Jira
Protect your Jira content. Real-time, blazing fast scanning of Jira issues content, including summary, description, comments and even attachments!
Setup
Since Spectral never keeps your secrets and content, we provide an AWS lambda function that you deploy in your organization's AWS account.
Required permissions in AWS:
cloudformation:DescribeStacks
iam:CreateRole
iam:DeleteRole
apigateway:POST
logs:CreateLogGroup
iam:PutRolePolicy
In addition, you'll add a Jira webhook to send relevant events to this lambda.
Integration Environment Variables
Variable | Required | Description |
---|---|---|
SPECTRAL_DSN | Yes | Your Spectral DSN retrieved from SpectralOps |
JIRA_WEBHOOK_TOKEN | Yes | A token used to identify the sender; it should be identical to the token sent in the webhook_token param to the webhook endpoint |
No | The email matching the jira api token. If this is not provided, attachments will not be scanned | |
SPECTRAL_TAGS | No | Comma-separated list of tags to run Spectral with (e.g. base,iac,audit). Default is 'base' |
REDACTED_MESSAGE | No | In case of active remediation - a custom message to replace findings |
REMEDIATION_MODE | No | How to handle findings (Valid values: "Not active" / "Redact finding") |
JIRA_API_TOKEN | No | A Jira api token to scan attachments as well. If this is not provided, attachments will not be scanned |
JIRA_PROJECTS_BLACKLIST | No | A comma delimited list of project keys that you want to exclude from being scanned |
JIRA_PROJECTS_WHITELIST | No | A comma delimited list of project keys that you want to scan. No other projects except these will be scanned |
Deploy the Lambda
Deploy using one of the following methods:
CloudFormation
Terraform
Deploy AWS resources using our Terraform module (set the integration_type param value to jira).
After the resources have been deployed, grab the function's API Gateway URL; we'll use it next.
Add Jira Webhook
Go to your Jira instance and add a new webhook in System Settings -> Webhooks (https://YOUR_ORG_NAME.atlassian.net/plugins/servlet/webhooks) to send events to the function.
Mark the following events for the webhook to send: (1) issue -> create + update (2) comment -> create + update (3) attachment -> create
The webhook URL should be the Lambda URL you grabbed from AWS. Make sure to copy the full URL and add a query string param for the webhook secret you entered when installing the Lambda, like so: https://random1.execute-api.us-east-1.amazonaws.com/prod/api/jira_event?webhook_token=[YOUR WEBHOOK SECRET]
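To make the roles of JIRA_WEBHOOK_TOKEN and the project lists concrete, here is an added sketch (not Spectral's Lambda code) of how a receiver behind API Gateway could check the webhook_token query parameter and apply JIRA_PROJECTS_WHITELIST / JIRA_PROJECTS_BLACKLIST. It assumes an API Gateway proxy event, issue events that carry the project key at issue.fields.project.key, and that the blacklist is applied after the whitelist when both are set; `should_scan` and `sample_event` are hypothetical names.

```python
import hmac
import json
import os


def _csv(name):
    """Parse a comma-delimited environment variable into a set of project keys."""
    return {p.strip().upper() for p in os.environ.get(name, "").split(",") if p.strip()}


def should_scan(event):
    """Return (http_status, decision) for an API Gateway proxy event sent by Jira."""
    expected = os.environ.get("JIRA_WEBHOOK_TOKEN", "")
    supplied = (event.get("queryStringParameters") or {}).get("webhook_token") or ""
    # Fail closed when no token is configured; compare in constant time.
    if not expected or not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 401, "bad webhook_token"
    try:
        body = json.loads(event.get("body") or "{}")
        # Assumed payload path for issue events.
        project = body["issue"]["fields"]["project"]["key"].upper()
    except (ValueError, KeyError, TypeError, AttributeError):
        return 400, "no project key in payload"
    allow, deny = _csv("JIRA_PROJECTS_WHITELIST"), _csv("JIRA_PROJECTS_BLACKLIST")
    if allow and project not in allow:
        return 200, "skipped: not in whitelist"
    if project in deny:  # assumption: blacklist still applies when a whitelist is set
        return 200, "skipped: blacklisted"
    return 200, "scan"


def sample_event(token, project):
    """Constructed API Gateway event carrying a minimal Jira issue payload."""
    payload = {"webhookEvent": "jira:issue_created",
               "issue": {"key": project + "-1", "fields": {"project": {"key": project}}}}
    return {"queryStringParameters": {"webhook_token": token}, "body": json.dumps(payload)}


if __name__ == "__main__":
    # Constructed values, for demonstration only.
    os.environ.update(JIRA_WEBHOOK_TOKEN="constructed-token", JIRA_PROJECTS_BLACKLIST="HR")
    for tok, proj in [("constructed-token", "SEC"), ("constructed-token", "HR"), ("wrong", "SEC")]:
        print(proj, should_scan(sample_event(tok, proj)))
```

The token travels in the URL query string, so anything that records full request URLs (proxy or access logs) will contain it; restrict access to those logs accordingly.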
That's it 💪
Your Jira content should now be monitored by Spectral.
Give it a spin
To verify everything works you can open a Jira issue with a (fake) secret (like AKIA4HK52OLF2AAN9KWV) and watch the status change in the next section.
Updated almost 2 years ago