AppCheck supports integration with Jira Cloud instances using version 2 of their REST API.
Integration with on-premises Jira instances may be possible but it is not officially supported.
Prerequisites
- You must have purchased Jira integration with AppCheck.
- You must be an admin user in AppCheck to access organisation settings.
- You must have permission to create and edit issues in the chosen board in Jira.
- You must have permission to perform workflow transitions if required.
- Jira integration must be configured at the organisation level before it can be configured for individual scans.
Accessing Integration Settings
After purchasing our Jira integration you will see Jira listed as an option in the Integrations area of the AppCheck portal:
You will need to be an administrator in AppCheck to access the Integrations screen. If the Jira option is still missing for you please raise a ticket with AppCheck Support.
You must create one or more Jira integration profiles before you are able to configure it for individual scans.
Configuration
- Configure one or more Jira integration profiles in AppCheck
- Configure Jira
- Test
- Configure one or more AppCheck scans to use your Jira profile
Configure one or more Jira integration profiles in AppCheck
In the Integrations screen in AppCheck, click Jira and create a new profile.
Configure the following information in your profile:
Basic Settings
| Setting | Description |
|---|---|
| Incoming webhook base URL | https://scanner.appcheck-ng.com/ |
| Webhook token | Unique secret token used in webhook URLs. This is provided in the integrations settings. Keep this token safe. |
| User email address | Recommended to use a dedicated Jira user for webhooks. |
| User password | The user’s API token. |
| Jira Instance URL | URL to your Jira instance. |
| Jira Project Key | Project key for your Jira board. |
| Default Jira Issue Type | Typically "Task". Template for creating issues. |
Vulnerabilities to send
In this section you can specify the Vulnerabilities to send to Jira based on their impact; eg if you select High and Critical then vulnerabilities with a High or Critical impact will be sent.
Advanced Settings
| Setting | Description |
|---|---|
| Jira "Fixed" state ID | ID for AppCheck’s Fixed status. |
| Jira "Acceptable Risk" state ID | ID for AppCheck’s Acceptable Risk status. |
| Jira "False Positive" state ID | ID for AppCheck’s False Positive status. |
| Jira "Unfixed" state ID | ID for AppCheck’s Unfixed status. |
| Jira High Priority ID | ID for High CVSS vulnerabilities. |
| Jira Medium Priority ID | ID for Medium CVSS vulnerabilities. |
| Jira Low Priority ID | ID for Low CVSS vulnerabilities. |
Configure Jira
Configure your Jira instance with the following information:
Webhooks
You will requires Jira admin privileges to configure webhooks.
- Webhooks must fire only for issues managed by AppCheck.
- Configure webhooks in Jira System Settings.
Issue Webhook
URL: https://scanner.appcheck-ng.com/integration/jira/<webhook-token>/vuln/update/{issue.id}
| JQL | project = appcheck-jira |
|---|---|
| Events | issue:updated |
Comment Webhook
URL: https://scanner.appcheck-ng.com/integration/jira/<webhook-token>/vuln/note/{comment.id}
| JQL | project = appcheck-jira |
|---|---|
| Events | comment:updated |
Create events are ignored as AppCheck creates the issues. Delete events are ignored as AppCheck does not handle deletions.
Workflow Constraints
- At least 2 transitions should exist (ideally 4 for each AppCheck status, unfixed/fixed/false positive/acceptable risk).
- Issues should be able to move between any statuses (needed for redetection handling).
Jira Board Requirements
- Issues must have the following fields: summary, description, labels, priority.
- Issue tracking must be enabled.
- At least 1 priority (ideally 3: low, medium, high).
Test
Once your AppCheck Jira profile is configured, and your Jira instance is configured, click Test in your AppCheck Jira profile to confirm everything is working.
Configure one or more AppCheck scans to use your Jira profile
In the integrations section of your scan configurations you can now select one of more Jira integration profiles to be used for that scan.
No vulnerabilities will be sent to Jira by a scan which does not have a profile selected.
Multiple profiles can be attached to a single scan; however, a vulnerability will only be linked to a single profile. For example, attaching two profiles with only High and only Medium enabled would cause no conflicts; attaching two profiles both with High enabled will mean the vulnerability only gets linked to the first profile in the list.
This behaviour is also the same across scans - if the same vulnerability appears in two different scans, with two conflicting profiles, whichever profile the vulnerability was linked to first will be used for future updates (regardless of the scan causing the update)
Advanced Information
Customising Jira IDs
If the defaults are interfering with Jira workflows it is recommended to update the defaults with your own values to make a 1-to-1 mapping of AppCheck statuses to Jira statuses/priorities.
Finding Jira IDs
Finding Priority IDs
- Navigate to:
https://[Your Jira instance root URL]/rest/api/2/priority - For each priority (High, Medium, Low), locate the desired Jira priority and record its "id" field.
Finding Status IDs
- Find the issue ID for an issue in the correct project. If needed, use the "Export XML" option in Jira to find the key.
- Navigate to:
https://[Your Jira instance root URL]/rest/api/2/issue/[issue-ID]/transitions - Find the status name and corresponding "id" for each AppCheck status: Fixed, Acceptable Risk, False Positive, Unfixed.
- Add these IDs to the AppCheck integration settings.
General Notes
- AppCheck uses Jira Issue ID (numeric), not the issue key (e.g. APCK-12).
- Moving an issue to another board does not affect the integration.
- AppCheck does not support delete operations.
- Deleted vulnerabilities in AppCheck do not affect Jira issues.
- Deleted Jira issues may be recreated by AppCheck on the next update.
Comments
0 comments
Article is closed for comments.