Jira Integration
DevGuard integrates with Jira to provide vulnerability ticket management in your existing issue tracking workflow.
Overview
The Jira integration provides:
- Issue Creation: Create Jira issues for discovered vulnerabilities — this can happen automatically for dependency vulnerabilities when they exceed a threshold, or manually by users for any vulnerability type
- Issue Updates: Sync vulnerability status changes to Jira
- Webhook Processing: React to issue transitions and comments in real-time
- Bidirectional Sync: Comments in Jira can update vulnerability status in DevGuard
Integration Setup
The Jira integration requires an API token and user email for authentication:
| Field | Description |
|---|---|
| URL | Your Jira instance URL (e.g., https://company.atlassian.net) |
| Token | Jira API token for authentication |
| UserEmail | Email address of the Jira user for the API token |
| Name | A friendly name for this integration |
How It Works
- Configure Integration: Add your Jira instance URL, API token, and user email in DevGuard
- Link Asset: Connect a DevGuard asset to a Jira project
- Create Issues: Vulnerabilities can be pushed to Jira as issues (automatically or manually)
- Sync Status: Changes in either system are synchronized via webhooks
Issue Creation
When a vulnerability is flagged for remediation, DevGuard creates a Jira issue containing detailed information about the vulnerability, including severity, affected components, and labels for categorization.
Comment Commands
Users can control vulnerability status through Jira comments:
| Command | Effect |
|---|---|
| `/accept <reason>` | Accept the vulnerability risk |
| `/component-not-present <reason>` | Mark as false positive |
| `/vulnerable-code-not-present <reason>` | Mark as false positive |
| `/vulnerable-code-not-in-execute-path <reason>` | Mark as false positive |
| `/vulnerable-code-cannot-be-controlled-by-adversary <reason>` | Mark as false positive |
| `/inline-mitigations-already-exist <reason>` | Mark as false positive |
| `/reopen` | Reopen a closed vulnerability |
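The command table above, as an added Go example (not DevGuard's own code) that parses a Jira comment body into a command, effect, and reason. The `Effect` names, the `ParseCommand` function, and the rule that the command must be the first token of the comment's first line are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Effect is the DevGuard-side outcome of a command (names are assumptions).
type Effect string

const (
	Accept        Effect = "accepted"
	FalsePositive Effect = "false-positive"
	Reopen        Effect = "reopened"
)

// commands mirrors the documented comment command table.
var commands = map[string]Effect{
	"/accept": Accept,
	"/component-not-present": FalsePositive,
	"/vulnerable-code-not-present": FalsePositive,
	"/vulnerable-code-not-in-execute-path": FalsePositive,
	"/vulnerable-code-cannot-be-controlled-by-adversary": FalsePositive,
	"/inline-mitigations-already-exist": FalsePositive,
	"/reopen": Reopen,
}

// ParseCommand inspects only the first line of a comment. The first token must
// match a documented command exactly; prefixes and mid-sentence mentions are ignored.
func ParseCommand(body string) (cmd string, effect Effect, reason string, ok bool) {
	line, _, _ := strings.Cut(strings.TrimSpace(body), "\n")
	fields := strings.Fields(line)
	if len(fields) == 0 {
		return "", "", "", false
	}
	effect, ok = commands[fields[0]]
	if !ok {
		return "", "", "", false
	}
	return fields[0], effect, strings.Join(fields[1:], " "), true
}

func main() {
	// Constructed sample comments, not taken from a real Jira instance.
	for _, c := range []string{"/accept risk accepted until Q3", "/reopen", "please /accept this"} {
		_, effect, reason, ok := ParseCommand(c)
		fmt.Printf("%q -> ok=%v effect=%q reason=%q\n", c, ok, effect, reason)
	}
}
```

Exact matching on the first token keeps a comment that merely mentions a command, or uses a lookalike such as `/acceptall`, from changing vulnerability status.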
Webhook Processing
DevGuard processes Jira webhooks to synchronize issue state changes.
Processed Events
| Event | Action |
|---|---|
| Issue Closed | Vulnerability marked as accepted |
| Issue Reopened | Vulnerability reopened |
| Comment Added | Process slash commands |
Issue State Synchronization
DevGuard manages Jira issue states through transitions:
| Jira Status Category | DevGuard Interpretation |
|---|---|
| To Do | Open vulnerability |
| In Progress | Open vulnerability |
| Done | Closed vulnerability |
Priority Mapping
DevGuard automatically sets the Jira issue priority based on vulnerability severity:
| Severity | Jira Priority |
|---|---|
| Critical | Highest |
| High | Highest |
| Medium | Default |
| Low | Default |
Testing the Integration
When saving a Jira integration, DevGuard validates:
- API Token: Tests authentication with Jira API
- User Email: Retrieves the Account ID for the provided email
- Connection: Verifies connectivity to the Jira instance
Related Documentation
- Connect Jira — Step-by-step setup guide
- Jira Issue Creation — Configure issue templates
- Jira Status Sync — Understand status synchronization
- Integration Architecture — Overall integration design