Atlassian Security in Jira
StackHawk’s official Security in Jira integration.
The Security in Jira integration will automatically send HawkScan findings to Jira Projects enabled with Jira Security.
Security in Jira enables existing Jira users to view all the vulnerabilities found by various security tools. StackHawk improved the existing Jira Cloud integration to support sending HawkScan vulnerabilities to the Jira security tab.
This integration works alongside the existing StackHawk Jira Cloud integration, and uses the same Atlassian marketplace addon. Enabling this integration also installs the StackHawk Jira Cloud integration.
- HawkScan findings will automatically be sent as vulnerabilities to the Security tab in Security-enabled Jira Projects.
- Vulnerabilities in Jira can be converted to Jira issues within the Jira user interface, making for easy tracking of security issues alongside other stories and bugs.
- You must have a StackHawk account.
- Your StackHawk Organization must belong to a plan with Security in Jira support enabled. Reach out to email@example.com to enable it.
- You must have login permissions to the Jira workspace you wish to add the integration to.
- You must have sufficient administration permissions to install add-ons to your Jira Cloud workspace.
- You must have the security tab enabled in your Jira project.
NOTE: If you are an existing user of StackHawk’s Jira Cloud integration, your installation of the integration needs to be upgraded in your Jira instance. See the instructions on upgrading your Jira Cloud installation.
With this integration you authorize StackHawk with the following Jira Cloud scopes:
- Read access to the connected Jira Cloud workspace
- Write access to the connected Jira Cloud workspace
- Delete access to the connected Jira Cloud workspace
For the best experience with the Jira Security integration, we recommend inviting colleagues within your organization to the StackHawk platform.
Enabling the Security Tab
In order to enable the security tab in Jira:
- Navigate to a project.
- Go to Project Settings > Features.
- Under Development and next to Security, there will be a toggle switch. Click this toggle switch to enable Security in Jira.
- After clicking the toggle switch, the security tab should be visible in your Jira Project.
- If StackHawk’s Jira Security integration will be used across multiple projects, then this feature should be enabled in each of those projects.
The StackHawk for Jira App will first need to be installed from the Atlassian marketplace, before it can be connected to a StackHawk organization.
- Log into StackHawk, visit the Jira Cloud Integration page, and enable Jira. This will generate the temporary integration token.
- Click the “View In Marketplace” button. This will open a new tab to add the StackHawk add-on from the Atlassian Marketplace.
- In the new tab, click “Install” to add the app to your Jira Cloud workspace and go through the installation process. Once completed, you can press “Get Started” to authorize the add-on with your Jira Cloud workspace.
Additionally, the app can be installed through the security tab. To install from the security tab:
- Navigate to a Jira project.
- Click the security tab in your project.
Only a single Jira Security integration needs to be installed for each StackHawk organization. Installation of the integration connects one StackHawk organization and one Jira instance, but allows for sending vulnerabilities to multiple Jira projects within that instance.
Once the StackHawk add-on has been installed in Jira Cloud, a one-time integration token from StackHawk needs to be copied into Jira Cloud to connect the Jira Cloud Workspace with your StackHawk organization.
- After installing the app from the Marketplace, go to the Jira page in StackHawk.
- Copy the UUID integration token. Note: this key is time-sensitive, and will expire after one hour.
- In Jira Cloud, go to Apps > Manage Your Apps > StackHawk for Jira > Get Started.
- Paste the integration token into the “StackHawk Integration Token” field.
- If successful, your Jira Cloud workspace will now be connected to your StackHawk organization, and the integration completed.
You can verify the Jira Cloud App installation at any time after configuring an integration token.
- Go to the Jira Security page in StackHawk.
- You should see “Connected to: <your workspace URL>”, which indicates the integration has been linked to that Jira Cloud Workspace.
The applications and environments which will send their vulnerabilities to Jira are configured from the StackHawk platform. This setup is a manual step to ensure that users have control over their vulnerability data and that vulnerability data isn’t being sent without user knowledge.
To configure the integration:
- Navigate to the integration page on the StackHawk platform, then the Jira Security tile.
- Click the “Add Connection” button, which will bring up the Add Connection modal.
- In the modal, select the applications and specific environments whose scan results should be sent to a project’s security tab. If you would like all scan data in this organization to be sent to Jira, then select “All Applications” and “All Environments.”
- Finish by clicking the “Continue” button. The configured applications and environments should now start sending their data to Jira.
Adding Security Containers to Projects
In order to associate the scan results from applications and environments to the security tab of specific projects, those applications/environments must be added as security containers to those projects. To do this:
- On a project page, navigate to the Project Settings > Toolchain.
- Click “View all tools” if it is not already selected by default.
- If a section for “StackHawk for Jira” does not appear here, then it may be necessary to add it to the toolchain page. This can be done by clicking the “Add” button in the top-left corner and clicking “Add security container.” A modal will appear with an option to add “StackHawk for Jira” to the toolchain.
- Once the “StackHawk for Jira” section is visible, click the plus (+) icon, which will open the Add Container modal.
- Select a container in the dropdown and click “Add container”.
- The container will then be added to the project, making any vulnerabilities sent for that application and environment visible on the project’s security tab.
Vulnerabilities in Jira
After a connection between the application/environment and Jira has been established from the Jira Security tile in the StackHawk platform and the security container has been added to the project, any new scans that are run against those applications/environments will send their scan results to Jira in the form of vulnerabilities. After running a scan, vulnerabilities will be visible on the Security in Jira page.
On the Security in Jira page, security containers are listed at the top of the page. Vulnerabilities are listed in the bottom section and can be sorted by several characteristics such as by security container, severity, vulnerability status and issue status.
Data from HawkScan is represented on this page in the following ways:
- High/medium/low criticality alerts will translate to vulnerability severity.
- The names of StackHawk findings from the findings page will be shown in Jira as the vulnerability names, including a count of the number of vulnerable paths.
- Scan findings from the most recent scan will be shown as “Open” vulnerabilities.
- When a vulnerability was not found in the latest scan, the vulnerability will be marked as “Closed” in Jira.
- Vulnerabilities with at least one path that has not been triaged will remain open. For vulnerabilities whose paths have all been triaged, the vulnerability status will be set to “Ignored.” Triaged in this context means that the path has been marked with the “False Positive” or “Risk Accepted” triage statuses in the StackHawk platform. See more information on triage statuses.
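As an added illustration of the rules just listed (example code, not StackHawk’s own), here is a small Python model that derives the Jira record for each finding from a previous and a latest scan. The Finding/Path structures, the constructed sample scans and the exact “(N paths)” title format are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Triage statuses the page says count as "triaged" for the Ignored rule.
TRIAGED = {"False Positive", "Risk Accepted"}
# HawkScan alert criticality -> Jira vulnerability severity.
SEVERITY = {"high": "High", "medium": "Medium", "low": "Low"}


@dataclass
class Path:
    url: str
    triage: str | None = None  # None means the path has not been triaged yet


@dataclass
class Finding:
    name: str                   # finding name as shown on the StackHawk findings page
    criticality: str            # "high" / "medium" / "low"
    paths: list[Path] = field(default_factory=list)


def status_for(finding: Finding) -> str:
    """Status of a finding that IS present in the latest scan."""
    if finding.paths and all(p.triage in TRIAGED for p in finding.paths):
        return "Ignored"        # every path triaged as False Positive / Risk Accepted
    return "Open"               # at least one path still needs attention


def record_for(finding: Finding, status: str) -> dict:
    # Title format with a path count is assumed; the page only says a count is included.
    return {"title": f"{finding.name} ({len(finding.paths)} paths)",
            "severity": SEVERITY[finding.criticality.lower()], "status": status}


def sync_statuses(previous: list[Finding], latest: list[Finding]) -> dict[str, dict]:
    """Open/Ignored for findings in the latest scan; Closed for ones that disappeared."""
    records = {f.name: record_for(f, status_for(f)) for f in latest}
    for f in previous:
        if f.name not in records:
            records[f.name] = record_for(f, "Closed")   # not found in the latest scan
    return records


# Constructed sample scans (not real HawkScan output).
SAMPLE_PREVIOUS = [Finding("SQL Injection", "high", [Path("/login")]),
                   Finding("Missing CSP Header", "low", [Path("/")])]
SAMPLE_LATEST = [Finding("SQL Injection", "high",
                         [Path("/login"), Path("/search", "Risk Accepted")]),
                 Finding("Missing X-Content-Type-Options", "medium",
                         [Path("/", "False Positive"), Path("/api", "Risk Accepted")])]

if __name__ == "__main__":
    for name, rec in sync_statuses(SAMPLE_PREVIOUS, SAMPLE_LATEST).items():
        print(rec["severity"], rec["status"], rec["title"])
```

Running the block shows the mixed-triage finding staying Open, the fully triaged one becoming Ignored, and the finding absent from the latest scan becoming Closed.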
Creating Jira Issues from Vulnerabilities
From Security in Jira, Jira issues can be created based on the vulnerabilities sent from StackHawk. Under the “Issues” column for each vulnerability is a “Create issue” button. Clicking this button will open a modal with prefilled information about the vulnerability. This includes a description of the vulnerability with information generated by StackHawk.
Update the Existing Installation
Existing users of the StackHawk for Jira add-on must first update the add-on to the latest supported version to enable support for the Security operations tab. If an update is available, a button to update the add-on to the latest version will be visible from the Apps Management pane.
Removing the Security in Jira Integration
The Security in Jira integration can be disconnected either from the StackHawk platform or from your Jira Workspace:
- In StackHawk, go to the Security in Jira Integration page.
- In your Jira Workspace, go to Apps > Manage Your Apps > StackHawk for Jira.
Have any suggestions, feature requests, or feedback to share? Drop us a line at firstname.lastname@example.org