Atlassian Security in Jira
StackHawk’s official Security in Jira integration.
Overview
The Security in Jira integration will automatically send HawkScan findings to Jira Projects enabled with Jira Security.
Security in Jira enables existing Jira users to view all the vulnerabilities found by various security tools. StackHawk improved the existing Jira Cloud integration to support sending HawkScan vulnerabilities to the Jira security tab.
This integration works alongside the existing StackHawk Jira Cloud integration, and uses the same Atlassian marketplace addon. Enabling this integration also installs the StackHawk Jira Cloud integration.
Features
- HawkScan findings will automatically be sent as vulnerabilities to the Security tab in Security-enabled Jira Projects.
- Vulnerabilities in Jira can be converted to Jira issues within the Jira user interface, making for easy tracking of security issues alongside other stories and bugs.
Requirements
StackHawk:
- You must have a StackHawk account.
- Your StackHawk Organization must belong to a plan with Security in Jira support enabled. Reach out to support@stackhawk.com to enable it.
- You must be on version 0.3.0 or above of the Security in Jira integration. See here for instructions on upgrading.
Jira:
- You must have login permissions to the Jira workspace you wish to add the integration to.
- You must have sufficient administration permissions to install add-ons to your Jira Cloud workspace.
- You must have the security tab enabled in your Jira project.
NOTE: If you are an existing user of StackHawk’s Jira Cloud integration, your installation of the integration needs to be upgraded in your Jira instance. See the instructions on upgrading your Jira Cloud installation
Scopes
With this integration you authorize StackHawk with the following Jira Cloud scopes:
- Read access to the connected Jira Cloud workspace
- Write access to the connected Jira Cloud workspace
- Delete access to the connected Jira Cloud workspace
Invite Users
For the best experience with the Jira Security integration, we recommend inviting colleagues within your organization to the StackHawk platform.
Enabling the Security Tab
In order to enable the security tab in Jira:
- Navigate to a project.
- Go to Project Settings > Features.
- Under Development and next to Security, there will be a toggle switch. Click this toggle switch to enable Security in Jira.
- After clicking the toggle switch, the security tab should be visible in your Jira Project.
- If StackHawk’s Jira Security integration will be used across multiple projects, then this feature should be enabled in each of those projects.
Installation
Click here to install the StackHawk for Jira Cloud add-on from the Atlassian Marketplace
The StackHawk for Jira App will first need to be installed from the Atlassian marketplace, before it can be connected to a StackHawk organization.
- Log into StackHawk and visit the Jira Cloud Integration page in StackHawk
- Click
Enable Jira
. This will generate the temporary integration token. - Click the
View In Marketplace
button. This will open a new tab to add the StackHawk add-on from the Atlassian Marketplace. - In the new tab, click
Install
to add the app in your Jira Cloud workspace and go through installation process. Once completed, you can pressGet Started
to authorize the add-on with your Jira Cloud workspace.
Additionally, the app can be installed through the security tab. To install from the security tab:
- Navigate to a Jira project.
- Click the security tab in your project.
Only a single Jira Security integration needs to be installed for each StackHawk organization. Installation of the integration connects one StackHawk organization and one Jira instance, but allows for sending vulnerabilities to multiple Jira projects within that instance.
Token Authorization
Once the StackHawk add-on has been installed in Jira Cloud, a one-time integration token from StackHawk needs to be copied into Jira Cloud to connect the Jira Cloud Workspace with your StackHawk organization.
- After installing the app from the Marketplace, go to the Jira page in StackHawk.
- Copy the UUID integration token. Note: this key is time-sensitive, and will expire after one hour.
- In Jira Cloud, go to
Apps > Manage Your Apps > StackHawk for Jira > Get Started
. - Paste the integration token into the
StackHawk Integration Token
field. - If successful, your Jira Cloud workspace will now be connected to your StackHawk organization, and the integration completed.
Verify Installation
You can verify the Jira Cloud App installation at any time after configuring a integration token.
- Go to the Jira Security page in StackHawk.
- You should see a
Connected to: <your workspace URL>
, which indicates the integration has been linked to that Jira Cloud Workspace.
Configuration
The applications and environments which will send their vulnerabilities to Jira are configured from the StackHawk platform. This setup is a manual step to ensure that users have control over their vulnerabilities data and that vulnerability data isn’t being sent without user knowledge.
To configure the integration:
- Navigate to the integration page on the StackHawk platform, then the Jira Security tile.
- Click the “Add Connection” button, which will bring up the Add Connection modal
- In the modal, select the applications and specific environments whose scan results should be sent to a project’s security tab. If you would like all scan data in this organization to be sent to Jira, then select “All Applications” and “All Environments.”
- Finish by clicking the “Continue” button. The configured applications and environments should now start sending their data to Jira.
Adding Security Containers to Projects
In order to associate the scan results from applications and environments to the security tab of specific projects, those applications/environments must be added as security containers to those projects. To do this:
- On a project page, navigate to the Project Settings > Toolchain.
- Click “View all tools” if it is not already selected by default.
- If a section for “StackHawk for Jira” does not appear here, then it may be necessary to add it to the toolchain page. This can be done by clicking the “Add” button in the top-left corner and clicking “Add security container.” A modal will appear with an option to add “StackHawk for Jira” to the toolchain.
- Once the “StackHawk for Jira” section is visible, click the plus(+) icon which will open the Add Container modal.
- Select a container in the dropdown and click “Add container”
- The container will then be added to the project, making any vulnerabilities sent for that application and environment visible on the project’s security tab.
Vulnerabilities in Jira
After a connection between the application/environment and Jira has been established from the Jira Security tile in the StackHawk platform and the security container has been added to the project, any new scans that are run against those applications/envrionments will sent their scan results information to Jira in the form of vulnerabilities. After running a scan, vulnerabilities will be visible on the Security in Jira page.
On the Security in Jira page, security containers are listed at the top of the page. Vulnerabilities are listed in the bottom section and can be sorted by several characteristics such as by security container, severity, vulnerability status and issue status.
Data from HawkScan is represented on this page in the following ways:
- High/medium/low criticality alerts will translate to vulnerability severity
- The name of StackHawk findings from the findings page will be show on in Jira as the vulnerability names, including a count of the number of vulnerable paths
- Scan findings from the most recent scan will be shown as “Open” vulnerabilities.
- When a vulnerability was not found in the latest scan, the vulnerability will be marked as “Closed” in Jira.
- Vulnerabilities with at least one path that has not been triaged will remain open. For vulnerabilities whose paths have all been triaged, the vulnerability status will be set to “Ignored.” Triaged in this context means that the path has been marked with the “False Positive” or “Risk Accepted” triage statuses in the StackHawk platform. See more information on triage statuses.
Creating Jira Issues from Vulnerabilities
From Security in Jira, Jira issues can be created based on the vulnerabilities sent from StackHawk. Under the “Issues” column for each vulnerability is a “Create issue” button. Clicking this issue will open a modal with prefilled information about the vulnerability. This includes a description of the vulnerability with information generated by StackHawk.
Linking Jira Issues from the Security Tab
Jira issues created from the security tab in Jira can now be linked back to findings in the StackHawk platform. The creation of Jira issues from the security tab will automatically associate between the issue created for a vulnerability and the paths of the corresponding scan finding on the StackHawk side. The paths under the finding will be tagged with a Jira issue key and a link to the Jira issue.
Finding paths that have associated Jira issues will be considered triaged and will have the status of “Assigned.” Finding paths that have been triaged previously with another status such as “False Positive” or “Risk Accepted” will keep their existing statuses. If an issue is unlinked from a vulnerability on the security tab, this will result in the disassociation between the issue and any linked finding paths on the StackHawk side. Those finding paths will move back to an untriaged status (“New”).
To enable this linking/unlinking functionality, it is necessary to upgrade the installed version of the integration to 0.3.0 or higher. See here for the instructions on upgrading the Jira integration.
Update the Existing Installation
Existing users of the StackHawk for Jira addon must first update the addon to the latest supported version to enable support for the Security operations tab. If an update is available, a button to update the addon to the latest version will be visible from the Apps Management pane.
Removing the Security in Jira Integration
The Security in Jira integration can be disconnected from the StackHawk platform, or from the Security in Jira Integration page.
- Go to the Security in Jira Integration page in StackHawk.
- Click
Remove Integration
- From your Jira Workspace, go to
Apps > Manage Your Apps > StackHawk for Jira
- Click
Uninstall
Feedback
Have any suggestions, feature requests, or feedback to share? Drop us a line at support@stackhawk.com