Protect your Jira content. Real-time, blazing fast scanning of Jira issues content, including summary, description, comments and even attachments!

Setup

Since Spectral never keeps your secrets and content, we provide an AWS lambda function that you deploy in your organization's AWS account.
Required permissions in AWS:

cloudformation:DescribeStacks
iam:CreateRole
iam:DeleteRole
apigateway:POST
logs:CreateLogGroup
iam:PutRolePolicy

In addition, you'll add a Jira webhook to send relevant events to this lambda.

Integration Environment Variables

| Variable | Required | Description |
|---|---|---|
| SPECTRAL_DSN | Yes | Your Spectral DSN retrieved from SpectralOps |
| JIRA_WEBHOOK_TOKEN | Yes | A token used to identify the sender, should be identical to the webhook token sent in the webhook_token param to the webhook endpoint |
| EMAIL | No | The email matching the Jira API token. If this is not provided, attachments will not be scanned |
| SPECTRAL_TAGS | No | Tags list to run Spectral with, separated by commas (e.g. base,iac,audit). Default is 'base' |
| REDACTED_MESSAGE | No | In case of active remediation - a custom message to replace findings |
| REMEDIATION_MODE | No | How to handle findings (Valid values: "Not active" / "Redact finding") |
| JIRA_API_TOKEN | No | A Jira API token to scan attachments as well. If this is not provided, attachments will not be scanned |
| JIRA_PROJECTS_BLACKLIST | No | A comma delimited list of project keys that you want to exclude from being scanned |
| JIRA_PROJECTS_WHITELIST | No | A comma delimited list of project keys that you want to scan. No other projects except these will be scanned |

Deploy the Lambda

Deploy using one of the following methods:

CloudFormation

Launch stack

Terraform

Deploy AWS resources using our Terraform module (set the integration_type param value to jira).

After the resources have been deployed, grab the function's API Gateway URL; we'll use it next.

Add Jira Webhook

Go to your Jira instance and add a new webhook in System Settings -> Webhooks (https://YOUR_ORG_NAME.atlassian.net/plugins/servlet/webhooks) to send events to the function.

Mark the following events for the webhook to send: (1) issue -> create + update (2) comment -> create + update (3) attachment -> create

The webhook URL should be the Lambda URL you grabbed from AWS. Make sure to copy the full URL and add a query string param for the webhook secret you entered when installing the Lambda, like so: https://random1.execute-api.us-east-1.amazonaws.com/prod/api/jira_event?webhook_token=[YOUR WEBHOOK SECRET]
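An added illustration, not Spectral's code: how a webhook receiver could enforce JIRA_WEBHOOK_TOKEN and the project lists from the variables table on an API Gateway proxy event. The function names, the sample values and the precedence when both lists are set are assumptions.

```python
import hmac
import json
import os


def csv_keys(env, name):
    """Parse a comma-delimited variable into a set of upper-cased project keys."""
    return {p.strip().upper() for p in env.get(name, "").split(",") if p.strip()}


def project_key(payload):
    """Project key from a Jira webhook body; falls back to the issue key prefix."""
    issue = payload.get("issue") or {}
    key = ((issue.get("fields") or {}).get("project") or {}).get("key")
    if not key and "-" in (issue.get("key") or ""):
        key = issue["key"].rsplit("-", 1)[0]
    return (key or "").upper()


def should_scan(event, env=os.environ):
    """Return (http_status, decision) for an API Gateway proxy event."""
    expected = env.get("JIRA_WEBHOOK_TOKEN", "")
    supplied = (event.get("queryStringParameters") or {}).get("webhook_token") or ""
    # Fail closed when no token is configured; compare in constant time.
    if not expected or not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 401, "rejected"
    try:
        payload = json.loads(event.get("body") or "")
    except ValueError:
        return 400, "rejected"
    if not isinstance(payload, dict):
        return 400, "rejected"
    key = project_key(payload)
    allow = csv_keys(env, "JIRA_PROJECTS_WHITELIST")
    deny = csv_keys(env, "JIRA_PROJECTS_BLACKLIST")
    # Assumed precedence: the blacklist always wins; a non-empty whitelist is exclusive.
    if key in deny or (allow and key not in allow):
        return 200, "skipped"
    return 200, "scan"


# Constructed sample configuration and events (not real tokens or projects).
SAMPLE_ENV = {"JIRA_WEBHOOK_TOKEN": "example-token", "JIRA_PROJECTS_BLACKLIST": "HR, legal"}


def sample_event(token, issue_key):
    body = {"webhookEvent": "jira:issue_updated", "issue": {"key": issue_key}}
    query = {"webhook_token": token} if token is not None else None
    return {"queryStringParameters": query, "body": json.dumps(body)}
```

Because the token travels in the URL, anything that records the full request URL (access logs, proxies) also records the token.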

That's it 💪

Your Jira content should now be monitored by Spectral.

Give it a spin

To verify everything works you can open a Jira issue with a (fake) secret (like AKIA4HK52OLF2AAN9KWV) and watch the status change in the next section.