Note: You will need to raise a ticket with AppCheck Support to have them send you a Webhook Token to enable the integration. It is recommended you raise this request before beginning the setup process to minimize your time waiting for a response.
AppCheck integrates with JIRA cloud instances using version 2 of their API.
To set up integration with your JIRA instance, AppCheck Support will need to be provided the following:
- URL to the JIRA cloud instance
- AppCheck's username for the JIRA instance
- An API token for AppCheck's user (see: https://confluence.atlassian.com/cloud/api-tokens-938839638.html)
- The JIRA project key
- JIRA issue type
Features
- AppCheck creates JIRA issues for discovered vulnerabilities.
- An AppCheck vulnerability syncs to a JIRA issue:
  - A unique JIRA comment is created to correspond with a vulnerability's workflow note. Updating this comment updates the vulnerability note and vice-versa.
  - The following AppCheck vulnerability statuses map to Jira's "Done" status:
    - Fixed
    - False Positive
    - Acceptable Risk
  - AppCheck's unfixed status maps to Jira's "ToDo" or "Open" status.
- An AppCheck vulnerability status change can update a JIRA issue status and vice-versa.
It is assumed that the following steps are performed by a user with system administration privileges.
As there is the potential for a great number of issues to be created from a single scan it is advisable, from an organizational point of view, to create a separate JIRA project for AppCheck.
AppCheck has been tested with JIRA's Basic software development template (in later versions of JIRA this template is now known as Bug Tracking) and we recommend this is the one to use when creating a JIRA project for AppCheck.
Note: It is also important that JIRA's default priorities are present as AppCheck will reference these by their ID.
Setup Process
- Create a JIRA Project
- Configure JIRA WebHooks
- Create an AppCheck user in JIRA
- Create an API Token
- Provide AppCheck Support With Your JIRA Details
- Configure a Scan To Send Vulnerabilities to JIRA
- Test
Create a JIRA Project
It is recommended to use the default issue types and work-flow statuses provided by the Basic Software Development or Bug Tracking templates.
You can customize the project details as you see fit, in this example we use the following:
- Name: AppCheck
- Key: AP
- Project lead: <leave as default>
Configure JIRA WebHooks
Navigate to: JIRA administration console > System > Webhooks
(in the Advanced section).
2 WebHooks are required. To create the webhooks you will need the webhook token supplied by AppCheck Support.
Issues Webhook
Select Create a WebHook to create our first WebHook for AppCheck and use the following details:
- Name: AppCheck Issue Update WebHook
- URL: https://scanner.appcheck-ng.com/integration/jira/<webhooktoken>/vuln/update/${issue.id}
- Events > Issue: Check the 'updated' checkbox
- JQL Query: project = <Name of Project, eg AppCheck>
Then save/create the WebHook.
Comments Webhook
For the second WebHook select 'Create WebHook' again and use the following details:
- Name: AppCheck Comment Update WebHook
- URL: https://scanner.appcheck-ng.com/integration/jira/<webhooktoken>/vuln/note/${comment.id}
- Events >Comment: Check the 'updated' checkbox
- JQL Query: project = <Name of Project, eg AppCheck>
Then save/create the WebHook.
Create an AppCheck user in JIRA
It is recommended to create a separate user for AppCheck in JIRA. The user will need permissions to create and modify JIRA issues.
Create an API Token
See https://support.atlassian.com/atlassian-account/docs/manage-api-tokens-for-your-atlassian-account/
Provide AppCheck Support With Your JIRA Details
AppCheck Support will need the following information to configure your JIRA integration on their side:
Item | Notes
---|---
JIRA Instance URL | Should be just the scheme and FQDN, not the path. Example: https://example.atlassian.net/
Username | The email address of the associated user. Example: my-user@example.com
API Token | A token generated as per https://support.atlassian.com/atlassian-account/docs/manage-api-tokens-for-your-atlassian-account/ Example: C0RR3CTH0RS3B4TT3RYST4PL39MESAFEUHAFR0DHAaVXT44819MESAFEUHAFR0DHAaVXT44819MESAFEUHAFR0DHAaVXT4481
Issue type | Example: Bug
JIRA Project Key | Usually a shortened version of the project name, but you choose this when creating the project. Example: APCK
You can use the same ticket you've opened with AppCheck Support to request your webhook token from them.
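Before handing these details to AppCheck Support, the following added example (not AppCheck's or Atlassian's own code) checks them against the Jira Cloud REST v2 API that AppCheck uses: that the API token authenticates as the intended user, that the project key exists and offers the chosen issue type, and that Jira's default priorities (which AppCheck references by ID) are still present. The `preflight` function, its messages, the `fetch` parameter (injectable so it can be tested offline) and the default priority names are this example's own assumptions.

```python
import base64
import json
import urllib.request

# Jira Cloud's default priority names (assumption: an unmodified priority scheme).
DEFAULT_PRIORITIES = {"Highest", "High", "Medium", "Low", "Lowest"}


def basic_auth_header(email, api_token):
    """Jira Cloud basic auth: account e-mail and API token, base64-encoded."""
    raw = f"{email}:{api_token}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def jira_get(base_url, path, email, api_token):
    """GET a Jira REST v2 resource and return the parsed JSON body."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"Authorization": basic_auth_header(email, api_token),
                 "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def preflight(base_url, email, api_token, project_key, issue_type, fetch=jira_get):
    """Return a list of problems found; an empty list means the details look usable."""
    problems = []
    # The instance URL must be scheme + FQDN only, with no path component.
    host_part = base_url.split("://", 1)[-1].rstrip("/")
    if "://" not in base_url or "/" in host_part:
        problems.append(f"instance URL must be scheme and FQDN only: {base_url}")
    # The token must authenticate as the AppCheck user, not some other account.
    me = fetch(base_url, "/rest/api/2/myself", email, api_token)
    if me.get("emailAddress", "").lower() != email.lower():
        problems.append(f"token authenticates as {me.get('emailAddress')!r}, not {email!r}")
    # The project key must resolve and its issue types must include the chosen one.
    project = fetch(base_url, f"/rest/api/2/project/{project_key}", email, api_token)
    names = {t.get("name") for t in project.get("issueTypes", [])}
    if issue_type not in names:
        problems.append(f"project {project_key} has no issue type {issue_type!r}: {sorted(names)}")
    # AppCheck references Jira's default priorities by ID, so they must still exist.
    prios = {p.get("name") for p in fetch(base_url, "/rest/api/2/priority", email, api_token)}
    missing = DEFAULT_PRIORITIES - prios
    if missing:
        problems.append(f"default priorities missing: {sorted(missing)}")
    return problems
```

Run `preflight("https://example.atlassian.net/", "my-user@example.com", "<api token>", "AP", "Bug")` with the real values; an empty list means the details are ready to send.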
Configure a Scan To Send Vulnerabilities to JIRA
Each scan definition has an option to determine whether a vulnerability is sent to JIRA based upon its severity, i.e. High, Medium or Low.
By default a scan definition sets these values to false, effectively instructing the scanner NOT to send any vulnerabilities to JIRA.
To change this, edit a scan definition and look for Integration Settings > JIRA.
Test
With setup complete you are ready to run a scan and observe the results in JIRA. If you have any problems ensure your settings are as described above; if they are but something is not working as expected please raise a ticket with AppCheck Support: https://appcheck-ng.com/get-help/contact-support/
Note: When AppCheck opens a JIRA issue a comment is created that syncs to the vulnerability's workflow note in AppCheck. The comment includes the following header text:
AppCheck NG workflow note
It is important not to remove this header - if you do the comment will not sync with AppCheck on update.