

Cortex pulls from the Azure Resource API, but not from the Azure Resource Group API. If you would like to submit a feature request for support of Azure Resource Groups, please contact our customer engineering team.

Still need help?

The following options are available to get assistance from the Cortex Customer Engineering team:

Email: , or open a support ticket in the in app Resource Center
Slack: Users with a connected Slack channel will have a workflow added to their account. From here, you can either @CortexTechnicalSupport or add a :ticket: reaction to a question in Slack, and the team will respond directly.

Don’t have a Slack channel? Talk with your Customer Success Manager.

ClickUp

ClickUp is a project management tool that combines tasks, document collaboration, and issue management in a single platform.

Integrating ClickUp with Cortex allows you to:

View task information directly on entity pages in Cortex
Create ClickUp tasks based on Initiatives directly from Cortex
Map ClickUp identities to users in Cortex
View open ClickUp tasks in the
Create that track progress and drive alignment on projects involving your ClickUp tasks

How to configure ClickUp with Cortex

Prerequisites

Before getting started:

Create a .

Configure the integration in Cortex

In Cortex, navigate to the .
- Click Integrations from the main nav. Search for and select ClickUp.
Click Add configuration.

If you’ve set everything up correctly, you’ll see the option to Remove Integration in settings.

You can also use the Test configuration button to confirm that the configuration was successful. If your configuration is valid, you’ll see a banner that says “Configuration is valid. If you see issues, please see documentation or reach out to Cortex support.”

Note that mapping options will not appear in Cortex for users who have not finished user registration in ClickUp. If a user is partially registered, Cortex will filter them out of the mapping page.

How to connect Cortex entities to ClickUp

Auto discovery of spaces, folders, and tags

By default, Cortex will use the (e.g. my-entity) as the "best guess" for ClickUp space, folder, or tag. For example, if your Cortex tag is my-entity, then the corresponding space, folder, or tag in ClickUp should also be my-entity.

If your ClickUp space, folder, or tag don’t cleanly match the Cortex tag, you can override this in the Cortex entity descriptor.

Editing the entity descriptor

You can map any number of ClickUp spaces, folders, and tags to a Cortex entity. Spaces and folders can be mapped by using either ID or name.

You can find your folder ID or space ID in your ClickUp URL: https://app.clickup.com/:workspace_id/v/f/:folder_id/:space_id.

Mapping spaces by ID or name

When mapping spaces, you can use the ID or name for the space.

These blocks share the same fields:

Field

Description

Required

Mapping folders by ID or name

When mapping folders, you can use the ID or name for the folder.

Field

Description

Required

Mapping by tags

Cortex also supports mapping entities to ClickUp .

Field

Description

Required

Specify a list for Initiative issues

You can also specify a ClickUp list to store all issues created via Cortex Initiatives. If Use list defined in entity YAML is toggled on in the Initiative issue creation form, Cortex will automatically create tasks in the specified list for a given entity.

If a list is not specified in an entity's YAML and Use list defined in entity YAML option is toggled on in the initiative issue creation form, Cortex will attempt to create a list in the mapped space or folder above.

Define one of these following blocks in an entity descriptor to specify a list for Initiative issues.

Specify list by ID

Field

Description

Required

Specify list by name

Identity mappings

Cortex maps email addresses in your ClickUp instance to email addresses that belong to team members in Cortex. When is set up, users will be able to see their personal on-call status from the developer homepage.

Note that mapping options will not appear in Cortex for users who have not finished user registration in ClickUp. If a user is partially registered, Cortex will filter them out of the mapping page.

Using the ClickUp integration

Entity pages

Integrations - ClickUp

Tasks detected from your ClickUp instance will populate on the Issue tracking page in the entity's sidebar. Each row will show the following information (when available in ClickUp):

Task name (hyperlinked to task in ClickUp)
Project
Assignees
Priority

Initiatives

Initiatives allow you to set deadlines for specific rules or a set of rules in a given Scorecard and send notifications to users about upcoming due dates.

From the Issues tab of an Initiative, you can automatically .

Dev homepage

The ClickUp integration enables Cortex to pull information about tasks into the Dev homepage. You can find open tasks assigned to you under the .

Issues are refreshed every 5 minutes, or you can click Refresh ClickUp tasks to manually refresh issues.

Scorecards and CQL

With the ClickUp integration, you can create Scorecard rules and write CQL queries based on ClickUp tasks.

See more examples in the in Cortex.

List of ClickUp tasks

Get ClickUp tasks meeting the given filter criteria.

Assignees
Created at

View integration logs

This feature is available to Cortex cloud customers.

On the integration settings page, click the Logs tab to view logs from the last 7 days. Learn more in .

Create a task from an Initiative issue

Initiatives allow you to set deadlines for specific rules or a set of rules in a given Scorecard and send notifications to users about upcoming due dates. You can create a ClickUp task from a failing rule in an Initiative. Learn more in .

The issue configuration will apply to all entities that meet the filter criteria. Once an entity is passing the rule, Cortex will automatically close the associated ticket.

Background sync

Cortex conducts a background sync of ClickUp identities every day at 10 a.m. UTC. Pull requests and issues are refreshed every 5 minutes.

Still need help?

The following options are available to get assistance from the Cortex Customer Engineering team:

Email: , or open a support ticket in the in app Resource Center
Slack: Users with a connected Slack channel will have a workflow added to their account. From here, you can either @CortexTechnicalSupport or add a :ticket: reaction to a question in Slack, and the team will respond directly.

Don’t have a Slack channel? Talk with your Customer Success Manager.

Microsoft Teams

Microsoft Teams is a communication and collaboration platform designed to promote greater productivity through messaging and file-sharing tools.

Integrating Microsoft Teams with Cortex allows you to:

Quickly find the relevant MS Teams channel to communicate with the right team, allowing for easier collaboration on projects and faster communication during an incident
- MS Teams channels appear in the "Owners" block on entity details pages.
Receive actionable directly in MS Teams for Scorecard changes, upcoming Initiatives, weekly summaries of entity performance, and more
Create that enforce standards such as having an MS Teams channel set for projects

How to configure Microsoft Teams with Cortex

This page describes how to integrate Microsoft Teams with Cortex cloud. If you're using a self-managed Cortex instance, you'll need to follow a manual configuration process to use Cortex's app for Microsoft Teams. Follow the .

Step 1: Configure the integration in Cortex

In Cortex, navigate to the .
1. Click Integrations from the main nav. Search for and select Microsoft Teams.
Click Add configuration.

Permission

Requirements

Description

After authenticating, you will be redirected to the Microsoft Teams integration settings page in Cortex. In the upper right corner of the page, click Test configuration to ensure Microsoft Teams was configured properly.

Step 2: Install the Cortex app for Teams through Microsoft AppSource

On the in Cortex, click the link.
In AppSource, click Get it now. You will be redirected to a page where you can choose whether to download a desktop app or use the web app.

Step 3: Configure a setup policy for Cortex in Teams

MS Teams admins can configure a setup policy for Cortex, can choose whether to automatically download the Cortex app into the personal Teams environments for users, and can choose to pin the app to make it more easily accessible.

If admins do not add a policy to install the Cortex app, then users will need to download the app during setup.

Navigate to the Teams under Teams app > Setup policies.
Click Add to start configuring a setup policy for the Cortex app.
After configuring a policy, navigate to the Installed apps section. Add the Cortex app here.

Limitations

Cortex does not automatically discover MS Teams channels based on a so you must as described below.

How to connect Cortex entities to Microsoft Teams

In order to use this integration's functionality, your MS Teams channels need to be associated with entities in Cortex. Cortex does not automatically discover channels for MS Teams, so you must define them in the .

Editing the entity descriptor

To associate a Microsoft Teams channel with an entity, define a x-cortex-microsoft-teams block in an as shown in the example below.

Defining a Teams channel will provide in Cortex.

Field

Description

Required

Using the Microsoft Teams integration

Viewing Microsoft Teams information across Cortex

: After MS Teams channels are defined in an entity's YAML, MS Teams channels will appear at the top of an entity's overview page in the MST channels block. Channels are also listed in the "Owners" page in an entity's sidebar. You can click any channel name to go directly to that channel in Microsoft Teams.\
You can write CQL queries and Scorecard rules based on Microsoft Teams channels. Learn more under .

Managing Microsoft Teams notifications

After configuring the Microsoft Teams integration, you can choose whether to allow Microsoft Teams notifications for your workspace.

In Cortex under Settings > Notifications, an admin or a user with the Configure workspace notification settings permission can enable or disable the option to receive notifications via MS Teams for each type of notification. Users can also adjust their to control which notifications they receive via MS Teams.

Team, user, and entity MS Teams notifications

Notifications are . DMs and channel notifications are sent from the Cortex app.

User-based notifications are sent to users via a DM from the Cortex app.
Team-based notifications are sent to the MS Teams channel associated with a team.
Entity-based notifications are sent to the MS Teams channel associated with an entity.

Learn more about notifications in the .

Scorecards and CQL

With the Microsoft Teams integration, you can create Scorecard rules and write CQL queries based on Microsoft Teams channels.

See more examples in the in Cortex.

Check if Microsoft Teams channel is set

Checks if a given entity has a registered Teams channel in its entity descriptor.

Definition: microsoftTeams (==/!=) null

Example

For a Scorecard focused on team operations, you can make sure that each team entity has registered a Microsoft Teams channel:

Number of Microsoft Teams channels

Counts the number of Microsoft Teams channels for a given entity.

Channel name
Team name

Total number of members across Microsoft Teams channels registered for the entity

Counts the total number of members across all Microsoft Teams channels registered for a given entity.

Channel name

View integration logs

This feature is available to Cortex cloud customers.

On the integration settings page, click the Logs tab to view logs from the last 7 days. Learn more in .

Privacy Policy

We will retain basic Microsoft Teams metadata like user IDs for the period necessary to fulfill the purposes outlined in our unless a longer retention period is required or permitted by law, or where the Customer Agreement requires or permits specific retention or deletion periods.

Still need help?

The following options are available to get assistance from the Cortex Customer Engineering team:

Email: , or open a support ticket in the in app Resource Center
Slack: Users with a connected Slack channel will have a workflow added to their account. From here, you can either @CortexTechnicalSupport or add a :ticket: reaction to a question in Slack, and the team will respond directly.

Don’t have a Slack channel? Talk with your Customer Success Manager.

Defining ownership

Ownership is a core use case of Cortex, as many organizations seek to establish accurate ownership of services, data, and other entities. Accurate ownership is foundational for accountability, incident response, security reviews, compliance, and developer productivity. Without clear ownership, critical issues can go unresolved and services can fall through the cracks.

Avoid inefficient manual processes: Use Cortex's ownership prediction model to solve entity ownership quickly. Cortex automatically predicts entity owners so your developers don't waste time hunting down the wrong person.

Ownership can be defined by accepting Cortex's automated recommendations for ownership, pulled in from third-party integrations, or defined manually in the Cortex UI. Ownership can also be inherited from an entity's fallback or append configuration.

Ownership drives which users will receive from Cortex, including alerts for on-call changes, when is needed on an assigned entity, when an entity is re-evaluated and its Scorecard changes, and more.

Where to view entity owners

When viewing an entity, the owners appear in the metadata bar on the right side of the page:

Click into the team name to view the team's entity page, including a list of members and a list of entities owned by that team.

You can who will be defined as owners for your entities.

View entities without owners

There are a few ways to determine which of your entities in Cortex don't have owners assigned yet:

Use the to see unowned entities and Cortex's automated recommendations for owners
- Learn more about below.
View the , which lists unowned entities

Define owners for entities

Types of owners

You can define owners based on:

A team: The user is a member of a team that is listed as the owner of an entity.
- We recommend setting up teams as owners. If you link a group in your YAML file from a different platform (such as Okta), the members of the team will be automatically updated in Cortex if anyone leaves your organization and is removed from your integrated identity provider.
A user email address: The user is listed as the owner of an entity.

Methods for defining ownership

Owners can be defined:

By accepting Cortex's automated recommendations for owners, based on repository activity
By pulling information from third-party integrations in the
- Ownership can also be inherited via .

Cortex automated recommendations for ownership

Research preview

Not seeing the results you expect? This is an early version of the Ownership tool. Please send feedback and bug reports to us . Note the following considerations:

Ownership inheritance

Instead of defining ownership individually for every entity in your catalog, you can define ownership at the parent entity level and have that pass down to all of the entity's children. You can configure this in the Cortex UI while entity and adding owners to it, or while .

inheritance can also be defined in the entity descriptor under the x-cortex-owners block, as shown in the example below:

The inheritance type for each owner can be one of APPEND, FALLBACK, or NONE. If not set, inheritance is defaulted to NONE.

APPEND: This owner is appended to the list of owners for all child entities.
FALLBACK: In the case where a child has no valid owners, including fallbacks, this fallback will be assigned as the owner. Note that this only applies to a child entity down the hierarchy; it is not the fallback for the parent domain itself.
NONE

Automatic discovery for AWS

Cortex can automatically discover ownership for your AWS resources using their owner tag. To enable this, make sure that your AWS resources have an owner tag matching the x-cortex-tag of the corresponding Cortex team and enable the Sync ownership from AWS toggle in .

You can pull in all resources from AWS, and Cortex syncs those owners automatically based on their tags in AWS, allowing you to easily keep the resource owners up to date.

Cortex syncs ownership from AWS every day at 6 am UTC.

Remove incorrect owners

To remove incorrect ownership in Cortex, the steps depend on how the ownership was added and your current configuration. Expand the tile below to learn more.

Remove incorrect ownership

If ownership was set via YAML (x-cortex-owners):

Update the x-cortex-owners block in your YAML to reference only the correct teams or individuals. Ensure that all referenced teams actually exist in Cortex.

Viewing entity ownership

View your owned entities

See entities you own directly:

To see a list of entities you own directly, navigate to then click the Mine tab:

Child team visibility

See your enties and entities owned by your team's child teams:

To see a list of entities you own directly and entities that are owned by your team's child teams:

Navigate to .

View a team's owned entities

You can filter the entity list by owner:

Under , click the All tab.
In the upper right corner, click Filter.

View entities owned by all teams within a hierachy

View entites owned by the parent and children teams:

Teams can exist within hierarchies. You can view a list of all entities that are owned by the parent team and all children teams in the hierarchy:

Navigate to the parent team's page in Cortex.

Ownership settings in Cortex

Under , there are several settings relating to teams. Read more about these in the .

Datadog

Datadog is an application performance monitoring platform that provides real-time observability into entities, servers, databases, and tools, providing developers with a comprehensive understanding of their infrastructure as well as the ability to identify areas for improvement.

Cortex is uniquely equipped to augment Datadog's tools, providing greater visibility into your entities. In this guide, you'll learn how to set up the Datadog integration to pull in services and metrics for entities:

Monitors
SLOs
Dependencies

How to configure Datadog with Cortex

Prerequisites

Before getting started, make sure you have created the following:

- You can create this in Datadog under Organizational Settings > Applications Key.
- Include the following scopes:

Configure the integration in Cortex

In Cortex, navigate to the .
- Click Integrations from the main nav. Search for and select Datadog.
Click Add configuration.

After saving your configuration, you are redirected to the Datadog integration settings page in Cortex. In the upper right corner of the page, click Test configuration to ensure Datadog was configured properly.

Configure the integration for multiple Datadog accounts

The Datadog integration has multi-account support. You can add a configuration for each additional by repeating the process above.

Each configuration requires an alias, which Cortex uses to correlate the designated with registrations for various entities. Registrations can also use a default configuration without a listed alias. You can edit aliases and default configurations from the Datadog page in your Cortex settings. Select the edit icon next to a given configuration and toggle Set as default on. If you only have one configuration, it will automatically be set as the default.How to connect Cortex entities to Datadog

How to connect Cortex entities to Datadog

Tag discovery

By default, Cortex will use the (e.g. my-entity) as the "best guess" for Datadog tag. For example, if your Cortex tag is my-entity, then the corresponding tag in Datadog should also be my-entity.

If your Datadog tags don’t cleanly match the Cortex tag, you can override this in the Cortex entity descriptor.

Import entities from Datadog

See the for instructions on importing entities.

Editing the entity descriptor

You can use service tags to connect Datadog services to Cortex entities.

Field

Description

Required

These tags are used to "discover" your monitors and SLOs. Cortex will find monitors and SLOs by querying tag:value OR tag:value2 ...

If you want to hard code and/or override discovery, you can define a monitor or SLOs block in the entity descriptor, as described below.

Monitors and SLOs

Adding monitors let you see information about their current status directly from a catalog - via the Monitors column - and under the Operations section of an entity page. You can find your monitors from Datadog's .

The ID of a monitor is found in the URL when you click on a monitor in your Datadog dashboard i.e., https://app.datadoghq.com/monitors/****.

Like monitors, Datadog SLOs can be found in the Operations section of an entity page. You can find the SLOs for your instance on Datadog's .

The ID for the SLO can be found in the URL when you click on an SLO in the Datadog dashboard. For example, https://app.datadoghq.com/slo?slo_id=****&timeframe=7d&tab=status_and_history.

Monitors and SLOs have the same field definitions.

Field

Description

Required

Dependency mapping

Cortex automatically syncs dependencies from Datadog's , using the entity identifier (x-cortex-tag) to map entities found in the Service Map.

The relationships Cortex discovers through the integration will feed directly into the , so you can easily visualize the connections between your entities.

If you have two entities - for example, entity-one and entity-two - that have a dependency edge in Datadog's Service Map, both entities should exist in Cortex with the same identifiers ().

You can override this by where tag = entity and value = entity name in Datadog Service Map.

If the Cortex tag does not exactly match the entity identifier in Datadog, the dependencies will not automatically sync. You can override automatic discovery by defining values in the entity descriptor.

You can connect an APM service for dependency mapping in the entity descriptor:

Using the Datadog integration

View Datadog monitors and SLOs on entity pages

With the Datadog integration, you'll be able to find monitors and SLOs on an entity's home page. High-level information about monitors and SLOs appears in the Overview tab.

Click Monitoring in the entity's sidebar to see more detailed data about both monitors and SLOS. Both sections display tags for Pass, Fail, Warning, and No Data for each monitor or SLO.

The SLOs column shows each SLO, its target(s), the current value for that entity, its status. and the period of time the SLO is being calculated for. For example, if the time listed is "7 days ago," then the SLO is looking at the time range starting 7 days ago to now..
The Monitors column shows the title for each monitor, its query (if available), and its status.

Clicking any block with a nonzero value will open a modal with more detailed information. The monitor modals will list all monitors with the applicable status. The SLO modals will also display targets for each SLO that is passing or failing.

Scorecards and CQL

With the Datadog integration, you can create Scorecard rules and write CQL queries based on Datadog metrics, monitors, and SLOS.

See more examples in the in Cortex.

You can read more about Datadog's and in their docs.

Metrics

from Datadog.

Metric
Timestamp

Monitors

Monitors associated with a given entity via ID or tags. You can use these data to check whether an entity has monitors associated with it, or whether an entity has the right types of monitors.

Created at
Creator email

SLOs

SLOs associated with a given entity via ID or tags. You can use these data to check whether an entity has SLOs associated with it and if those SLOs are passing.

History
ID

Discovery audit

Cortex will pull recent changes from your Datadog environment into the . Here, you can find new entities in Datadog that have not been imported into the catalog - these will have the tag New APM Resource - as well as entities in the catalog that no longer exist in Datadog - these will have the tag APM Resource Not Detected.

View integration logs

This feature is available to Cortex cloud customers.

On the integration settings page, click the Logs tab to view logs from the last 7 days. Learn more in .

Background sync

The dependency sync runs automatically each day at 12 a.m. UTC, and can be run manually via the in the .

FAQs and troubleshooting

Can I set a Scorecard rule to monitor Datadog monitors/SLOs based on tags?

Yes, you can that allow Cortex to discover your SLOs and monitors, and use these tags in Scorecard rules.

How does Datadog work with other dependency sources?

When leveraging multiple dependency sources such as Datadog and a catalog entity's YAML, all the sources would be merged together and Cortex will de-duplicate the dependencies.

For example, if an entity YAML indicates X → Y and Datadog indicates X → Y and X → Z, the entity will display two edges presented as X → Y and X → Z.

Workday

Workday is cloud-based enterprise software that unifies finance and workforce management in a single platform. Integrate Workday with Cortex to manage teams and hierarchies, enforce ownership, and drive operational excellence.

How to configure Workday with Cortex

Step 1: Generate an ownership report in Workday

Depending on how you want to manage teams and the corresponding hierarchy, you can choose one of the following options:

Manage teams based on Workday supervisory organizations
Manage teams based on Workday teams

The required fields in the report differ depending on which option you choose. See the tabs below for instructions.

Your report will need the following fields:

email: Email address for employee. Use the same address that employees will use to access Cortex.
employeeId: Unique ID for each employee.

Step 2: Configure the integration in Cortex

In Cortex, navigate to the :
- Click Integrations from the main nav. Search for and select Workday.
Click Add configuration.

Step 3: Configure the report mappings

After saving the configuration, you can configure how you want the fields to map to different elements in Cortex. The options available in each dropdown menu will mirror the fields included when generating the ownership report.

Configure the mappings:
- Employee Attributes: Map report fields that pertain to employees, including the following:
  - Employee ID

Configure the hierarchy fields for auto-importing Workday teams

If you choose to , you must also configure the hierarchy fields mappings:

Field on parent team: The value selected becomes a parent team for value selected in Field on child team.
Is List: Toggle on when an entry for the parent field is a parent to multiple teams.
Field on child team: The value selected is defined as child team.

Note that you must in order to import hierarchies.

How to connect Cortex entities to Workday

Discovery

By default, Cortex will use the (e.g. my-entity) as the "best guess" for Workday team. For example, if your Cortex tag is my-entity, then the corresponding name in Workday should also be my-entity.

If your Workday teams don’t cleanly match the Cortex tag, you can override this in the Cortex entity descriptor.

Note: The team name is case-sensitive and should be exactly the same as in the report's teamDisplayName or teamName field.

Automatic import of teams

You can choose to automatically import discovered teams and team relationships from Workday into Cortex. Before enabling auto import, make sure your Workday report includes the managerEmail field to ensure that team relationships are imported.

Navigate to in Cortex.
Under Enabled identity providers, make sure the box is checked next to Workday.
Under Enable auto import of teams, click the toggle next to Auto import teams to turn this setting on.

The next automatic import will occur when the background at 9 a.m. UTC.

If an entity already exists with a tag that matches the tag of a Workday team that you are importing, Cortex automatically adds a -team suffix to the Workday team's .

For example, if payments exists as a Cortex tag in Cortex, then you import a Payments team from Workday, Cortex will import the team's tag as payments-team.

Manually trigger team import

You can also manually trigger this sync:

Navigate to in Cortex.
Click Create team.
In the upper left corner, click Sync teams.

Entity descriptor

Field

Description

Required

Using the Workday integration

Entity pages

Once the integration is set up, Cortex will automatically import and structure your team hierarchy. Any teams imported from Workday will appear with a description: "Automatically created by Cortex".

On each team's details page, any team members Cortex detects will populate under the Members tab. If you included the "Role" field in your Workday report, members' roles will appear in a badge next to their names.

Scorecards and CQL

All ownership details

A special built-in type that supports a null check or a count check, used to enforce ownership of entities.

Definition: ownership: Ownership | Null

Example

An initial level in a security Scorecard might include a rule to ensure an entity has at least one team as an owner:

All owner details

List of owners, including team members and individual users, for each entity

Definition: ownership.allOwners()

Example

The Scorecard might include a rule to ensure that entity owners all have an email set:

Team details

List of teams for each entity

Definition: ownership.teams(): List<Team>

Example

The Scorecard might include a rule to ensure that an entity owners all have a description and are not archived:

View integration logs

This feature is available to Cortex cloud customers.

On the integration settings page, click the Logs tab to view logs from the last 7 days. Learn more in .

Background sync

Cortex syncs teams from the report every day at 9 a.m. UTC.

You can sync teams manually at any time by clicking the Sync teams for Workday button from in Cortex. Doing so will not auto-import teams.

Limitations

Cortex does not support hierarchies with cycles. For example, let's say Employee A is on the platform team, Employee B is on the frontend team, and both report to Manager C on the engineering team. If Manager C reported to someone on the platform team, that would create a cycle between the platform and engineering teams.

Still need help?

The following options are available to get assistance from the Cortex Customer Engineering team:

Email: , or open a support ticket in the in app Resource Center
Slack: Users with a connected Slack channel will have a workflow added to their account. From here, you can either @CortexTechnicalSupport or add a :ticket: reaction to a question in Slack, and the team will respond directly.

Don’t have a Slack channel? Talk with your Customer Success Manager.

SonarQube

SonarQube is an open-source platform that empowers developers to write clean and safe code by continuously inspecting code quality and reviewing for bugs, vulnerabilities, and code duplication.

Integrating SonarQube with Cortex allows you to:

Pull in code smells, bugs, code coverage, vulnerabilities, and custom metrics on entity details pages
Create Scorecards that track progress and drive alignment on projects involving your SonarQube projects

This integration is supported for both SonarQube Server and SonarQube Cloud.

How to configure SonarQube with Cortex

Self-hosted prerequisites

If you’re using a self-hosted instance of SonarQube, you’ll need to verify that your Cortex instance is able to reach the SonarQube instance.

If you're unable to directly allowlist our static IP, you can route requests through a secondary proxy in your network that has this IP allowlisted and have that proxy route traffic to your SonarQube instance.

Configure the integration

There are two options for integrating SonarQube: the default configuration method and Cortex Axon Relay, a relay broker allows you to securely connect your on-premises SonarQube data.

Configure SonarQube with the default method

Prerequisites

Before getting started, create a SonarQube user token:

Integrate via custom webhook

If you’re unable to expose your SonarQube instance to be reachable by Cortex, you can set up a . To learn more about SonarQube webhooks, visit their .

How to connect Cortex entities to SonarQube projects

Discovery

By default, Cortex will use the (e.g. my-entity) as the "best guess" for SonarQube component key. For example, if your Cortex tag is my-entity, then the corresponding component key in SonarQube should also be my-entity.

If your SonarQube component key doesn't cleanly match the Cortex tag, you can override this in the Cortex entity descriptor.

If you’re using build-system tooling to push analysis to SonarQube, the plugin (e.g. Gradle, Maven) may be automatically generating a project key that’s different from the repo name.

Connect entities via YAML or the Cortex UI

Connect SonarQube entities via the Cortex UI

Navigate to an in Cortex.
In the upper right corner, click Configure entity.

Cortex only supports one SonarQube project per entity.

Using the SonarQube integration

View SonarQube data on entity pages

Once the integration is established, data from SonarQube will be available in the Code & security page in an as well as under the Overview tab. You can pull in data on code smells, bugs, code coverage, vulnerabilities, and any custom metrics available through Sonar. You can read more about metric definitions in Sonar's .

Metrics
- Complexity
- Duplications

Scorecards and CQL

With the SonarQube integration, you can create Scorecard rules and write CQL queries based on SonarQube projects.

See more examples in the in Cortex.

Analysis freshness

Duration since the last analysis was uploaded to SonarQube for a given project (with granularity of days).

Definition: sonarqube.freshness()

Example

For a Scorecard focused on operational readiness, you can use this expression to evaluate the freshness of static analysis metrics from SonarQube.

This rule checks that an analysis has been uploaded to SonarQube within the past week, which developers can use to make sure the metrics being pulled aren't stale.

Metric

Query metrics generated by static analysis of your projects and sent to SonarQube:

Alert status
Bugs

Project existence

SonarQube project exists for an entity.

Definition: sonarqube != null

Example

For a Scorecard focused on operational readiness, you can write a rule to make sure an entity has an associated SonarQube project.

Because having a SonarQube project set would be key for an entity to be evaluated via other SonarQube-related expressions, this rule would make sense in a Scorecard's initial level.

Issues

Query issues identified by static analysis of your projects and sent to SonarQube, including bugs, vulnerabilities, code smells, and more. If the statuses are not filled in, they will default to "OPEN" and "REOPENED" statuses to prevent fetching of resolved issues.

Sonar recommends targeting 0 new issues.

Definition: sonarqube.issues("<types>", "<rules>", "<severities>", "<statuses>", "<lookback>"): List<SonarqubeIssue>

Example

View integration logs

This feature is available to Cortex cloud customers.

On the integration settings page, click the Logs tab to view logs from the last 7 days. Learn more in .

FAQs and troubleshooting

Does Cortex support SonarCloud?

Yes. You can integrate with SonarCloud by following the same steps as integrating with SonarQube. In the URL field, use your https://sonarcloud.io/ URL. You can also use multi-account support to add a self-hosted or SonarCloud instance by adding the URL for that instance during configuration.

I’m seeing “Socket timed out when trying to connect to SonarQube” for all of my entities in Scorecards.

This means that Cortex is unable to talk to your SonarQube instance. Make sure that your instance is running and accessible to Cortex.

I’m using Gradle and I’ve verified that my project is in SonarQube, but Cortex is still showing me an error.

Gradle automatically generates a project key which is equal to [$:]$. As a result, automatic discovery won’t work. You’ll need to override the project key in your Cortex .

My project is in Sonar and Cortex is able to talk to SonarQube, but my score isn’t showing up.

Try the following troubleshooting steps:

Make sure the project key in your YAML is exactly the same as the key in SonarQube.
Verify that the scores are in the “default branch” in SonarQube. If your scores are showing up in a branch-a in SonarQube, but your SonarQube default branch is main, Cortex will not be able to retrieve the scores.
Run the following curl command and verify there are metrics showing up in the response:

What if I want to send custom data, but I don't have control over the integration touchpoint?

If you don't have control of or access to the integration touchpoint (for example, if you're using a SonarQube notification webhook) you'll want to use the API to send custom data. You can find information on sending data to a custom data webhook .

Why might I see the SonarQube connection error `Component key not found`?

For SonarQube (and all integrations), Cortex will map the Cortex tag defined in the cortex.yaml for a given entity. For SonarQube specifically, the tag must exactly match the project ID in SonarQube. If these are not one-to-one, we recommend using the override detailed above to define the proper mapping for project ID and entity name.

Why might I see the error `Sonarqube: Fail to request url` on my integration page or a `validity check failed` error while creating a Workflow?

This can happen if your external DNS certificate expired. Ensure that any certificates you're using are valid.

Still need help?

The following options are available to get assistance from the Cortex Customer Engineering team:

Email: , or open a support ticket in the in app Resource Center
Slack: Users with a connected Slack channel will have a workflow added to their account. From here, you can either @CortexTechnicalSupport or add a :ticket: reaction to a question in Slack, and the team will respond directly.

Don’t have a Slack channel? Talk with your Customer Success Manager.

Kubernetes

Kubernetes is a container orchestration system that automates software deployment, scaling, and management. The Cortex K8s agent is a lightweight agent that collects information from your cluster (Deployments, StatefulSets, Argo Rollouts, and CronJobs) and surfaces it in your Cortex workspace's catalog, Scorecards, and more.

Integrating Kubernetes with Cortex allows you to:

Discover and import services directly from K8s clusters into Cortex, making it easy to keep the catalog in sync with what's actually running in production
View Kubernetes data on entity pages in Cortex, giving you visibility into your infrastructure and how services are deployed
Create to track progress and drive alignment on projects relating to Kubernetes, and to enforce Kubernetes best practices

How to configure Kubernetes with Cortex

Prerequisites

Before getting started:

for the Helm chart used for deployment and a username and password.
in Cortex.
- The API key should have the User (edit catalog entities) role at a minimum.

Security considerations

The Cortex k8s agent uses a push model that ensures you do not need to expose your cluster to the public internet.

Additionally, the Helm chart comes with a predefined ClusterRole that provides the correct RBACs:

Permissions: ["get", "watch", "list"]
Resources: ["deployments", "services", "pods", "replicationcontrollers", "statefulsets", "rollouts", "cronjobs"]
API groups: ["apps", "argoproj.io", "batch"]

Communication out of the cluster to Cortex happens over HTTPS. There is no inbound traffic to the agent.

Install the Cortex k8s agent in your Kubernetes cluster

To connect Cortex to your Kubernetes instance, you’ll need to install the Cortex k8s agent in your Kubernetes cluster. The agent is lightweight and adds negligible impact to your cluster.

Create a Docker image pull secret:
Run the following command, replacing cortex-key with the value of your Cortex API key, to create a secret in your cluster:
Run the following command to install the Helm chart provided by Cortex:

Connecting Cortex entities to Kubernetes

Discovery

By default, Cortex will use the (e.g. my-entity) as the "best guess" for Kubernetes resource. For example, if your Cortex tag is my-entity, then the corresponding resource in Kubernetes should also be my-entity.

If your Kubernetes resource don’t cleanly match the Cortex tag, you can override this in the Cortex entity descriptor.

Methods for mapping Kubernetes resources

See the table below for the methods of mapping resources to entities:

Method

Use case

Action

See the tabs below to learn how to use each option:

Annotation

You can link your Kubernetes deployment to a Cortex entity by to your k8s deployment metadata. By default, Cortex maps Kubernetes deployments with a cortex.io/tag annotation to Cortex entities with the same tag.

Use cortex.io/tag as the key and use the value of x-cortex-tag in the Cortex entity's cortex.yaml as the value.

For example, if the cortex.yaml file is:

Import entities from Kubernetes

See the for instructions on manually importing entities.

Using the Kubernetes integration

View Kubernetes data on entity pages

Kubernetes deployment data will be available in the Kubernetes block on the for entities imported from Kubernetes or linked to a k8s resource.

In the entity's sidebar, click Environments to see Kubernetes deployments, clusters, active replicas, and pending deployments, as well as:

Replicas: Number of available, ready, and desired replicas.
Containers: Resource containers, including requested memory, memory limit, and CPU data. Also includes the full container definition.

Scorecards and CQL

With the Kubernetes integration, you can create Scorecard rules and write CQL queries based on Kubernetes resources. For an example, see Cortex's prebuilt template.

See more rule examples in the in Cortex.

Cluster information

Data about k8s clusters associated with a given entity.

Definition: k8s.clusters()

Examples

You can use the k8s.clusters() expression in the Query Builder to find all clusters that start with "dev":

Deployment labels

Checks deployment metadata.

Definition: k8s.metadata()

Examples

You can use this expression in a production readiness Scorecard to check ownership:

This rule checks an entity's metadata labels for the ownership annotation and will pass if "ownership_team" is defined.

K8s resource is set for entity

Checks whether a k8s resource of any type is associated with an entity.

Definition: k8s != null

Example

For a Scorecard focused on automation or development maturity, you can set a rule to make sure a k8s resource is mapped:

Kubernetes spec YAML

The periodically sends the raw spec definitions for all entities. The spec JSON is equivalent to the root spec field of the entity descriptor (deployments, StatefulSet, etc.) and fully conforms to that format.

You can find the official documentation for these resource objects in the .

You can use this list of JSON specs combined with jq or to write complex assertions such as "all resources must have specific annotations set" or "all containers should have a CPU resource limit defined."

The list of JSON specs can also be filtered to only ones in a specific cluster by specifying the cluster name: k8s.spec("prod")

Replica information

Number of replicas available, current, desired, ready, unavailable, or updated.

Definition: k8s.replicas()

Example

You can use this expression in a development maturity Scorecard to make sure an entity has at least two available instances:

Background sync

The Cortex k8s agent is a cron job that runs every 5 minutes by default.

FAQs and troubleshooting

When I try to import entities, I don't see all the supported workload types (deployments, ArgoCD rollout, StatefulSet, CronJob)

Make sure that the types you expected to see are in the cluster you are attempting to import.

Missing namespaces from Kubernetes discovery

If you're using to import entities into Cortex but don't see all expected namespaces during the import process, make sure app.namespace is commented out in values.yaml:

If app.namespace is defined the Cortex k8s agent will only be able to discover services from that namespace. This behavior can be confirmed with a backend log similar to:

Once app.namespace is commented out, restart your pods. You will then be able to see all expected namespaces when importing new services.

Helm chart and deprecated Kubernetes Docker registry

If your Cortex agent in Kubernetes clusters is blocked due to deprecation of Docker registry after an upgrade, you can make these direct edits using the same credentials:

Access the image from ghcr.io instead of docker.pkg.github.com.
Update the registry secret, setting the server to https://ghcr.io.

If you are unable to make these changes, please reach out to [email protected] and request a new Helm chart with this change already reflected.

Failing ArgoCD rollouts error in the k8s agent

When running the self-hosted Kubernetes agent successfully, users may see failing ArgoCD rollouts errors while not using this tool.

Cortex logs this exception for verbosity - this error is harmless if not using ArgoCD tool.

Can I deploy on prem if I don’t use Kubernetes?

Yes - the Cortex Helm chart deploys two Cortex-specific pods from images for the frontend and backend, as well as a data store. You can use these images to run Docker containers on other platforms, such as ECS.

Still need help?

The following options are available to get assistance from the Cortex Customer Engineering team:

Email: , or open a support ticket in the in app Resource Center
Slack: Users with a connected Slack channel will have a workflow added to their account. From here, you can either @CortexTechnicalSupport or add a :ticket: reaction to a question in Slack, and the team will respond directly.

Don’t have a Slack channel? Talk with your Customer Success Manager.

New Relic

New Relic is a performance tracking and analytics tool that helps engineers gain visibility into their software. Integrating New Relic with Cortex allows you to:

Discover entities and track ownership
View SLO and monitoring information on entity pages in Cortex
Embed New Relic dashboards on entity pages in Cortex
Create Scorecards to drive alignment on projects involving New Relic metrics

How to configure New Relic with Cortex

Prerequisite

Before getting started:

As a full platform user in New Relic, create a .
- New Relic user keys are linked to the account they were created from, so if this account is ever deleted, the integration with Cortex will stop working.

Configure the integration in Cortex

In Cortex, navigate to the :
1. Click Integrations from the main nav. Search for and select New Relic.
Click Add configuration.

Once you save your configuration, you'll see it listed on the integration's settings page in Cortex. If you’ve set everything up correctly, you’ll see the option to Remove Integration in Settings.

You can also use the Test all configurations button to confirm that the configuration was successful. If your configuration is valid, you’ll see a banner that says “Configuration is valid. If you see issues, please see documentation or reach out to Cortex support.”

Cross-account access

After setting up the integration, you will be redirected to the where you can enable the cross-account access feature. If you have an account that supports subordinate accounts, you can enable this setting to fetch applications and SLOs for all the accounts that are under the configured one.

Configure the integration for multiple New Relic accounts

The New Relic integration has multi-account support. You can add a configuration for each additional by repeating the process above.

Each configuration requires an alias, which Cortex uses to correlate the designated with registrations for various entities. Registrations can also use a default configuration without a listed alias. You can edit aliases and default configurations from the New Relic page in your Cortex settings. Select the edit icon next to a given configuration and toggle Set as default on. If you only have one configuration, it will automatically be set as the default.

How to connect Cortex entities to New Relic

Auto discovery

There are two ways to auto-map New Relic applications and services to Cortex entities:

By default, Cortex will use the (e.g. my-entity) or its name as the "best guess" for New Relic applications. For example, if your Cortex tag is my-entity, then the corresponding application in New Relic should also be my-entity. The name is not case-sensitive.
- If your New Relic applications don’t cleanly match the Cortex tag or name, you can override this in the Cortex entity descriptor.

Note: Cortex does not support auto-mapping of SLOs. SLOs have to be defined via the entity YAML or attached to a mapped application or service.

Dependencies

Cortex automatically maps dependencies between your entities by utilizing New Relic's data.

Say you have two applications in NewRelic (Application A and Application B), and in the service map Application A calls Application B. In Cortex you have two Entities (Cortex Entity A and Cortex Entity B), where Cortex Entity A is mapped to New Relic Application A and Cortex Entity B is mapped to New Relic Application B. Cortex will take the mapped relationship from Application A to Application B and create a dependency from Cortex Entity A to Cortex Entity B.

Import entities from New Relic

See the for instructions on importing entities.

Editing the entity descriptor

APM services

New Relic application metrics can be fetched for each entity using application IDs or tags.

Field

Description

Required

Field

Description

Required

Instructions to find your Application ID can be found in the . You can also find the Application ID in the URL in New Relic.

You can also find information on finding and managing tags in the .

OpenTelemetry

services can be associated with the entity only using tags. For this type of service New Relic doesn't generate application ID.

Field

Description

Required

Cortex fetches OpenTelemetry data every 5 minutes, but the data refresh may take longer depending on how much data you have.

Embeds

Cortex can also embed dashboards from New Relic.

Field

Description

Required

Learn more about embedding charts in the page.

SLOs

SLO can be fetched for each entity using New Relic entity GUID for respective SLO or associated service. Detailed instructions how to obtain entity GUID can be found in .

Fetched SLO information can be found in the Operations and Integrations sections of an entity page.

Field

Description

Required

If the alias is not specified, like with the third ID above, Cortex will use the default configuration.

If you use the GUID for a parent service to define the SLOs for a given entity, Cortex will import all SLOs associated with that service.

Using the New Relic integration

View New Relic data on entity pages

When entities are tied to New Relic, SLO and monitoring information appear under the Monitoring section on the overview of the .

More data is available under the Monitoring page in the entity's sidebar:

Throughput
Response time
Error rate
Apdex target

In the SLOs section, you'll be able to see a list of all SLOs tied to that entity, the target and current SLO score, and the period of time the SLO is being calculated for. For example, if the time listed is "7 days ago," then the SLO is looking at the time range starting 7 days ago to now..

The SLO name will display in green when passing and orange when failing.

If you've defined in an entity's YAML, you'll be able to view the graphs from an entity's details page. Open the Dashboard page in the entity's sidebar. All dashboards defined in the descriptor will be embedded on this page.

New Relic dashboards must be defined individually for each entity.

Relationship graphs

detected from New Relic will appear in . You can in the Relationship Graph.

Scorecards and CQL

With the New Relic integration, you can create Scorecard rules and write CQL queries based on New Relic performance metrics.

See more examples in the in Cortex.

Application summary

Fetch high-level for a given New Relic application.

This expression enables you to score entities on reliability metrics:

Apdex score

New Relic application is set

Check if entity has a New Relic application ID set in its entity descriptor.

This can be a good companion to other rules that will fail without a defined application ID, like newrelic.applications().

Definition: newrelic (==/!=) null

Example

Raw NRQL query

Execute an arbitrary NRQL query and capture the .

This expression is not inherently tied to a single entity and requires a custom query to pull the specific data what you need. The raw JSON can be parsed using JQ or language.

Definition: newrelic.rawNrql(query: Text)

Examples

SLOs

SLOs associated with the entity via ID or tags. You can use this data to check whether an entity has SLOs associated with it and if those SLOs are passing.

SLOs

History

OpenTelemetry metrics

OpenTelemetry metrics available in the can be accessed or manipulated for a given entity by combining CQL and native query.

Accessing OpenTelemetry data with CQL and NRQL

In Cortex, you can access OpenTelemetry data by incorporating a raw NRQL query into this CQL expression with the associated .

Definition: newrelic.applications().getOrNull(0)?.guid

Example

You can execute raw NRQL query to collect average http.server.requests in a CQL report:

View integration logs

This feature is available to Cortex cloud customers.

On the integration settings page, click the Logs tab to view logs from the last 7 days. Learn more in .

Still need help?

The following options are available to get assistance from the Cortex Customer Engineering team:

Email: , or open a support ticket in the in app Resource Center
Slack: Users with a connected Slack channel will have a workflow added to their account. From here, you can either @CortexTechnicalSupport or add a :ticket: reaction to a question in Slack, and the team will respond directly.

Don’t have a Slack channel? Talk with your Customer Success Manager.

PagerDuty

PagerDuty is an incident response platform that allows developers to manage alerts, schedule rotations, define escalation policies, and more.

Integrating PagerDuty with Cortex allows you to:

Pull in PagerDuty services, on-call schedules, and escalation policies
- The on-call user or team will appear in the Current On-call block on an entity's details page.
- You can also view on-call information on an entity page in its side panel under Integrations > On-call.
directly from Cortex
Automatically surface the most vital information about entity health and metadata when an incident is triggered by using
- The On-Call Assistant automatically notifies users via Slack when an incident is triggered. The notifications include runbooks, links, dependencies, and key information about the affected entity.
View incidents from PagerDuty in an entity's event timeline
View on-call information from PagerDuty in the
Use PagerDuty metrics in to understand key metrics and gain insight into services, incident response, and more.
Create that track progress and drive alignment on projects involving your on-call schedules and alerts

How to configure PagerDuty with Cortex

Prerequisites

Before getting started:

Create a .
- When adding the API key, you have the option to set read or write permissions.

Configure the integration in Cortex

In Cortex, navigate to the :
- Click Integrations from the main nav. Search for and select PagerDuty.
Click Add configuration.

If you’ve set everything up correctly, you’ll see the option to Remove Integration in settings.

Enabling the On-call Assistant

At this stage, you can enable the Cortex On-call Assistant, which notifies users via Slack when an incident is triggered in PagerDuty. See the documentation for instructions: .

Note that On-Call Assistant will only work for since these notifications are related to affected services.

How to connect Cortex entities to PagerDuty

Discovery

By default, Cortex will use the (e.g. my-entity) or its name as the "best guess" for PagerDuty services. For example, if your Cortex tag is my-entity, then the corresponding service in PagerDuty should also be my-entity.

If your PagerDuty services don’t cleanly match the Cortex tag or name, you can override this in the Cortex entity descriptor.

Considerations for registering PagerDuty entities

Cortex recommends setting up PagerDuty at the service level by registering service entities with PagerDuty services, rather than configuring team entities with a PagerDuty schedule.

If PagerDuty is set up on a service level, you can see current on-call information listed within a given service's page. If PagerDuty is set up on the team level, you will only be able to view on-call rotation information from a team page.

Other benefits to setting up PagerDuty on a service level include:

Structuring PagerDuty 1-1 with services enables better alert routing and analytics, something that organizations struggle more with when PagerDuty is set up on a team level.
With a service-level setup, it’s easier to enforce all services to have a compliant on-call policy enacted in PagerDuty, especially when making use of Scorecards.
The service-level setup is less reliant on team members tagging incidents with service information because services and incidents are already linked.

View on-call data only

If you want to only view on-call data for entities, and you do not want incidents displayed in Cortex, you can for an entity.

Editing the entity descriptor

For a given entity, you can define the PagerDuty service, schedule, or escalation policy within the entity’s YAML. You can only set up one of these three options per entity.

Each of these has the same field definitions.

Field

Description

Required

Define a PagerDuty service

Find the service ID value in PagerDuty under Configuration > Services. The URL for the service will contain the ID, for example: https://cortexapp.pagerduty.com/services/. You can only configure one service ID per entity.

Define a schedule

Find a schedule ID in PagerDuty under People > On-call schedules. Click the desired schedule to view its ID in the URL, for example: https://cortexapp.pagerduty.com/schedules#. You can only configure one schedule per entity.

Define an escalation policy

Find the escalation policy ID in PagerDuty under People > Escalation Policies. Click the desired policy to view its ID in the URL, for example: https://cortexapp.pagerduty.com/escalation_policies#. You can only configure one escalation policy per entity.

When linking a Cortex entity to a PagerDuty escalation policy, only on-call information will be surfaced in Cortex — incidents will not be shown. This is a useful alternative for teams that want to suppress incident visibility while displaying call schedules.

You can only set up one of the three options above per entity.

Identity mappings

Cortex maps email addresses in your PagerDuty instance to email addresses that belong to team members in Cortex. When is set up, users will be able to see their personal on-call status from the developer homepage.

Using the PagerDuty integration

Entity pages

Once the PagerDuty integration is set up, you’ll be able to view current on-call information in the "on-call" block on an . In the left sidebar of an entity, click On-call & incidents to view on-call information, escalation policy, service, and incidents.

The escalation policy and PagerDuty service details are hyperlinked to the corresponding pages in your PagerDuty instance.

Click Events in an entity's sidebar to view recent events pulled in from PagerDuty.

Engineering homepage

The PagerDuty integration enables Cortex to pull on-call information into the on-call block on the . On-call data from PagerDuty is refreshed every 60 minutes.

Eng Intelligence

Cortex also pulls in metrics from PagerDuty for . This tool will display MTTR, incidents opened, and incidents opened per week.

Retrieve on-call information in Slack

If you have a Slack integration set up, you can also use the /cortex oncall to retrieve current on-call information. This feature works for both services and teams with registered PagerDuty schedules or escalation policies.

Scorecards and CQL

With the PagerDuty integration, you can create Scorecard rules and write CQL queries based on incidents, escalations, and on-call metadata.

See more examples in the in Cortex.

Check if on-call is set

Check if entity has a registered service, schedule, or escalation policy. If the service does not have any registrations in its entity descriptor, Cortex searches for PagerDuty services matching the tag defined in the entity's x-cortex-tag field.

Definition: oncall (==/!=) null

Example

For a Scorecard focused an production readiness, you can use this expression to make sure on-call is defined for entities:

Forbidden contact methods

Number of users in each entity's escalation policy with missing or forbidden contact methods.

Allowed contact methods:

"SMS"

Incident response analysis

Get detailed for each entity:

Mean assignment count
Mean engaged seconds

Incidents

Get incident data for each entity:

Assignee ID
Created at

Number of escalations

Number of escalation tiers in escalation policy.

Definition: oncall.numOfEscalations()

Example

This expression could be used in a Scorecard focused on production readiness or service maturity:

This rule checks that there are at least two tiers in an escalation policy for a given entity, so that if the first on-call does not ack, there is a backup.

On-call metadata

On-call metadata, including type, id, and name.

Definition: oncall.details()

Examples

To find all entities with a schedule-type on-call registration, you can use this expression in the Query builder:

If you're migrating on-call policies, you could use this rule to check for outdated policies. Let's say, for example, all outdated PagerDuty policies start with "Legacy" in their titles.

Trigger an incident

As described above under , a given entity can have a PagerDuty service, schedule, or escalation policy defined. Only entities with a PagerDuty service defined will include the option to trigger an incident directly from Cortex.

Your PagerDuty API key must include the write permission in order to trigger incidents from an entity.

While viewing an entity in Cortex, follow these steps to trigger an incident in PagerDuty:

In Cortex, navigate to an entity. On the left side of an entity details page, click On-call & incidents.
In the upper right side of the entity's "On-call" page, click Trigger incident.
Configure the incident modal:

View integration logs

This feature is available to Cortex cloud customers.

On the integration settings page, click the Logs tab to view logs from the last 7 days. Learn more in .

Background sync

PagerDuty performs the following background jobs:

On-call: On-call information displayed on the developer homepage is refreshed every 60 minutes.
Services and incidents: Services used for automapping and active incidents viewable in the catalog are fetched approximately every 5 minutes, or however long the refresh takes.
Users: User data for identity mapping is synced daily at 10 a.m. UTC.

Still need help?

The following options are available to get assistance from the Cortex Customer Engineering team:

Email: , or open a support ticket in the in app Resource Center
Slack: Users with a connected Slack channel will have a workflow added to their account. From here, you can either @CortexTechnicalSupport or add a :ticket: reaction to a question in Slack, and the team will respond directly.

Don’t have a Slack channel? Talk with your Customer Success Manager.

Jira

Jira is a project management tool that helps developers track and manage bugs and work items.

By integrating Jira with Cortex, you can drive improvements and coordinate issue management across teams. Through the integration, you can create Jira work items directly in Cortex based on an Initiative's action items. The integration also allows you to enhance insights into a number of key values for your entities:

Customer facing incidents
Security tickets
Ongoing projects

How to configure Jira with Cortex

It is possible to configure the integration with a Jira Cloud instance or a self-hosted Jira instance (using either basic auth or OAuth). You can also use Cortex Axon Relay to securely integrate your on-premises data. See the tabs below for instructions on each option.

Jira Cloud

Prerequisites

Before configuring Cortex with Jira Cloud:

Create a . To generate a token, you must have the Browse users and groups permissions in Jira and access to the needed Jira projects.

Configure the integration for multiple Jira accounts

The Jira integration has multi-account support. You can add a configuration for each additional by repeating the process above.

Each configuration requires an alias, which Cortex uses to correlate the designated with registrations for various entities. Registrations can also use a default configuration without a listed alias. You can edit aliases and default configurations from the Jira page in your Cortex settings. Select the edit icon next to a given configuration and toggle Set as default on. If you only have one configuration, it will automatically be set as the default.

Set a default JQL query for your Jira integration

You can set a custom JQL query for your and for . This allows you to filter which Jira work items are surfaced on entity pages or in other places in Cortex where CQL is used.

The default JQL applies to jira.issues() and jira.numOfIssues() but not to jira.rawJql().

Note that if you define additional filter logic for your default JQL query when writing a Scorecard rule, you must add that logic in a filter clause. See for more information.

Set default JQL query at a tenant level

From the in Cortex, you can set a custom JQL query for your Jira integration.

When Cortex queries for Jira work items, the statusCategory is directly grabbed from the .

The default query — statusCategory in ("To Do", "In Progress") — will filter your Jira tickets to display only those with To Do and In Progress statuses, excluding closed tickets. The indeterminate status category will map to In Progress

Fallback logic for default JQL

It is possible to set custom JQL at both the entity and tenant level, but note the fallback logic:

If any JQL is passed into a query, Cortex uses that.
If not, Cortex uses entity-level default JQL.
If not, Cortex uses tenant-wide default JQL.

Adding filter logic to the default JQL query in a Scorecard

The CQL statement will use the default JQL setting in a Scorecard rule only if you do not define additional filter logic. Any filter logic applied to the statement will override the default JQL query.

To work around this: If you need to include additional filter logic on your query in a Scorecard, you can move the filter logic to the filter clause.

For example, if your default JQL query is set to "project = project_a", then you can add jira.issues() to a Scorecard rule to automatically surface only the work items relating to Project A. However, you cannot use jira.issues(some_other_filter_logic) in a Scorecard; Cortex will not append your default JQL to the additional filter logic.

In this example, the workaround would be to add a filter clause: jira.issues().filter(some_other_filter_logic).

How to connect Cortex entities to Jira labels, components, or projects

Discovery

By default, Cortex will tie Jira tickets to entities by searching for any tickets where the label, component, or project field for the work item includes the . For example, if your Cortex tag is “my-entity,” then the corresponding tickets in Jira should have “my-entity” as a label, component, or project.

If your Jira label/component/project doesn't cleanly match the Cortex tag, you can override this in the Cortex .

Without an override, a ticket's label, component, or project must exactly match the Cortex tag in the descriptor.

Connecting via YAML or the Cortex UI

Connect Jira entities via the Cortex UI

Navigate to an in Cortex.
In the upper right corner, click Configure entity.\

Identity mappings

Cortex maps Jira accounts to team members defined in the team catalog, so you do not need to define Jira users in a team member's YAML file.

You can confirm that users' Jira accounts are connected from the .

Using the Jira integration

Entity pages

Once the integration is established, you'll be able to pull in data about the work items in any linked Jira instances for a given entity:

Number of issues: Unresolved issues associated with an entity that have the JQL status "in progress" or "to do"
Number of issues from JQL query: Issues associated with an entity that match an arbitrary JQL query

Cortex will tie Jira tickets directly to entities within the catalog. Click Issue tracking in the entity's sidebar to see associated Jira tickets.

From this tab you can find a list of all issues with a label that matches the Cortex tag.

Key: The issue key (or "ticket number") for a Jira work item.
Issue summary: Title of the Jira work item and the user designated as the issue reporter.
Assignee: User designated as the work item assignee.

This list will also be available from a team's homepage when the team's Cortex tag matches a label, component, or project in Jira.

Initiatives

Initiatives allow you to set deadlines for specific rules or a set of rules in a given Scorecard and send notifications to users about upcoming due dates.

From the Issues tab of an Initiative, you can automatically create a Jira ticket from a failing rule.

Read about creating Jira issues from Initiatives in the documentation: .

Dev homepage

The Jira integration enables Cortex to pull information about issues into the . You can find open work items assigned to you under the . The work items that display will depend both on the Jira instances you've connected and the JQL query defined in Settings.

Work items are refreshed every 5 minutes. You can use the Refresh work items button to manually refresh issues at any point.

Scorecards and CQL

With the Jira integration, you can create Scorecard rules and write CQL queries based on Jira work items.

See more examples in the in Cortex.

Issues

Number of unresolved issues associated with the entity, where unresolved is defined as the JQL status = "Open" OR status = "To Do".

Definition: jira.numOfIssues()

Example

For a Scorecard measuring entity maturity, you can use this expression to make sure entities have fewer than 3 Jira issues:

Issues from JQL query

Number of issues associated with the entity based on arbitrary JQL query.

Definition: jira.numOfIssues(jqlQuery: Text | Null)

Example

For a more specific rule in an entity maturity Scorecard, you can use this expression with a JQL query to make sure entities have no more than 3 open customer-facing tickets.

View integration logs

This feature is available to Cortex cloud customers.

On the integration settings page, click the Logs tab to view logs from the last 7 days. Learn more in .

Background sync

The runs a background job every 5 minutes to refresh the Issues tab.

FAQs and troubleshooting

I've added a Jira integration, but I'm not sure what JQL is being generated to query Jira.

When running Scorecard rules, Cortex appends AND (component = cortex-tag OR labels = cortex-tag OR project = cortex-tag) to the , where cortex-tag is the .

My Scorecard rules are failing, even though there are tickets in my Jira instance.

Make sure that the ticket has a label, component, or project that matches exactly with the Cortex tag or the list defined in your entity descriptor.

I received "Configuration error: Integration error for Jira: Unexpected HTTP response 0".

When using Jira Cloud, you'll need to create a Jira API token and add it on in Jira Settings in Cortex. The email address in Settings must be the same as the user that the token is associated with. Cortex also expects only the subdomain of your Jira instance, not the entire URL.

I received "Configuration error: Jira: Unexpected HTTP response 403: Forbidden".

Make sure that the entity name in Cortex matches the label, component, or project name in Jira.
Make sure the subdomain and base URL correspond with the Jira instance you're trying to connect.
Verify that the Jira token you added is still valid. You can run the following to confirm:

I configured the integration, but I am not seeing Work Items populate.

The background job fetches work items every 5 minutes. However, a fresh integration configuration may result in longer waiting times, as it also fetches historical data.

Still need help?

The following options are available to get assistance from the Cortex Customer Engineering team:

Email: , or open a support ticket in the in app Resource Center
Slack: Users with a connected Slack channel will have a workflow added to their account. From here, you can either @CortexTechnicalSupport or add a :ticket: reaction to a question in Slack, and the team will respond directly.

Don’t have a Slack channel? Talk with your Customer Success Manager.

Slack

Slack is a messaging and collaboration platform that makes it easy to communicate with your team and work together efficiently on projects.

Integrating Cortex with Slack allows you to:

Quickly find the relevant Slack channel to communicate with the right team, allowing for easier collaboration on projects and faster communication during an incident
- Slack channels appear in the "Owners" block on entity details pages.
Receive directly in Slack for Scorecard changes, upcoming Initiatives, weekly summaries of entity performance, and more
If you use the , receive notifications when an incident is triggered
Interact with the to query entity metadata and Scorecard scores
Create that enforce standards such as having Slack channels set for projects

How to configure Slack with Cortex

Prerequisites

To configure this integration:

Your Cortex user must have the Configure integrations permission
You must be an administrator in your Slack account
The Slack account must not be linked to another Cortex tenant

If you're using a self-managed Cortex instance, you'll need to follow a manual configuration process to use Cortex's app for Slack. Follow the .

Step 1: Configure the integration in Cortex

In Cortex, navigate to the :
- Click Integrations from the main nav. Search for and select Slack.
Click Add configuration.

After signing in to Slack and granting permission for Cortex to access the Slack workspace, you are redirected to the Slack integration settings page in Cortex. In the upper right corner of the page, click Test configuration to ensure Slack was configured properly.

Step 2: Configure Slack app settings

On the , you can configure additional options:

Require Cortex account to use Cortex's Slack app: Enable this setting if you want Cortex's Slack app to only work for users who have Cortex accounts.
Slack notifications: You can configure notifications to be sent via Slack for your organization. Click Notification settings to go directly to the notification configuration page for your workspace.
- Learn more about notifications below, under .

Using the Slack integration

Viewing Slack information across Cortex

Slack channels associated with teams or entities will appear in several places across Cortex:

: Slack channels will appear at the top of an entity's overview page in a Slack channels block, and in the "Owners" page in the entity's sidebar. You can click any channel name to go directly to that channel in Slack.\
You can write CQL queries and Scorecard rules based on Slack channels. Learn more under .

Managing Slack notifications

After configuring the Slack integration, you can choose whether to allow Slack notifications for your workspace.

In Cortex under Settings > Notifications, an admin or a user with the Configure workspace notification settings permission can enable or disable the option to receive notifications via Slack for each type of notification. Users can also adjust their to control which notifications they receive via Slack.

Team, user, and entity Slack notifications

Notifications are . DMs and channel notifications are sent from the .

User-based notifications are sent to users via a Slack DM.
Team-based notifications are sent to the Slack channel associated with a team.
Entity-based notifications are sent to the Slack channel associated with an entity.

Note that notifications can be sent to private Slack channels, but the Cortex Slack Bot must be a member of the channel in order for the notification to be delivered to the channel.

Learn more about notifications in the .

Using the Cortex Slack bot

After configuring the Slack integration, you can use commands to interact with the Cortex Bot in your Slack workspace. The Cortex Bot also powers notifications that are sent via Slack.

The Cortex Bot is a Slack app called "Cortex."

Cortex Bot notifications

The Cortex Bot sends you notifications based on (and based on your ).

In addition, the Cortex bot will send user-based and team-based weekly reports. The weekly report for users summarizes how their entities are tracking against Scorecards and Initiatives; the report for teams delivers the same summary for entities owned by that team.

Add the Cortex Slack Bot to a private channel

To ensure you receive notifications to a private channel, make sure you have added it to that channel:

Open the Slack channel where you want to add the bot.
Type and enter @Cortex.
Slack will prompt you to take an action. Click Add them.

Cortex Bot Commands

Using the below commands in Slack, you can quickly query entity metadata and Scorecard scores. The <tag> refers to the .

Using AI assistant in Slack

The AI assistant is in public beta. Check out the here for more details. Please contact your Cortex Customer Success Manager if you are interested in participating in the public beta.

As with all Large Language Models (LLM), the AI Assistant may not provide accurate responses. Please reach out to Cortex Customer Engineering if you encounter any issues.

The Cortex AI assistant is a conversational interface that helps you navigate Cortex. You can ask the AI assistant questions such as "Which entities do I own?"

Use it with Slack in the following ways:

In a public channel: Tag Cortex (type @Cortex) and ask a question.
In a DM: Message the Cortex app directly and ask a question.

View integration logs

This feature is available to Cortex cloud customers.

On the integration settings page, click the Logs tab to view logs from the last 7 days. Learn more in .

How to connect Cortex entities to Slack channels

In order to use this integration's functionality, your Slack channels need to be associated with entities in Cortex. You can connect Slack channels to teams and other entities in an when following a approach, or you can connect them in the Cortex UI.

Without configuring the Slack integration, you can also add a Slack channel as an on an entity.

Editing the entity descriptor

You can define Slack channels by name or ID, and enable or disable to the channel, in an entity descriptor for any entity type. Defining a Slack channel will enable direct access to the channel from the entity's page in Cortex.

When to define by name vs. channel ID

When you , it is more easily recognizable to users when viewing the entity's YAML. However, if a Slack channel's name is likely to change, it's better to as it won't break the entity's Slack link in Cortex.

Defining by channel IDs

Identity mappings

Cortex maps email addresses in your organization's Slack workspace to email addresses that belong to team members, so you never need to define email addresses in the entity descriptor.

You can confirm that users' Slack accounts are connected from the tool or from the .

Scorecards and CQL

With the Slack integration, you can create Scorecard rules and write CQL queries based on Slack channels.

See more examples in the in Cortex.

Check if Slack channel is set

Checks if an entity has a registered Slack channel in its entity descriptor.

Definition: slack (==/!=) null

Example

For a Scorecard focused on onboarding entities, you can define a rule to make sure each entity has a registered Slack channel:

Defining a rule to make sure a Slack channel is set is a good way to make sure that users can reach out to entity owners for more information or if an issue arises.

Number of Slack channels

Counts the number of Slack channels registered for a given entity.

Definition: slack.channels().length

Example

Similar to slack != null, you can use this expression to write a rule checking that entities are linked to a Slack channnel:

Total number of members across Slack channel

Counts the total number of members across all registered Slack channels.

Definition: slack.numOfMembers()

Example

You can use this expression in the Query Builder to find entities linked to empty Slack channels:

If an entity is linked to an empty Slack channel, it might indicate a gap in your notification process.

Background sync

Cortex conducts a background sync of Slack identities every day at 10 a.m. UTC.

FAQs and troubleshooting

Can users access information via the Slack Bot if they haven't logged in to our Cortex instance?

Yes, this is possible, depending on the settings you configured for the Slack Bot in your workspace. To allow users to use the Slack Bot without logging in to Cortex, navigate to the in Cortex and disable the toggle next to Require Cortex account to use Cortex's Slack app.

Can I disable some of the notifications I receive in Slack?

You can adjust your , but note that .

Is the Slack integration required to add Slack channels to a team?

No, the Slack integration is not required to add channels to Cortex teams. You can manually add any Slack channels without setting up the Slack integration or for a team’s metadata.

Why isn't my Slack channel showing up after I've added it to an entity's YAML configuration?

Slack channels are cached and refreshed every 4 hours, so newly-added channels may not appear immediately in the UI.

Privacy policy

Cortex retains basic Slack metadata like user IDs for the period necessary to fulfill the purposes outlined in our unless a longer retention period is required or permitted by law, or where the Customer Agreement requires or permits specific retention or deletion periods.

To request to access, transfer, or delete data, you can reach out to the Cortex support team.

Still need help?

The following options are available to get assistance from the Cortex Customer Engineering team:

Email: , or open a support ticket in the in app Resource Center
Slack: Users with a connected Slack channel will have a workflow added to their account. From here, you can either @CortexTechnicalSupport or add a :ticket: reaction to a question in Slack, and the team will respond directly.

Don’t have a Slack channel? Talk with your Customer Success Manager.

Bitbucket

Bitbucket is a Git-based version control system from Atlassian. You can use Bitbucket to drive insights into repository details in the Catalog and Scorecard rules.

Integrating Bitbucket with Cortex allows you to:

Discover and track ownership of Bitbucket entities
View Bitbucket data on entity pages in Cortex
Follow a workflow with Bitbucket
View information about pull requests in the
Use Bitbucket metrics in to understand key metrics and gain insight into services, incident response, and more
Create that track progress and drive alignment on projects involving your Bitbucket repositories

Bitbucket data in and in the is available in private beta. Please contact your Cortex Customer Success Manager for access.

How to configure Bitbucket with Cortex

There are multiple options for integrating with Bitbucket:

Cloud: Using a workspace token (recommended), the Cortex Atlassian app, or an app password.
On-prem: Using Basic auth or using OAuth
You can also integrate using Cortex Axon Relay, a relay broker that allows you to securely connect your on-premises Bitbucket data.

See the tabs below for instructions on the method you choose.

Configure Cortex with Bitbucket using a workspace token

Step 1: Generate a workspace token in Bitbucket

In Bitbucket, navigate to Settings > Workspace settings > Access tokens.
Create a workspace-level access token. Include the following scopes:

Configure the integration for multiple Bitbucket accounts

The Bitbucket integration has multi-account support. You can add a configuration for each additional by repeating the process above.

Each configuration requires an alias, which Cortex uses to correlate the designated with registrations for various entities. Registrations can also use a default configuration without a listed alias. You can edit aliases and default configurations from the Bitbucket page in your Cortex settings. Select the edit icon next to a given configuration and toggle Set as default on. If you only have one configuration, it will automatically be set as the default.

Cortex supports mapping multiple identities for a single user if you have multiple configurations of Bitbucket. See the documentation for more information.

Limit which Bitbucket projects are used for the integration

If you are a part of multiple projects in Bitbucket but you only want to show repositories for a specific set of projects, you can specify the projects in Cortex:

Navigate to the .
Click the pencil icon in the row containing the Bitbucket configuration you want to edit.\
Under Project names, select which projects you want to include.

Use webhooks for GitOps functionality

To use webhooks for GitOps functionality, you need to set a secret token on the page. This helps Cortex identify that the webhook event is valid. Make sure to enter the same secret when configuring the webhook on Bitbucket Server. \

How to connect Cortex entities to Bitbucket

Import entities from Bitbucket

See the for instructions on importing entities.

Editing the entity descriptor

Set repository details

By specifying the x-cortex-git field in your Cortex entity descriptor, you'll be able to see Git information in the entity page, including the top language, recent commits, and top contributors.

Field

Description

Required

The value for repository should be the workspace/repo as defined in Bitbucket.

Ownership

You can define the following block in your Cortex entity descriptor to add your Bitbucket teams.

Field

Description

Required

Identity mappings

Cortex maps users' email addresses to discovered Bitbucket accounts, so you never need to define email ownership in an entity descriptor.

You can confirm users' Bitbucket accounts are connected from .

Using the Bitbucket integration

View Bitbucket information on entity pages in Cortex

The Bitbucket integration populates the Repository block on an . For cloud configurations, it also populates the Language block. If a Bitbucket team has been defined as the owner for an entity, it will also appear in the Owners block.

In the Recent activity preview, you'll find the recent commits and releases.

Events

On an entity's Events page, you can find all of the commits and releases associated with that entity. Each is hyperlinked to the commit or release page in Bitbucket and includes a timestamp.

CI/CD

To see pipeline runs for Bitbucket, use the to add deploy information. After doing this, from the CI/CD > Deploys page in the entity's sidebar, you will see a history of pipeline runs.

Workflows

If a Workflow applies to a given entity, any actions you can perform are available under the Workflows link in the side panel of an entity.

Repository

You can access more detailed information pulled from Bitbucket in the Repository link in the sidebar. At the top of the repository page, see the repositories associated with that entity. For cloud configurations, you can also see the most-used language in files for that entity. In the Top contributors block, you'll find the three users who have contributed the most code and the number of their contributions.

In the Commits section, you'll find the 10 most recent commits and metadata about each. Below Commits is the Recent releases section, which includes the 5 most recent releases.

Packages

Packages are automatically scraped from your Git repos or they can be submitted via the . The package file must be in the root of your repository — or, if you're using basepath, in the root of the subdirectory — to be scraped by Cortex. You can query an entity's packages in using packages().

To view packages, click Packages in the entity's sidebar.

The following package types are automatically scraped from repositories:

JavaScript / Node.js: package.json, package-lock.json, yarn.lock, pnpm-lock.yaml
Python: requirements.txt, pipfile.lock

All other files of these types can be added via the .

Engineering homepage

Bitbucket in the homepage is available in private beta. Please contact your Cortex Customer Success Manager for access.

Note: Because of rate limits, Bitbucket ingestion in the homepage is limited to repositories that are mapped to an entity in Cortex.

The Bitbucket integration enables Cortex to pull information about pull requests and work items into the . You can find your open pull requests and any pull requests assigned to you for review.

Pull requests from Bitbucket are refreshed every 5 minutes.

Eng Intelligence

Bitbucket in Eng Intelligence is available in private beta. Please contact your Cortex Customer Success Manager for access. Note: Because of rate limits, Bitbucket ingestion in Eng Intelligence is limited to repositories that are mapped to an entity in Cortex.

The also uses pull request data from Bitbucket to generate metrics:

Average PR open to close time
Avg time to first review
Avg time to approval
PRs opened

You can read more about how Eng Intelligence tracks metrics for teams and users in the Eng Intelligence walkthrough.

Scorecards and CQL

With the Bitbucket integration, you can create Scorecard rules and write CQL queries based on Bitbucket details.

See more examples in the in Cortex.

Approvals required to merge

The total number of approvals required to merge a Pull Request into the repository, defaulting to 0 if no approvals are defined.

Definition: git.numOfRequiredApprovals(): Number

Example

In a Scorecard, you can write a rule to encourage at least one approval for each Pull Request:

Git repository set

Check if an entity has a registered Git repository.

Definition: git (==/!=) null: Boolean

Example

In a Scorecard, you can write a rule that detects whether an entity has a Git repository set:

Pipeline build success rate

The percentage of build pipelines that complete successfully. This is calculated against builds on the default branch, for commits in the last 30 days. The calculation is # successful builds / (# successful + # failed). Definition: git.percentBuildSuccess(): Number

Example

In a Scorecard, you can write a rule that requires at least 90% of build runs to be successful:

View integration logs

This feature is available to Cortex cloud customers.

On the integration settings page, click the Logs tab to view logs from the last 7 days. Learn more in .

Background sync

Cortex conducts a background sync of Bitbucket identities every day at 10 a.m. UTC. Repositories are refreshed every day at 2 p.m. UTC.

Troubleshooting and FAQ

Rules are failing saying that I don't have file x, but I verified that the file exists.

We always use the default branch for file existence checks. Make sure that the file is present in the default branch.

Still need help?

The following options are available to get assistance from the Cortex Customer Engineering team:

Email: , or open a support ticket in the in app Resource Center
Slack: Users with a connected Slack channel will have a workflow added to their account. From here, you can either @CortexTechnicalSupport or add a :ticket: reaction to a question in Slack, and the team will respond directly.

Don’t have a Slack channel? Talk with your Customer Success Manager.

GitLab

GitLab is a Git-based version control system with cloud and self-hosted options.

Integrating GitLab with Cortex allows you to:

Discover and track ownership of entities
Follow a GitOps workflow with GitLab
View commits alongside events and other data on
View information about merge requests in the
Use GitLab metrics in to understand key metrics and gain insight into services, incident response, and more
Create to monitor development maturity relating to GitLab projects

How to configure GitLab with Cortex

There are two options for integrating GitLab: the default configuration method and Cortex Axon Relay, a relay broker allows you to securely connect your on-premises GitLab data.

Prerequisites

Before getting started:

A GitLab user with at least the Maintainer role must create a GitLab or with the read_api scope.
- We recommend that you create the token at the parent group level, as GitLab does not support using a scoped token to read members from a parent group. If you do not create the token at the parent level, then you will need to manually configure groups in your GitLab settings in order for identity mapping and teams to work as expected.

Self-hosted prerequisites

If you're using a self-hosted instance of GitLab, you'll need to verify that your Cortex instance is able to reach the GitLab instance. We route our requests through a static IP address. Reach out to support at to receive details about our static IP. If you're unable to directly allowlist our static IP, you can route requests through a secondary proxy in your network that has this IP allowlisted and have that proxy route traffic to your GitLab instance.

Configure the integration in Cortex

In Cortex, navigate to the :
- Click Integrations from the main nav. Search for and select GitLab.

Configure the integration for multiple GitLab accounts

The GitLab integration has multi-account support. You can add a configuration for each additional by repeating the process above.

Each configuration requires an alias, which Cortex uses to correlate the designated with registrations for various entities. Registrations can also use a default configuration without a listed alias. You can edit aliases and default configurations from the GitLab page in your Cortex settings. Select the edit icon next to a given configuration and toggle Set as default on. If you only have one configuration, it will automatically be set as the default.

Cortex supports mapping multiple identities for a single user if you have multiple configurations of GitLab. See the for more information.

Enable GitOps for your GitLab integration

Cortex supports a GitOps approach, which allows you to manage entities in Cortex through your version control system. If you would prefer this workflow over the UI for the GitLab integration, you must create a webhook. Please see the for instructions.

How to connect Cortex entities to GitLab

Import entities

Cortex will discover entities for import from your GitLab configuration(s). These will appear in the import entities workflow.

See the for instructions on importing entities manually.

Editing the entity descriptor

Git

By specifying the x-cortex-git field in your Cortex entity descriptor, you'll be able to see Git information in the entity page, including the top language, recent commits, and top contributors.

Field

Description

Required

Only one repository can be defined for in a given entity's YAML in the x-cortex-git block.

Ownership

You can define the following block in your Cortex entity descriptor to add your GitLab groups.

Team name should match the group name in GitLab.

Field

Description

Required

Identity mapping

Cortex maps users' email addresses to discovered GitLab accounts, so you never need to define email ownership in an entity descriptor.

You can confirm users' GitLab accounts are connected from .

If users are not loading in the identity mapping page, make sure that you have created your GitLab personal access token from the parent level as described in the .

Using the GitLab integration

View GitLab data on entity pages in Cortex

Cortex uses the GitLab integration for a significant amount of data that appears on .

The GitLab integration will populate the Repo and Language detail blocks on an entity's details page.

In the Recent activity preview, you'll find the recent commits and releases. These will also appear in the event timeline.

These data will appear for entities imported from a Git source or those that have a Git repo defined in their YAMLs.

Events

On an entity's Events page, you can find all of the commits and releases associated with that entity. Each is hyperlinked to the commit or release page in GitLab and includes a timestamp.

CI/CD

To see pipeline runs for GitLab, use the to add deploy information. After doing this, from the CI/CD > Deploys page in the entity's sidebar, you will see a history of pipeline runs.

Repository

You can access more detailed information pulled from GitLab in the Repository page in the entity's sidebar. At the top of the page, you'll find the repo associated with that entity and the most-used language in files for that entity. In the Top contributors block, you'll find the three users who have contributed the most code and the number of their contributions.

In the Commits section, you'll find the 10 most recent commits and metadata about each. Below Commits is the Recent releases section, which includes the 5 most recent releases.

Packages

To view packages, click Packages in the entity's sidebar.

The following package types are automatically scraped from repositories:

JavaScript / Node.js: package.json, package-lock.json, yarn.lock, pnpm-lock.yaml
Python: requirements.txt, pipfile.lock

All other files of these types can be added via the .

Team pages

When a GitLab team is registered in a team entity descriptor, Cortex will pull GitLab users in to the Members tab. When available, Cortex will pull in the profile picture and email address for each user.

If team members are not appearing as expected, make sure that you have created your GitLab personal access token from the parent level as described in the .

Engineering homepage

The GitLab integration enables Cortex to pull information about merge requests into the . You can find your open merge requests and any merge requests assigned to you for review.

Merge requests from GitLab are refreshed every 2 minutes.

Eng Intelligence

The also uses merge request data from GitLab to generate metrics:

Average MR open to close time
Avg time to first review
Avg time to approval
MRs opened

You can read more about how Eng Intelligence tracks metrics for teams and users in the Eng Intelligence walkthrough.

To add deployments for your GitLab related entity, you can send a deployment event to the .

Scorecards and CQL

With the GitLab integration, you can create Scorecard rules and write CQL queries based on GitLab data.

See more examples in the in Cortex.

Approvals required to merge

Number of approvals required to merge a pull/merge request into a repository. Defaults to 0 if no approvals are defined.

Definition: git.numOfRequiredApprovals()

Examples

For a security or development maturity Scorecard, you can write a rule to make sure at least one approval is required to merge a pull/merge request:

Git repository set

Check if an entity has a registered Git repository.

Definition: git (==/!=) null: Boolean

Example

In a Scorecard, you can write a rule that detects whether an entity has a Git repository set:

Pipeline build success rate

Definition: git.percentBuildSuccess(): Number

Example

In a Scorecard, you can write a rule that requires at least 90% of build runs to be successful:

Branches

List all live branches with some basic metadata.

Head
Is protected

Branch protection details

Find details for specified branch, or default branch if none is specified.

Branch name
Code owner reviews required

Commits

Get the latest commits (to a maximum of 100) for a defined lookback period (defaulting to 7 days).

Date
Message

Default branch

Default branch for the repository, or main when null.

Definition: git.defaultBranch()

Example

If default branches should always be named "main," you can write a rule to make sure entities follow this practice:

File contents

Load the contents of a file from the entity's associated repository.

The contents can be validated by using string comparison operations or parsed by the built-in jq function. The jq function will automatically coerce file contents of JSON or YAML formats.

Definition: git.fileContents()

Example

For a Scorecard focused on development maturity, you could use the

File exists

Check if file exists from within the entity's associated repository.

Definition: git.fileExists()

Examples

For a Scorecard focused on best practices, you can make sure that repositories contain a README.md file:

This rule would make sense in the first level because it's so essential.

Number of Git vulnerabilities

Check the number of vulnerabilities for an entity's associated repository.

Definition: git.numOfVulnerabilities()

Examples

A security-focused Scorecard will likely include a rule making sure there are no Git vulnerabilities:

You can use Scorecard levels to stratify vulnerabilities by risk. An initial level might make sure there are no critical vulnerabilities:

List of Git vulnerabilities

Find all vulnerabilities within a repository. Can filter by severity or scan type.

Definition: git.vulnerabilities()

Examples

You could write a Scorecard rule that verifies an entity has fewer than 5 Git vulnerabilities:

You could write a rule to verify that an entity has no critical vulnerabilities:

Has Cortex YAML

Check if a repository has a valid cortex.yaml file checked in at the root directory (when GitOps is enabled).

Definition: git.hasCortexYaml()

Example

If you're using a Scorecard to track a migration from Cortex UI to GitOps, you can use this rule to make sure entities are set up for GitOps management of entity descriptors:

Last commit details

Provides last commit details.

Date
Message

Pull requests

Lists pull requests opened during a defined lookback period.

Approval date
Author

Reviews

List reviews left during a defined lookback period.

Organization
Repository

Workflow runs

Get workflow runs meeting given filter criteria, including conclusions, statuses, and a lookback period.

Conclusion
Name

Ownership CQL

All ownership details

A special built-in type that supports a null check or a count check, used to enforce ownership of entities.

Definition: ownership: Ownership | Null

Example

An initial level in a security Scorecard might include a rule to ensure an entity has at least one team as an owner:

All owner details

List of owners, including team members and individual users, for each entity

Definition: ownership.allOwners()

Example

The Scorecard might include a rule to ensure that entity owners all have an email set:

Team details

List of teams for each entity

Definition: ownership.teams(): List<Team>

Example

The Scorecard might include a rule to ensure that an entity owners all have a description and are not archived:

View integration logs

This feature is available to Cortex cloud customers.

On the integration settings page, click the Logs tab to view logs from the last 7 days. Learn more in .

Background sync

Cortex conducts a background sync of GitLab identities every day at 10 a.m. UTC. Merge requests are refreshed every 2 minutes.

FAQ and Troubleshooting

Why is my CQL query git.branchProtection() returning no results or a 403 error?

This can happen if you do not have the read_api scope set for your access token, or if the GitLab user who generated the token does not have at minimum the Maintainer role.

Still need help?

The following options are available to get assistance from the Cortex Customer Engineering team:

Email: , or open a support ticket in the in app Resource Center
Slack: Users with a connected Slack channel will have a workflow added to their account. From here, you can either @CortexTechnicalSupport or add a :ticket: reaction to a question in Slack, and the team will respond directly.

Don’t have a Slack channel? Talk with your Customer Success Manager.

Azure DevOps

Azure DevOps is a Microsoft-owned version control system used for managing the software development lifecycle.

Integrating Cortex with Azure DevOps allows you to:

Automatically discover and track ownership of Azure DevOps entities
Follow a GitOps workflow with Azure DevOps
View information about your Azure DevOps repositories on an entity's details page, including: The repo associated with the entity, recent commits and releases in the event timeline, the most-used language in the files for that entity, the top code contributors, and their number of contributions
- If you pull in , you can also see pipeline runs and builds in the CI/CD section of an entity's details page.
- If you enable the , you will also see a list of open work items on entity pages.
View information about pull requests and work items in the engineering homepage
in Cortex
Use Azure DevOps metrics in Eng Intelligence to understand key metrics and gain insight into services, incident response, and more
Create that track progress and drive alignment on projects involving your repositories, Azure DevOps work items, and Azure DevOps pipeline data

How to configure Azure DevOps with Cortex

Configure the integration in Cortex

You can configure Azure DevOps with a Personal Access Token (PAT) or with a Service Principal with Entra ID.

Prerequisite

Before you get started:

Add a with at least the following scopes enabled:
- Analytics: read

Cortex supports mapping multiple identities for a single user if you have multiple configurations of Azure DevOps. See the for more information.

Enable or disable Azure DevOps work items

On the , you can choose whether Azure DevOps work items should be pulled in from Azure DevOps. Cortex recommends disabling this option if your organization does not use work items or if you are worried about running into rate limit issues.

How to connect Cortex entities to Azure DevOps

Import entities from Azure DevOps

See the for instructions on importing entities.

Editing the entity descriptor

In an entity's YAML, you can define a , , , and .

Define a repository

To define an Azure DevOps repository for a given entity, add the x-cortex-git block to the entity's descriptor.

Field

Description

Required

Only one repository can be defined for in a given entity's YAML in the x-cortex-git block.

Define work items

Before adding work items to your entity YAML, make sure you have in your integration settings.

To define Azure DevOps work items for a given entity, add the x-cortex-azure-devops block to the entity's descriptor. If there is no work item registrations, but the entity matches a repository, we will pull in all work items from the repository's project with a tag that matches the Cortex entity name, , or the repository name.

Example WIQL

The example YAML below is based on the following example WIQL:

Learn more about WIQL in .

Field

Description

Required

Define ownership

Ownership of each entity through Azure DevOps is defined through an owner of type group.

name is a case-sensitive field that corresponds to the upstream identifier of your owner from Azure DevOps.

Learn more about ownership in .

Define pipelines

You can add Azure DevOps pipelines under the x-cortex-azure-devops block:

Field

Description

Required

Learn more about Azure DevOps pipelines in .

Identity mappings for Azure DevOps

Cortex maps users' email addresses to discovered Azure DevOps accounts.

You can confirm users' Azure DevOps accounts are connected from .

Create a work item from an Initiative issue

Initiatives allow you to set deadlines for specific rules or a set of rules in a given Scorecard and send notifications to users about upcoming due dates.

From the Issues tab of an Initiative, you can automatically create a Azure DevOps work item from a failing rule:

Click Create issue.
In the modal that appears, fill out the form:
- Integration: If you have multiple task tracking tools, select Azure DevOps from the Integration dropdown.

The issue configuration will apply to all entities that meet the filter criteria. Once an entity is passing the rule, Cortex will automatically close the associated ticket.

Using the Azure DevOps integration

View Azure DevOps data on entity pages in Cortex

The Azure DevOps integration will populate the Repo detail block on an entity's details page.

In the Recent activity preview, you'll find the recent commits and releases. These will also appear in the event timeline.

These data will appear for entities imported from a Git source or those that have a Git repo defined in their YAMLs.

Events

On an entity's Events page, you can find all of the commits and releases associated with that entity. Each is hyperlinked to the commit or release page in Azure DevOps and includes a timestamp.

CI/CD

From the CI/CD > Deploys page in the entity's sidebar, see a history of pipeline runs.

Repository

You can access more detailed information pulled from Azure DevOps under Repository in the sidebar. At the top of the repository page, you'll find the repo associated with that entity and the most-used language in files for that entity. In the Top contributors block, you'll find the three users who have contributed the most code and the number of their contributions.

In the Commits section, you'll find the 10 most recent commits and metadata about each. Below Commits is the Recent releases section, which includes the 5 most recent releases.

Issue tracking

In the Issue tracking section, you can find a list of open . Each work item will show the title, summary, assignees, priority, and date created.

Packages

To view packages, click Packages in the entity's sidebar.

The following package types are automatically scraped from repositories:

JavaScript / Node.js: package.json, package-lock.json, yarn.lock, pnpm-lock.yaml
Python: requirements.txt, pipfile.lock

All other files of these types can be added via the .

Engineering homepage

The Azure DevOps integration enables Cortex to pull information about pull requests and work items into the . You can find your open pull requests, any pull requests assigned to you for review, and any work items assigned to you.

Pull requests and work items from Azure DevOps are refreshed every 5 minutes.

Eng Intelligence

The also uses pull request data from Azure DevOps to generate metrics:

Average PR open to close time
Avg time to first review
Avg time to approval
PRs opened

Read more about how Eng Intelligence tracks metrics for teams and users in the .

Scorecards and CQL

With the Azure DevOps integration, you can create Scorecard rules and write CQL queries based on Azure DevOps work items.

See more examples in the in Cortex.

Approvals required to merge

Total number of approval required to merge a pull request into a repository. Defaults to 0 if no approvals are defined.

Definition: git.numOfRequiredApprovals()

Examples

For a security or development maturity Scorecard, you can write a rule to make sure at least one approval is required for a pull request:

Branches

List all live branches with some basic metadata:

Head
Is protected

Branch protection details

Find details for a specified branch or default branch if none is specified.

Definition: git.branchProtection(branchName: Text?): GitBranchProtection

Examples

For a security Scorecard, you can write a rule to make sure the default branch is protected:

Or to make sure the main branch is protected:

Commits

Get the latest commits (to a maximum of 100) for a defined lookback period (defaulting to 7 days).

These results can be filtered based on branch name, using the default branch if no other branch is provided.

Definition: git.commits()

Examples

You can use the git.commits()

Default branch

Default branch for the entity's repository or main when null.

Definition: git.defaultBranch()

Examples

If default branches should always be named "main," you can write a rule in a best practices Scorecard to make sure entities are compliant:

File contents

Load the contents of a file from the entity's associated repository.

The contents can be validated by using string comparison operations or parsed by the built-in jq function. The jq function will automatically coerce file contents of JSON or YAML formats.

Definition: git.fileContents(<filename: Text>)

File exists

Check if file exists from within the entity's associated repository.

Definition: git.fileExists(<filename: Text>)

Examples

For a development best practices Scorecard, this expression can be used for a rule that makes sure developers are checking in lockfiles to ensure repeatable builds:

In the Query builder, you can use this expression with a wildcard to find entities with unit tests enabled:

Has Cortex YAML (GitOps)

When enabling GitOps to manage entity descriptors, Cortex checks for a checked in file ./cortex.yaml at the root directory. This rule can help track migrations from UI editing to GitOps for entity descriptor management.

Definition: git.hasCortexYaml()

Examples

If you're using a Scorecard to track a migration from Cortex UI to GitOps, you can use this rule to make sure entities are set up for GitOps management of entity descriptors:

Git repository set

Check if entity has a registered Git repository.

Definition: git (==/!=) null

Examples

A Scorecard focused on best practices or standards will likely include a rule in its first level making sure a Git repository is set up:

If an entity is failing this rule, it can indicate broader issues with the integration or explain why an entity isn't functioning as expected.

Last commit details

Provides last commit details.

Definition: git.lastCommit()

Examples

Depending on best practices at your organization, you may want to confirm the last commit for a given entity is no older than 3 days:

Confirming whether a service was updated recently can help team members catch outdated code sooner. Plus, if there is a security issue, you can quickly determine which services have or have not been updated to patch the vulnerability.

List pipelines

List pipelines with metadata, including name, id, url, and project name.

Definition: azureDevops.pipelines()

Examples

You could write a Scorecard rule to ensure that the entity has at least 1 pipeline that scans vulnerabilities:

You could write a Scorecard rule to ensure that the entity has an Azure DevOps pipeline set:

Pipeline build success rate

Percentage of build pipelines that complete successfully.

This is calculated against builds on the default branch for commits in the last 30 days: # successful builds / (# successful + # failed).

Definition: git.percentBuildSuccess()

Examples

Pipeline metrics

List pipelines with metrics. Metrics contains the successRate & averageDuration of a pipeline.

Definition: azureDevops.pipelineMetrics()

Examples

You could write a Scorecard rule to ensure pipelines have a successRate higher than 95%:

Pipeline runs

Get pipelines runs meeting the given filter criteria, which includes results, states. Results include "succeeded", "failed", "canceled", "unknown", states include "completed", "inProgress", "canceling", "unknown".

Definition: azureDevops.pipelineRuns()

Examples

List pipeline runs that are opened and reviewed within 1 day:

Recency of last commit

Calculates the duration of time between Scorecard evaluation and the date of the last commit from the entity's Git repository.

Definition: git.lastCommit().freshness

Examples

One of the first rules you might write for a Scorecard focused on development maturity or security is one validating that the last commit was within the last month:

Reviews

List reviews left during a defined lookback period.

Organization
Repository

Search repository files

Find all instances of code search query from within a repository.

Can filter by path, file name (extension required in file name), or extension. Filters can use * for glob matching. Supplying a query is required.

Definition: git.codeSearch((query = <query: Text>) (, path = <path: Text>) (, fileName = <fileName: Text>) (, fileExtension = <fileExtension: Text>)): List<GitSearchResult>

Examples

Top repository language

Find top used language for a repository, if available.

Definition: git.topLanguage()

Examples

Let's say the primary language developers should be using is Kotlin. You can write a rule to make sure that the top language associated with entities is Kotlin:

You can also use this expression to query for entities that don't have Kotlin as the top language to identify those that need to be updated:

Work items

Number of unresolved work items associated with the entity, where unresolved is defined as the WIQL [System.State] NOT IN ('Closed', 'Done', 'Completed', 'Inactive', 'Removed').

Definition: azureDevops.workItems()

Examples

For a Scorecard measuring entity maturity, you can use this expression to make sure entities have fewer than 10 Azure DevOps work items:

Work items from WIQL query

Number of work items associated with the entity based on arbitrary WIQL query.

Definition: azureDevops.workItems(query: Text | Null)

Examples

For a more specific rule in an entity maturity Scorecard, you can use this expression with a WIQL query to make sure entities have no more than 3 tickets with "Doing" status and highest priority.

View integration logs

This feature is available to Cortex cloud customers.

On the integration settings page, click the Logs tab to view logs from the last 7 days. Learn more in .

Background sync

Cortex conducts a background sync of Azure DevOps identities every day at 10 a.m. UTC. Pull requests and work items are refreshed every 5 minutes.

Still need help?

The following options are available to get assistance from the Cortex Customer Engineering team:

Email: , or open a support ticket in the in app Resource Center
Slack: Users with a connected Slack channel will have a workflow added to their account. From here, you can either @CortexTechnicalSupport or add a :ticket: reaction to a question in Slack, and the team will respond directly.

Don’t have a Slack channel? Talk with your Customer Success Manager.

## API Spec and Version
openapi: 3.0.0

# Service Descriptors

# Required fields: info, title, x-cortex-tag
info:
  title: <HUMAN_READABLE_SERVICE_NAME>
  x-cortex-tag: <SERVICE_TAG>
   description: <DESCRIPTION>

  # Groups
  # !Groups must contain only alphanumeric characters, and may not contain whitespaces!
  x-cortex-groups:
    - <GROUP_NAME>
    - <GROUP_NAME>
    - <GROUP_NAME>
  
  # Owners
  x-cortex-owners:
    - type: group
      name: my-team
      provider: CORTEX # Use when referring to a team defined in Cortex; these teams do not map to identities from integrations
      description: This is a description for this owner
    - type: email
      email: [email protected]
      description: This is a description for this owner
    - type: group
      name: team-name
      provider: ACTIVE_DIRECTORY | AZURE_DEVOPS | BAMBOO_HR | GITHUB | GITLAB | GOOGLE | OKTA | OPSGENIE | SERVICE_NOW | WORKDAY
  # Also see the team entity example below
  
  # Links
  x-cortex-link:
     - name: <HUMAN_READABLE_NAME>
       type: <TYPE>
       url: <URL_TO_LINK>
       description: <DESCRIPTION>
  ## Note that type of OPENAPI/ASYNC_API will be displayed in the API Explorer tab in the Cortex UI
  ## Links support relative URLs

  # Dashboards
  x-cortex-dashboards:
   embeds:
     - type: <datadog | grafana | newrelic>
       url: <URL>

  # Custom Data
  x-cortex-custom-metadata:
     my-key: the value
     another-key:
       this: is
         an: object
     my-key-2:
       value: the actual value for the key
       description: This is the description
     final-key:
       - also
       - use
       - lists!
       
  # Custom entities
  # You cannot create a custom entity type via GitOps, but after creating the type in the UI or API, you can create custom entities via GitOps.
  title: Sally S
  description: Technical writer
  x-cortex-tag: employee-sally
  x-cortex-type: org-employees
  x-cortex-definition:
    location: San Diego
    department: Engineering

  # Parent and child relationships
  x-cortex-type: team
  x-cortex-children:
  - tag: child-team-1
  - tag: child-team-2
  
  x-cortex-type: domain
  x-cortex-parents:
  - tag: parent-team-1
  - tag: parent-team-2
  
  # Entity relationships
  x-cortex-relationships:
  - type: relationship-type-name
    destinations:
    - tag: destination-entity-1
    - tag: destination-entity-2
  

  # Dependencies
  # Required fields: x-cortex-tag, method (required if path present), path (required if method present)
  x-cortex-dependency:
       - tag: <TAG>
         method: <HTTP_METHOD>
         path: <PATH_FOR_METHOD>
         description: <DESCRIPTION>
         metadata:
           tags:
             - <TAG_1>
             - <TAG_2>
           prod: true
           
 # Team configurations
 title: Eng Team
 x-cortex-tag: eng-team
 x-cortex-type: team
 x-cortex-team:
   groups:
   - name: eng-team
     provider: OKTA
   members:
   - name: Eng Manager
     email: [email protected]
     notificationsEnabled: true 
   - name: Product Manager
     email: [email protected]
     notificationsEnabled: false
  x-cortex-children:
    - tag: infra-team
    - tag: sre-team
 
 # Domain configurations
   x-cortex-type: domain
   x-cortex-owners:
     - type: GROUP
       name: cortexapps/engineering
       provider: GITHUB
       interitance: APPEND | FALLBACK | NONE 
   x-cortex-children:
     - tag: chat-service
       tag: chat-database
       


  # Integrations
  
  # Apiiro
  x-cortex-apiiro:
    repositories:
      - alias: alias-one
        repositoryId: repository-one
      - alias: alias-two
        repositoryId: repository-two
    applications:
      - alias: alias-one
        applicationId: application-one
      - alias: alias-two
        applicationId: application-two
  
  # AWS Cloud Control types
  x-cortex-infra:
    aws:
      cloudControl:
      - type: AWS::RDS::DBInstance
        region: us-west-2
        accountId: "123456123456"
        identifier: rds-example
  
  # AWS ECS
  x-cortex-infra:
    aws:
      ecs:
        - clusterArn: <CLUSTER_ARN>
          serviceArn: <SERVICE_ARN>
        - clusterArn: <CLUSTER_ARN_2>
          serviceArn: <SERVICE_ARN_2>

  # Azure DevOps
  x-cortex-git:
    azure:
      project: <project-name>
      repository: <repository-name>
       
  # Azure Resources
  x-cortex-azure:
    ids:
    - id: /subscriptions/1fbb2da1-2ce7-45e4-b85f-676ab8e12345/resourceGroups/GROUP1/providers/Microsoft.Compute/disks/vm1_disk1_3d9f85717666435e9e87e4883d31a7e9
      alias: my-default-alias # alias is optional and only relevant if you have opted into multi account support
    - id: /subscriptions/1fbb2da1-2ce8-45e4-b85f-676ab8e12345/resourceGroups/GROUP2/providers/Microsoft.Compute/disks/vm1_disk1_3d9f85717666435e9e87e4883d31a7e0
      alias: my-other-alias # alias is optional and only relevant if you have opted into multi account support

  # BambooHR
  x-cortex-owners:
    - type: group
      name: <TEAM_NAME>
      provider: BAMBOO_HR
      description: # optional

  # Bitbucket
  x-cortex-git:
    bitbucket:
      repository: <workspace>/<repo>
   x-cortex-owners:
       - type: group
         name: <TEAM_NAME>
         provider: BITBUCKET
         description: # optional
         
  # Bugsnag
  x-cortex-bugsnag:
    project: <PROJECT_KEY> # projectKey in Bugsnag
     
  # Buildkite
  x-cortex-ci-cd:
    buildkite:
      pipelines:
        - slug: my-buildkite-pipeline-slug-1
        - slug: my-buildkite-pipeline-slug-2
      tags:
        - tag: my-buildkite-tag-1
        - tag: my-buildkite-tag-2

  # Checkmarx
  x-cortex-checkmarx:
    projects:
      - projectName: My Cool Project
      - projectId: 1234
  
  # CircleCI
  x-cortex-circle-ci:
      projects:
      - projectSlug: circleci-projectslug # projectslug in CircleCI
        alias: circleci-alias # alias is optional and only relevant if you have opted into multi account support
  
  # ClickUp
  x-cortex-issues:
    clickup:
      spaces:
      - identifier: 123456789
        identifierType: ID
      folders:
      - identifier: my-folder
        identifierType: NAME
      tags:
      - name: tag a
      - name: tag b
  
  # Codecov
  x-cortex-static-analysis:
    codecov:
      owner: org-name
      repo: my-project
      provider: AZURE_DEVOPS | BITBUCKET | BITBUCKET_SERVER | GITHUB | GITHUB_ENTERPRISE | GITLAB | GITLAB_ENTERPRISE
      flag: flag

  # Coralogix
  x-cortex-coralogix:
    applications:
    - applicationName: my-app # application name tied to alert
      alias: my-alias # alias is optional and only relevant if you have opted into multi account support
  
  # Datadog
  x-cortex-apm:
    datadog:
      serviceTags: # List of tags & values
       - tag: <KEY>
         value: <VALUE>
       - tag: <KEY>
         value: <VALUE>
  .   serviceName: <NAME IN DATADOG>
      monitors:
        - monitor-id
        - monitor-id-2
  x-cortex-slos:
     datadog: # List of SLO ids
       - id: slo-id-1
       - id: slo-id-1

  # Dynatrace
  x-cortex-apm:
    dynatrace:
      entityIds:
        - mock-service-id-1
        - mock-service-id-2
      entityNameMatchers:
        - "foo.*"
  x-cortex-slos:
    dynatrace:
      - id: slo-id-1
      - id: slo-id-2

  # Entra ID (Azure Active Directory)
  x-cortex-owners:
     - type: group
       name: <TEAM_NAME>
       provider: ACTIVE_DIRECTORY
       description: # optional

  # FireHydrant
  x-cortex-firehydrant:
    services:
      - identifier: ASDF1234
        identifierType: ID
      - identifier: service-slug
        identifierType: SLUG

  # GitHub
  x-cortex-git:
    github:
      repository: <org>/<repo>
      basepath: <SERVICE_NAME> # optional
   x-cortex-owners:
     - type: group
       name: <ORGANIZATION>/<TEAM> # Must be of form <org>/<team>
       provider: GITHUB
       description: # optional


  # GitLab
  x-cortex-git:
    gitlab:
      repository: <namespace>/<project>
      basepath: <SERVICE_NAME> # optional
  x-cortex-owners:
    - type: group
      name: Team Name
      provider: GITLAB
      description: This is a description for this owner


  # Google
  x-cortex-owners:
    - type: group
      name: <GROUP_NAME>
      provider: GOOGLE
  x-cortex-dependency:
    gcp:
      labels:
        - key: my-key-1
          value: my-value-1
        - key: my-key-2
          value: my-value-2
  x-cortex-infra:
    Google Cloud:
      resources:
        - resourceName: location/function
          projectId: project1
          resourceType: function
        - resourceName: example-bucket
          projectId: project1
          resourceType: storage
  x-cortex-slos:
    gcp:
      - projectId: cortex-gcp-integration
        serviceId: iLE2e4HvR_iVlxAaBbCc12
      - projectId: cortex-gcp-integration
        serviceId: adfdfdafd

  # Grafana
  x-cortex-dashboards:
    embeds:
      - type: grafana
        url: <embed_url_to_dashboard>
         
  # incident.io
  x-cortex-incident-io:
    customFields:
    - name: Entity
      value: My Entity
      alias: my-default-alias
    - id: Entity_ID
      value: my-second-entity
      alias: my-other-alias

  # Jira
  x-cortex-issues:
    jira:
      labels:
        - <LABEL1>
        - <LABEL2>
      components:
        - <COMPONENT1>
      projects:
        - project1
  # Optional: Override Cortex default Jira query
      defaultJql: 'status = "In Progress"'

  # Kubernetes
  x-cortex-k8s:
    deployment:
      - identifier: namespace/name
        cluster: dev # optional
      - identifier: experiment/scratch
        cluster: dev
      - identifier: default/cortex
        cluster: prod
    argorollout:
      - identifier: namespace/name
        cluster: dev
    statefulset:
      - identifier: namespace/name
        cluster: dev
    cronjob:
       - identifier: namespace/name
         cluster: dev

  # LaunchDarkly
  x-cortex-launch-darkly:
    projects:
      - key: project-key
        environments: # Optional
          - environmentName: prod
          - environmentName: staging
        alias: alias-1 # alias is optional and only relevant if you have opted into multi account support
      - tag: project-tag
        environments: # Optional
          - environmentName: prod
        alias: alias-2 # alias is optional and only relevant if you have opted into multi account support
    feature-flags:
      - tag: feature-flag-tag
        environments: # Optional
          - environmentName: staging
        alias: alias-3 # alias is optional and only relevant if you have opted into multi account support
  
  # Lightstep
  x-cortex-slos:
    lightstep:
      - streamId: <STREAM_ID>
        targets:
        latency:
          - percentile: <PERCENTILE>
            target: <TARGET>
            slo: <SLO>

  # Mend
  x-cortex-static-analysis:
    mend:
      applicationIds:
        - mend_id_1
        - mend_id_2
      projectIds:
        - project_id_1
        - project_id_2
  
  # Microsoft Teams
  x-cortex-microsoft-teams:
    channels:
    - name: team-engineering
      teamName: engineering
      description: This is a description for the engineering channel in Teams.
      notificationsEnabled: true
  
  # New Relic
  x-cortex-apm:
    newrelic:
      applications:
      - applicationId: <APP_ID>
        alias: default-app
      tags:
      - tag: tagKey
        value: tagValue
        alias: default-app
  x-cortex-dashboards:
    embeds:
      - type: newrelic
        url: <FULL_URL_TO_DASHBOARD>

  # Okta
  x-cortex-owners:
    - type: group
      name: <GROUP_NAME> # group name in Okta
      provider: OKTA
      description: # optional

  # OpsGenie
  x-cortex-oncall:
    opsgenie:
      type: SCHEDULE
      id: <SCHEDULE_ID> # Optionally, can use the Rotation UUID instead
  x-cortex-owners:
    - type: group
      name: <GROUP_NAME>
      provider: OPSGENIE
      description: # optional
  x-cortex-alerts:
    - type: opsgenie
      tag: <KEY>
      value: <VALUE>

  # PagerDuty
  x-cortex-oncall:
    pagerduty:
      id: <SERVICE_ID> # Service ID
      type: SERVICE
  x-cortex-oncall:
    pagerduty:
      id: <SCHEDULE_ID> # Schedule ID
      type: SCHEDULE
  x-cortex-oncall:
    pagerduty:
      id: <POLICY_ID> # Escalation Policy ID
      type: ESCALATION_POLICY

  # Prometheus
  x-cortex-slos:
    prometheus:
      - errorQuery: <query>
        totalQuery: <query>
        slo: <slo target number>
        alias: my-prometheus-instance
        name: my-slo-name

  # Rollbar
  x-cortex-rollbar:
    project: <PROJECT_NAME> # projectName in Rollbar
     
  # Rootly
  x-cortex-rootly:
    services:
      - id: ASDF1234
      - slug: service-slug

  # Sentry
  x-cortex-sentry:
    projects:
      - name: my-project # projectName in Sentry
      - name: my-second-project
     
  # Semgrep
  x-cortex-semgrep:
    projects:
    - alias: my_org 
      projectId: 1234567
    - alias: other_org
      projectId: 7654321

  # ServiceNow
  x-cortex-servicenow:
    services:
    - tableName: cortex-services
      id: 1
  x-cortex-owners:
    - type: group
      name: My ServiceNow Team
      provider: SERVICE_NOW
      description: This is a description for this owner # optional

  # Slack
  x-cortex-slack:
    channels:
    - id: ABCDEF123
      notificationsEnabled: true
      description: This is a description for this Slack channel
    - name: team-engineering
      notificationsEnabled: true
      description: A description for this Slack channel.

  # Snyk
  x-cortex-snyk:
    projects:
      - organizationId:<ORGANIZATION_ID>
        projectId: <PROJECT_ID>
        source: CODE

  # SonarQube
  x-cortex-static-analysis:
    sonarqube:
      project: <PROJECT_KEY> # projectKey in SonarQube
      alias: sonarqube-alias

  # Splunk Observability Cloud (SignalFX)
  x-cortex-slos:
    signalfx:
      - query: <FULL_SFX_QUERY>  # Ex. sf_metric:"jvm.memory.max" AND area:"nonheap"
        rollup: <ROLLUP>
        target: <TARGET>
        lookback: <LOOKBACK>
        operation: <OPERATION>
  
  # Splunk On-Call (VictorOps)
  x-cortex-oncall:
    victorops:
      type: SCHEDULE
      id: <SCHEDULE_ID>
       
  # Sumo Logic
  x-cortex-slos:
    sumologic:
      - id: 000000000001234
      - id: 000000000006789
      
  # Veracode
  x-cortex-static-analysis:
    veracode:
      applicationNames:
        - My Application
        - Second Application
      sandboxes:
        - applicationName: My Application
          sandboxName: My Sandbox
        - applicationName: Second Application
          sandboxName: Second Sandbox
          
  # Wiz
  x-cortex-wiz:
    projects:
      - projectId: 01234567-e65f-4b7b-a8b1-5b642894ec37
      
  # Workday
  x-cortex-owners:
    - type: group
      name: workday-team-tag
      provider: CORTEX
      description: This is a description for this owner.
      
  # xMatters
  x-cortex-oncall:
    xmatters:
      id: engineering_group
      type: SERVICE

GitHub

GitHub is a Git-based source code repository. You can use GitHub to share code with team members, track and manage changes to code over time, and collaborate on projects across your organization.

Integrating GitHub with Cortex allows you to:

Automatically discover and track ownership of GitHub entities
Follow a GitOps workflow with GitHub to manage your Cortex workspace
View information about your GitHub repositories on an , including: The repo associated with the entity, recent commits and releases in the event timeline, the most-used language in the files for that entity, the top code contributors, and their number of contributions.
- In an entity's Code & Security section, see vulnerabilities from (Code scanning, Dependabot alerts, CodeQL, and Secret scanning)
View information about pull requests and work items in the
Use GitHub metrics in to understand key metrics and gain insight into services, incident response, and more
Create that track progress and drive alignment on projects involving your repositories

You can also optionally integrate GitHub Copilot with Cortex to:

Track Copilot adoption and impact within

GitHub Copilot integration

If you installed the GitHub app prior to October 14, 2025, you must accept new permissions in order to access Copilot metrics in Cortex. for more information.

How to configure GitHub with Cortex

Prerequisites

If you connect Cortex via a , it must be configured with a token containing the minimum permissions listed below.

Note: The is preconfigured with these permissions.

Repository permissions

Organization-level permissions

Permission

Requirement

Purpose in Cortex

Choose a configuration option

There are multiple options for connecting Cortex to your GitHub instance:

Through Cortex's official GitHub app
- Note: This is supported for use with a single organization in GitHub.
Through a custom GitHub app

If your GitHub setup involves multiple organizations, you can add multiple GitHub apps, use a that has access to all orgs, or create multiple configurations with corresponding aliases.

See the tabs below for instructions on each of the GitHub integration options.

If you're using a self-hosted instance of GitHub, you'll need to verify that your Cortex instance is able to reach the GitHub instance. We route our requests through a static IP address.

Reach out to support at to receive details about our static IP. If you're unable to directly allowlist our static IP, you can route requests through a secondary proxy in your network that has this IP allowlisted and have that proxy route traffic to your GitHub instance.

Configure GitHub with the Cortex GitHub app

is the easiest way to connect your GitHub instance. It is preconfigured with the needed to use this integration. Note that it is not available for Cortex Server.

To set up the app:

In Cortex, navigate to the :

Configure the integration for multiple GitHub accounts

The GitHub integration has multi-account support. You can add a configuration for each additional organization, instance, or account by repeating the process above.

Each configuration requires an alias, which Cortex uses to correlate the designated organization, instance, or account with registrations for various entities. Registrations can also use a default configuration without a listed alias. You can edit aliases and default configurations from the GitHub page in your Cortex settings. Select the edit icon next to a given configuration and toggle Set as default on. If you only have one configuration, it will automatically be set as the default.

Cortex supports mapping multiple identities for a single user if you have multiple configurations of GitHub. See the for more information.

To write rules related to Dependabot alerts, you must verify the necessary permissions are set for repositories you'd like to see vulnerabilities reported on.

To verify, navigate to a repository on GitHub and click "Settings" → "Code security and analysis". Make sure you are a member of a team under "Access to alerts.

Registration

See the for instructions on importing entities.

Entity descriptor

Repository

You can define a GitHub repository for a given entity by adding the x-cortex-git block to the entity's descriptor. When you define a repository, Cortex checks for Security Advisory vulnerabilities from the GraphQL API and Advanced Security vulnerabilities from the Rest API.

Field

Description

Required

Only one repository can be defined for in a given entity's YAML in the x-cortex-git block. Users looking to list additional repositories without the full functionality of GitOps can define the repos as custom data.

Ownership

You can define the following block in your Cortex entity descriptor to add your GitHub teams. Be sure to include both your GitHub organization name and the team name in the name field.

Field

Description

Required

Multiple GitHub organizations are not supported for ownership, and Cortex will use the default configuration when fetching teams.

Identity mappings

Cortex maps users' email addresses to discovered GitHub accounts, so you never need to define email ownership in an entity descriptor. Users must be members of GitHub teams to be pulled in to Cortex.

You can confirm users' GitHub accounts are connected from .

Using the GitHub integration

View GitHub data on entity pages in Cortex

The GitHub integration will populate the Repo and Language detail blocks on an . If a GitHub team has been for an entity, it will also appear in the Owners block.

Code & security

Vulnerabilities appear in the Vulnerabilities block under Code & security on an entity page overview.

Click Code & security in an entity's sidebar to view the full list of vulnerabilities for an entity. Cortex checks for:

Security Advisory vulnerabilities from the GraphQL API
vulnerabilities
- Cortex pulls data from code scanning, Dependabot alerts, CodeQL, and Secret scanning.

GitHub Advanced Security vulnerabilities are not surfaced for monorepos.

You can query for vulnerabilities with CQL and create Scorecard rules based on security metrics. See below.

Events

Recent commits appear at the top of an entity's overview page.

You can also click Events in the entity's sidebar to see all commits and releases associated with that entity. Each is hyperlinked to the commit or release page in GitHub and includes a timestamp.

Repository

You can access more detailed information pulled from GitHub in the Repository page in the sidebar. At the top of the page, you'll find the repo(s) associated with that entity and the most-used language in files for that entity. In the Top contributors block, you'll find the three users who have contributed the most code and the number of their contributions.

In the Commits section, you'll find the 10 most recent commits and metadata about each. Below Commits is the Recent releases section, which includes the 5 most recent releases.

Issue tracking

From the Issue tracking page in the entity's sidebar, you can find a list of open . Each issue will show the number, title, assignees, and date created.

Packages

To view packages, click Packages in the entity's sidebar.

The following package types are automatically scraped from repositories:

JavaScript / Node.js: package.json, package-lock.json, yarn.lock, pnpm-lock.yaml
Python: requirements.txt, pipfile.lock

All other files of these types can be added via the .

CI/CD - GitHub workflows

From the CI/CD > GitHub workflows page in the entity's sidebar, you can find a history of runs for the past week. Each run is tagged with its status: IN_PROGRESS, COMPLETED, SUCCESS, CANCELLED, FAILURE, PAUSED.

The GitHub workflows page displays data about workflows in GitHub, not Workflows initiated via .

Team entity pages

When a with a team entity, Cortex will pull GitHub users in to the Members tab. When available, Cortex will pull in the profile picture and email address for each user.

Engineering homepage

The GitHub integration enables Cortex to pull information about pull requests and issues into the . You can find your open pull requests, any pull requests assigned to you for review, and any issues assigned to you.

Pull requests and issues from GitHub are refreshed every 2 minutes.

Eng Intelligence

The uses pull request data from GitHub to generate metrics:

Average PR open to close time
Avg time to first review
Avg time to approval
PRs opened

Eng Intelligence also pulls in data from Copilot to show AI impact in the .

You can read more about how Eng Intelligence tracks metrics for teams and users in the .

To add deployments for your Github related entity, you can send a deployment event to the

Scorecards and CQL

With the GitHub integration, you can create Scorecard rules and write CQL queries based on GitHub data.

See more examples in the in Cortex.

Approvals required to merge

Number of approvals required to merge a pull/merge request into a repository. Defaults to 0 if no approvals are defined.

Definition: git.numOfRequiredApprovals()

Examples

For a security or development maturity Scorecard, you can write a rule to make sure at least one approval is required to merge a pull/merge request:

Git repository set

Check if an entity has a registered Git repository.

Definition: git (==/!=) null: Boolean

Example

In a Scorecard, you can write a rule that detects whether an entity has a Git repository set:

Branches

List all live branches with some basic metadata.

Head
Is protected

Branch protection details

Find details for specified branch, or default branch if none is specified.

Branch name
Code owner reviews required

Commits

Get the latest commits (to a maximum of 100) for a defined lookback period (defaulting to 7 days).

Date
Message

Default branch

Default branch for the repository, or main when null.

Definition: git.defaultBranch()

Example

If default branches should always be named "main," you can write a rule to make sure entities follow this practice:

File contents

Load the contents of a file from the entity's associated repository.

The contents can be validated by using string comparison operations or parsed by the built-in jq function. The jq function will automatically coerce file contents of JSON or YAML formats.

Definition: git.fileContents()

Example

For a Scorecard focused on development maturity, you could use the

File exists

Check if file exists from within the entity's associated repository.

Definition: git.fileExists()

Examples

For a Scorecard focused on best practices, you can make sure that repositories contain a README.md file:

This rule would make sense in the first level because it's so essential.

Number of Git vulnerabilities

Check the number of vulnerabilities for an entity's associated repository.

You can filter by severity (by default searches by all severities) or source (by default only searches GitHub security advisories).

When using the GitHub Advanced Security source, severities displayed in the UI may not match severities returned by the API.

Definition: git.numOfVulnerabilities()

List of Git vulnerabilities

Lists the vulnerabilities for an entity's associated repository. You can filter by severity (by default searches by all severities) or source (by default only searches GitHub security advisories). Note when using the GitHub Advanced Security source, severities displayed in the UI may not match severities returned by the API.

Definition: git.vulnerabilities()

Examples

You could write a Scorecard rule that verifies an entity has fewer than 5 Git vulnerabilities:

Has Cortex YAML

Check if a repository has a valid cortex.yaml file checked in at the root directory (when GitOps is enabled).

Definition: git.hasCortexYaml()

Example

If you're using a Scorecard to track a migration from Cortex UI to GitOps, you can use this rule to make sure entities are set up for GitOps management of entity descriptors:

Last commit details

Provides last commit details.

Date
Message

Pull requests

Lists pull requests opened during a defined lookback period.

Approval date
Author

Reviews

List reviews left during a defined lookback period.

Organization
Repository

Workflow runs

Get workflow runs meeting given filter criteria, including conclusions, statuses, and a lookback period.

Conclusion
Name

Ownership CQL

All ownership details

A special built-in type that supports a null check or a count check, used to enforce ownership of entities.

Definition: ownership: Ownership | Null

Example

An initial level in a security Scorecard might include a rule to ensure an entity has at least one team as an owner:

All owner details

List of owners, including team members and individual users, for each entity

Definition: ownership.allOwners()

Example

The Scorecard might include a rule to ensure that entity owners all have an email set:

Team details

List of teams for each entity

Definition: ownership.teams(): List<Team>

Example

The Scorecard might include a rule to ensure that an entity owners all have a description and are not archived:

Copilot CQL

AI adoption

The ratio of licensed seats that were active users of AI coding tools in a given time period. Returns a value between 0 and 1, where 1 represents 100% adoption. Note: This metric is only available for Team entities.

Definition: aiTools.analysis(lookback: Duration).aiAdoptionRate

Example

You could create a Scorecard rule to make sure AI adoption rate is at least 50% over the previous 30 days:

Active AI users

The number of users who used AI coding tools in a given time period. Note: This metric is only available for Team entities.

Definition: aiTools.analysis(lookback: Duration).activeAiUsers

Example

You could create a Scorecard rule to verify you had at least 5 active AI users in the last 7 days:

External repositories

By default, each GitHub rule is evaluated on the repository defined in a given entity descriptor. If the base path parameter has been set, CQL rules will automatically scope to the base path subdirectory.

To evaluate the rule for a service for an external repository, pass the repo identifier in the git(repoIdentifier: Text) command (e.g. git("github:org/repositoryName")).

This can be combined with other CQL rules. For example, a rule based on a dynamic external repository with custom data would be git("github:" + custom("my-custom-repo")).fileExists("README.md").

View integration logs

This feature is available to Cortex cloud customers.

On the integration settings page, click the Logs tab to view logs from the last 7 days. Learn more in .

Background sync

Cortex conducts a background sync of GitHub identities every day at 10 a.m. UTC. Pull requests and issues are refreshed about every 10 minutes.

FAQs and troubleshooting

I'm getting this error: "{"message":"Not Found", "documentation_url":"https://docs.github.com/rest/repos#get-a-repository"}".

If you've set up multiple GitHub accounts/organizations, Cortex will not be able to identify the correct one unless the alias variable is defined.

What if I have multiple email addresses set in my GitHub account?

Cortex will only detect the primary email address associated with your GitHub account if it is public.

If Cortex is not correctly pulling in user emails, ensure the given user(s) have allowed their email address to be public. Make sure the "Keep my email address private" setting is unchecked in the user's personal GitHub settings.

My ownership isn't being automatically mapped through GitHub.

If the email address associated with your Cortex account is not the same as your GitHub email address, you need to add your Cortex email address to the Public email dropdown in GitHub settings.

Github OAuth, which you can configure in Cortex user settings, allows you to link your GitHub username with your Cortex account, even if you don't have a public email set up on GitHub.

Still need help?

The following options are available to get assistance from the Cortex Customer Engineering team:

Email: , or open a support ticket in the in app Resource Center
Slack: Users with a connected Slack channel will have a workflow added to their account. From here, you can either @CortexTechnicalSupport or add a :ticket: reaction to a question in Slack, and the team will respond directly.

Don’t have a Slack channel? Talk with your Customer Success Manager.

Cortex Docs

Cortex Documentation

hashtagGet started with Cortex

hashtagCortex video overview

hashtagAccelerate the path to Engineering Excellence

Get Started

Cortex Quick Start

hashtagNeed additional guidance?

hashtagGetting started in Cortex

hashtagFollowing the streamlined onboarding

hashtagAdditional information

hashtagData modeling

hashtagTracking ownership with teams

hashtagExplore additional resources

Connect data

Overview: Ingesting data into Cortex

hashtagHow Cortex handles data modeling

hashtagConnect your data

hashtagCortex data concepts reference table

YAML linter tool

hashtagUsing the YAML linter

hashtagValidate a YAML file in the Cortex UI

hashtagValidation scope

hashtagGitOps settings for the linter tool

Adding entities

Add services

hashtagView services

Grouping entities

Viewing discovered entities

hashtagView the discovered entities

hashtagFilter the discovered entities list

hashtagImporting and removing entities

hashtagImport discovered entities

hashtagDelete discovered entities

hashtagIgnore discovered entities

hashtagTroubleshooting and FAQ

hashtagWhy do I not see all of my services from my APM provider in the discovered entities list?

Archiving entities

hashtagHow to archive and unarchive entities

Relationship graph

Using On-call Assistant for incidents

hashtagHow On-call Assistant works

hashtagNotifications

hashtagView runbooks and other links

hashtagView dependencies

hashtagEnabling On-call Assistant

hashtagPrerequisites

hashtagEnable On-call Assistant in Cortex

hashtagConfigure a webhook for read-only API keys

Manage entities using Cortex Terraform Provider

BambooHR

hashtagOverview

hashtag

CircleCI

Coralogix

hashtagOverview

hashtagHow to configure Coralogix with Cortex

hashtagPrerequisites

hashtagStep 1: Configure the integration in Cortex

hashtagHow to connect Cortex entities to Coralogix

hashtagDiscovery

hashtagEditing the entity descriptor

hashtagUsing the Coralogix integration

hashtagScorecards and CQL

hashtagView integration logs

Grafana

Humanitec

hashtagHow to integrate Humanitec with Cortex

Instana

hashtagOverview

hashtag

Lightstep

hashtagOverview

hashtag

Syntasso Kratix Enterprise (SKE)

Standardize

Scorecard rule filters

hashtagHow to set up a Scorecard rule filter

hashtagExample Scorecard rule filter

hashtagView the filter on the Scorecard home page

Get started with Cortex

Cortex video overview

Accelerate the path to Engineering Excellence

Need additional guidance?

Getting started in Cortex

Following the streamlined onboarding

Additional information

Data modeling

Tracking ownership with teams

Explore additional resources

How Cortex handles data modeling

Connect your data

Cortex data concepts reference table

Using the YAML linter

Validate a YAML file in the Cortex UI

Validation scope

GitOps settings for the linter tool

View services

View the discovered entities

Filter the discovered entities list

Importing and removing entities

Import discovered entities

Delete discovered entities

Ignore discovered entities

Troubleshooting and FAQ

Why do I not see all of my services from my APM provider in the discovered entities list?

How to archive and unarchive entities

How On-call Assistant works

Notifications

View runbooks and other links

View dependencies

Enabling On-call Assistant

Prerequisites

Enable On-call Assistant in Cortex

Configure a webhook for read-only API keys

Overview

Overview

How to configure Coralogix with Cortex

Prerequisites

Step 1: Configure the integration in Cortex

How to connect Cortex entities to Coralogix

Discovery

Editing the entity descriptor

Using the Coralogix integration

Scorecards and CQL

View integration logs

How to integrate Humanitec with Cortex

Overview

Overview

How to set up a Scorecard rule filter

Example Scorecard rule filter

View the filter on the Scorecard home page

Using the YAML linter

Validate a YAML file in the Cortex UI

Validation scope

GitOps settings for the linter tool

Get started with Cortex

Cortex video overview

Accelerate the path to Engineering Excellence

How to archive and unarchive entities

How archived entities are handled in Cortex

The "All entities" and Catalogs pages

An entity details page

Entity configuration

The discovered entities list

How to define and apply groups

Troubleshooting and FAQ

When should I use groups instead of custom data?

What is the difference between `x-cortex-service-groups` and `x-cortex-groups`?

How Cortex handles data modeling

Connect your data

Cortex data concepts reference table

View the discovered entities

Filter the discovered entities list

Importing and removing entities

Import discovered entities

Delete discovered entities

Ignore discovered entities

Troubleshooting and FAQ

Why do I not see all of my services from my APM provider in the discovered entities list?