Protect your Jira content. Real-time, blazing fast scanning of Jira issue content, including summary, description, comments and even attachments!
Since Spectral never keeps your secrets and content, we provide an AWS Lambda function that you deploy in your organization's AWS account.
Required permissions in AWS:
cloudformation:DescribeStacks, iam:CreateRole, iam:DeleteRole, apigateway:POST, logs:CreateLogGroup, iam:PutRolePolicy
In addition, you'll add a Jira webhook to send relevant events to this Lambda.
|Variable|Required|Description|
|---|---|---|
|SPECTRAL_DSN|Yes|Your Spectral DSN retrieved from SpectralOps|
|JIRA_WEBHOOK_TOKEN|Yes|A token used to identify the sender; should be identical to the webhook token sent in the webhook_token param to the webhook endpoint|
||No|The email matching the Jira API token. If this is not provided, attachments will not be scanned|
|SPECTRAL_TAGS|No|Tags list to run Spectral with, separated by commas (e.g. base,iac,audit). Default is 'base'|
|REDACTED_MESSAGE|No|In case of active remediation, a custom message to replace findings|
|REMEDIATION_MODE|No|How to handle findings (valid values: "Not active" / "Redact finding")|
|JIRA_API_TOKEN|No|A Jira API token to scan attachments as well. If this is not provided, attachments will not be scanned|
|JIRA_PROJECTS_BLACKLIST|No|A comma-delimited list of project keys that you want to exclude from being scanned|
|JIRA_PROJECTS_WHITELIST|No|A comma-delimited list of project keys that you want to scan. No other projects except these will be scanned|
Deploy using one of the following methods:
Deploy AWS resources using our Terraform module (set the
integration_type param value to
After the resources have been deployed, grab the function's API Gateway URL; we'll use it next.
Go to your Jira instance and add a new webhook in System Settings -> Webhooks (
https://YOUR_ORG_NAME.atlassian.net/plugins/servlet/webhooks) to send events to the function.
Mark the following events for the webhook to send: (1) issue -> create + update, (2) comment -> create + update, (3) attachment -> create.
The webhook URL should be the Lambda URL you grabbed from AWS. Make sure to copy the full URL and add a query string param for the webhook secret you entered when installing the Lambda, like so:
https://random1.execute-api.us-east-1.amazonaws.com/prod/api/jira_event?webhook_token=[YOUR WEBHOOK SECRET]
Your Jira content should now be monitored by Spectral.
To verify everything works you can open a Jira issue with a (fake) secret (like
AKIA4HK52OLF2AAN9KWV) and watch the status change in the next section.
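A pre-deployment check for the settings table and the webhook URL described above, as an added example that is not Spectral's code. The function names and the `jira_email` parameter are hypothetical (the page does not name the email variable), and the sample values in it are constructed; the point to note is that the webhook secret must be URL-encoded, or Jira will send a token that no longer matches JIRA_WEBHOOK_TOKEN.

```python
"""Check the scanner settings and build the Jira webhook URL (added example)."""
from urllib.parse import parse_qs, urlencode, urlsplit

REQUIRED = ("SPECTRAL_DSN", "JIRA_WEBHOOK_TOKEN")
REMEDIATION_MODES = ("Not active", "Redact finding")


def _keys(value):
    """Split a comma-delimited list of project keys, ignoring blanks."""
    return {k.strip() for k in (value or "").split(",") if k.strip()}


def check_settings(env, jira_email=None):
    """Return a list of problems in the settings dict (empty list means OK).

    jira_email is a parameter because the page does not name that variable.
    """
    problems = [f"{name} is required" for name in REQUIRED if not env.get(name)]
    mode = env.get("REMEDIATION_MODE")
    if mode is not None and mode not in REMEDIATION_MODES:
        problems.append(f"REMEDIATION_MODE {mode!r} is not a valid value")
    if env.get("REDACTED_MESSAGE") and mode != "Redact finding":
        problems.append("REDACTED_MESSAGE is set but remediation is not active")
    # Attachments are scanned only when the API token and its email are both set.
    if bool(env.get("JIRA_API_TOKEN")) != bool(jira_email):
        problems.append("attachments will not be scanned: set both API token and email")
    overlap = _keys(env.get("JIRA_PROJECTS_WHITELIST")) & _keys(env.get("JIRA_PROJECTS_BLACKLIST"))
    if overlap:
        problems.append(f"projects in both whitelist and blacklist: {sorted(overlap)}")
    return problems


def webhook_url(function_url, token):
    """Append the webhook_token query parameter, URL-encoding the secret."""
    if urlsplit(function_url).scheme != "https":
        raise ValueError("webhook URL must use https")
    return f"{function_url}?{urlencode({'webhook_token': token})}"


def token_from_url(url):
    """Decode the token the way a receiver parsing the query string would."""
    return parse_qs(urlsplit(url).query)["webhook_token"][0]


if __name__ == "__main__":
    base = "https://random1.execute-api.us-east-1.amazonaws.com/prod/api/jira_event"
    secret = "s3cr+et&x=1#z"  # constructed sample secret with URL-special characters
    print(check_settings({"SPECTRAL_DSN": "constructed-dsn", "JIRA_WEBHOOK_TOKEN": secret}))
    print(webhook_url(base, secret))
```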
Updated 10 months ago