Pillar Security
Visualize your Pillar Security AI-asset inventory and findings in the JupiterOne graph. Map the AI coding assistants, agents, tools, and MCP clients Pillar discovers across your developer endpoints and source-control repositories, relate them to the users and repositories that own them, and monitor Pillar's security findings — secret leaks, sensitive data in metaprompts, and prompt-injection risks — through custom queries and alerts.
- Installation
- Authorization
- Data Model
- Types
- Release Notes
Installation
The Pillar integration ingests your Pillar Security AI-asset inventory and findings using the Pillar API (https://api.pillar.security). It reads the endpoint inventory (/api/v1/inventory/endpoints), the repository inventory (/api/v1/inventory/repositories), and security issues (/api/v1/issues) to build a graph of the AI coding assistants, agents, tools, and MCP clients discovered across your developer machines and source-control repositories, along with the users and repositories that own them. Before setting up the integration in JupiterOne, you will need to create an API key in the Pillar dashboard.
Prerequisites
- A Pillar Security account with at least one application configured in the Inventory.
- Permission in the Pillar dashboard to create an API key for that application.
- Access to JupiterOne with permission to configure integrations.
Creating an API key in Pillar
- Log in to the Pillar Security dashboard.
- Navigate to Inventory and select the application you want JupiterOne to ingest.
- Open Settings > API Keys.
- Create a new API key and give it a recognizable name (for example,
JupiterOne Integration). - Copy the generated key — it is used as a bearer token and is shown only once.
The integration only reads from Pillar. The API key is used as a Bearer token against the inventory and issues endpoints — no write scopes are required. If your Pillar API key serves multiple applications (for example, gateway integrations such as LiteLLM, Kong, or ngrok), note the Application ID you want to scope ingestion to; you can supply it during configuration below. Most installs leave this unset.
Configuration in JupiterOne
To install the Pillar integration in JupiterOne, navigate to the Integrations tab in JupiterOne and select Pillar. Click New Instance to begin configuring your integration.
Creating an instance requires the following:
-
The Account Name used to identify the Pillar account in JupiterOne. Ingested entities will have this value stored in
tag.AccountNamewhen theAccountNametoggle is enabled. -
Description to assist in identifying the integration instance, if desired.
-
Polling Interval that you feel is sufficient for your monitoring needs. You may leave this as
DISABLEDand manually execute the integration. -
Your Pillar API Key — the key created above. This field is required.
-
Optionally, an API Base URL to override the Pillar API endpoint. Leave blank to use the default
https://api.pillar.security. Only override this for self-hosted Pillar Stack deployments. -
Optionally, an Application ID — the
x-plr-app-idvalue used to scope requests to a specific Pillar application when a single API key serves multiple applications. Most installs leave this unset.
Click Create once all values are provided to finalize the integration.
Next steps
Now that your integration instance has been configured, it will begin running on the polling interval you provided, populating data within JupiterOne. Continue on to our Instance management guide to learn more about working with and editing integration instances.
Entities
The following entities are created:
| Resources | Entity _type | Entity _class |
|---|---|---|
| Pillar Account | pillar_account | Account |
| Pillar AI Agent | pillar_agent | Application, NHI |
| Pillar Coding Assistant | pillar_coding_assistant | Application, NHI |
| Pillar Endpoint | pillar_endpoint | Host |
| Pillar Issue | pillar_issue | Finding |
| Pillar MCP Client | pillar_mcp_client | Application, NHI |
| Pillar Platform Integration | pillar_platform_integration | Application, NHI |
| Pillar Repository | pillar_repository | CodeRepo |
| Pillar Tool | pillar_tool | Application, NHI |
| Pillar User | pillar_user | User |
Relationships
The following relationships are created:
Source Entity _type | Relationship _class | Target Entity _type |
|---|---|---|
pillar_account | HAS | pillar_endpoint |
pillar_account | HAS | pillar_repository |
pillar_account | HAS | pillar_issue |
pillar_endpoint | HAS | pillar_agent |
pillar_issue | EXPLOITS | pillar_tool |
pillar_repository | HAS | pillar_coding_assistant |
pillar_repository | HAS | pillar_platform_integration |
pillar_repository | HAS | pillar_tool |
pillar_repository | HAS | pillar_mcp_client |
pillar_user | HAS | pillar_agent |
Mapped Relationships
The following mapped relationships are created:
Source Entity _type | Relationship _class | Target Entity _type | Direction |
|---|---|---|---|
pillar_repository | SCANS | code_repo | FORWARD |
Pillar Account
pillar_account inherits from Account
| Property | Type | Description | Specifications |
|---|---|---|---|
apiBaseUrl | string | The Pillar API base URL the integration is configured against (e.g. https://api.pillar.security). Set when self-hosted Pillar Stack is in use. | |
appId | string | Optional x-plr-app-id value used to scope requests to a specific Pillar application. Echoed onto the account so consumers can see which Pillar tenant each ingestion run covered. |
Pillar Agent
pillar_agent inherits from Application, NHI
| Property | Type | Description | Specifications |
|---|---|---|---|
agentName * | string | null | Agent identifier (e.g. claude-code, cursor, windsurf). Sourced from agents[].agentName. | |
agentType * | string | null | Agent form factor (cli, ide, etc.). Sourced from agents[].agentType. | |
agentVersion * | string | null | Installed agent version, when reported. Sourced from agents[].agentVersion. | |
mcpCount * | number | null | Number of MCP servers the agent has configured. Sourced from agents[].mcpCount. | |
organization * | string | null | Organisation affiliation reported by the agent's logged-in user. Sourced from agents[].organization. | |
permissionMode * | string | null | Permission mode in effect for the agent (ask, auto, bypass). Sourced from agents[].permissionMode. | |
sandboxEnabled * | boolean | null | Whether the agent is configured to run in sandbox mode. Sourced from agents[].sandboxEnabled. |
Pillar Coding Assistant
pillar_coding_assistant inherits from Application, NHI
| Property | Type | Description | Specifications |
|---|---|---|---|
category * | string | null | Pillar-side classification of the assistant. Sourced from codingAssistants[].category. | |
hasMcp * | boolean | null | Whether Pillar found MCP server configuration for this assistant in the repository. | |
hasRuleFiles * | boolean | null | Whether Pillar found rule / configuration files for this assistant in the repository. | |
tool * | string | null | Coding assistant tool name (e.g. claude-code, cursor, copilot). Sourced from codingAssistants[].tool. |
Pillar Endpoint
pillar_endpoint inherits from Host
| Property | Type | Description | Specifications |
|---|---|---|---|
criticalFindings * | number | null | Critical-severity findings from the latest scan. | |
firstSeenOn * | number | null | Epoch ms of the first Pillar scan against this machine. Parsed from firstSeen. (Host base class supplies lastSeenOn.) | |
highFindings * | number | null | High-severity findings from the latest scan. | |
latestReportId * | string | null | Pillar UUID for the most recent endpoint scan — feed into /inventory/scans/:id?source=endpoint to fetch the full report. | |
lowFindings * | number | null | Low-severity findings from the latest scan. | |
mediumFindings * | number | null | Medium-severity findings from the latest scan. | |
totalFindings * | number | null | Total finding count from the latest scan. | |
totalReports * | number | null | All-time count of scan reports submitted from this machine. | |
username * | string | null | OS username under which the latest Pillar scan ran. Sourced from Pillar username. |
Pillar Issue
pillar_issue inherits from Finding
| Property | Type | Description | Specifications |
|---|---|---|---|
assetType * | string | null | Type of asset where the issue was found (metaprompts, tools). Sourced from issues[].assetType. | |
currentStatus * | string | null | Issue status (open, closed). Sourced from issues[].currentStatus. | |
evidenceCategory * | string | null | Category of evidence (secret, pii, pci, access_capabilities, prompt_injection, evasion). Sourced from issues[].evidenceCategory. | |
evidencePath * | string | null | URL path to the location where the issue was found. Sourced from issues[].evidence.path. | |
evidenceType * | string | null | Specific finding type (e.g. github_token, credit_card, email_address). Sourced from issues[].evidence.finding.type. | |
issueDetailDescription * | string | null | Human-readable issue description. Sourced from issues[].issueDetailDescription. | |
source * | string | null | Source of the discovery (e.g. Discovery Scan). Sourced from issues[].source. |
Pillar Mcp Client
pillar_mcp_client inherits from Application, NHI
| Property | Type | Description | Specifications |
|---|---|---|---|
framework * | string | null | Framework the MCP client was detected within. | |
mcpName * | string | null | MCP client name. Sourced from mcpClients[].name. | |
mcpType * | string | null | Pillar-side MCP type classification. | |
transport * | string | null | MCP transport (e.g. stdio, http, sse). Sourced from mcpClients[].transport. |
Pillar Platform Integration
pillar_platform_integration inherits from Application, NHI
| Property | Type | Description | Specifications |
|---|---|---|---|
framework * | string | null | Framework Pillar attributed this integration to (e.g. LangChain, OpenAI SDK). | |
isPureAIService * | boolean | null | Whether the platform is exclusively an AI service (true) or a general-purpose platform that happens to host AI (false). | |
pillarService * | string | null | The Pillar-side service classification for this integration (e.g. chat completions, embeddings). Sourced from platformIntegrations[].service. | |
platform * | string | null | Upstream AI platform (e.g. OpenAI, Anthropic, AWS Bedrock). Sourced from platformIntegrations[].platform. |
Pillar Repository
pillar_repository inherits from CodeRepo
| Property | Type | Description | Specifications |
|---|---|---|---|
codingAssistantsCount * | number | null | Number of distinct AI coding assistants detected in the repo (rule files, MCP configs). | |
defaultBranch * | string | null | Default branch name as observed by Pillar at scan time. Sourced from Pillar defaultBranch. | |
hasLlmUsage * | boolean | null | Whether Pillar detected LLM (generative AI) usage in the repository. | |
hasMlUsage * | boolean | null | Whether Pillar detected ML (classical machine learning) usage in the repository. | |
language * | string | null | Primary repository language detected by the SCM. Sourced from Pillar language. | |
llmFrameworks * | array | null | LLM frameworks detected in the repository (e.g. LangChain, LangGraph, OpenAI SDK). Sourced from Pillar llmFrameworks. | |
mcpClientsCount * | number | null | Number of MCP client configs detected in the repo. | |
mlFrameworks * | array | null | ML frameworks detected in the repository (e.g. TensorFlow, PyTorch, Scikit-learn). Sourced from Pillar mlFrameworks. | |
platformIntegrationsCount * | number | null | Number of AI platform integrations detected in the repo. | |
scanId * | string | null | Pillar scan UUID for the most recent scan of this repo. | |
scannedOn * | number | null | Epoch ms of the most recent Pillar scan. Parsed from Pillar scanDate. | |
scanStatus * | string | null | Status of the most recent Pillar scan. | |
scm * | string | null | Source-control platform that hosts the repo (github, gitlab, azure_devops). Sourced from Pillar scm. | |
toolsCount * | number | null | Number of AI tool definitions detected in the repo. |
Pillar Tool
pillar_tool inherits from Application, NHI
| Property | Type | Description | Specifications |
|---|---|---|---|
fileLine * | number | null | Line number where the tool is defined. Sourced from tools[].line. | |
filePath * | string | null | Repo-relative file path where the tool is defined (e.g. src/app.py). Sourced from tools[].path; null for scans predating tool-location capture. | |
framework * | string | null | Framework the tool is defined in (e.g. LangChain, LangGraph). Sourced from tools[].framework. | |
isPoisoned * | boolean | null | Whether Pillar has flagged the tool as poisoned (contains prompt-injection or other attacker-controlled content). Sourced from tools[].postureSummary.isPoisoned. | |
postureCategory * | string | null | Pillar's posture category for the tool (e.g. read_only, code_execution). Sourced from tools[].postureSummary.category. | |
postureFindingsCount * | number | null | Number of posture findings against the tool. Sourced from tools[].postureSummary.findingsCount. | |
toolName * | string | null | Tool name. Sourced from tools[].name. | |
toolType * | string | null | Pillar-side tool classification. Sourced from tools[].type. |
Pillar User
pillar_user inherits from User
| Property | Type | Description | Specifications |
|---|---|---|---|
organization * | string | null | Organisation affiliation reported by Pillar for this user, when present. Sourced from the agent install's organization field. |
Release Notes
- 2026-07-13 — New Pillar Security integration: ingests the account, developer endpoints and their installed AI coding assistants, source-control repositories with their discovered AI assets (coding assistants, platform integrations, tools, and MCP clients), and security issues, and projects a SCANS relationship from Pillar repositories to native code repositories.