The devops:securityInfoProvider module allows Forge apps to send security information (such as vulnerabilities and security containers) to Jira and associate it with an issue.

Supplied security information will be presented in the development panel of the issue it is associated with.

Security information is written and deleted via the Jira Software REST API which can be accessed by Forge apps using the requestJira function.

When a user uninstalls an app, all the data that the app sent to Jira is deleted. If the app is reinstalled, this data won't be added back unless the app resends historical information to Jira.

Example

1
2
modules:
  devops:securityInfoProvider:
    - key: my-security-info-provider
      name:
        value: My Security Info Provider
      homeUrl: https://www.my-security-info.com
      logoUrl: https://www.my-security-info.com/logo.svg
      documentationUrl: https://www.my-security-info.com/help
      fetchWorkspaces:
        endpoint: fetchWorkspacesEndpoint
      fetchContainers:
        endpoint: fetchContainersEndpoint
      searchContainers:
        endpoint: searchContainersEndpoint
      onEntityAssociated:
        endpoint: onEntityAssociatedEndpoint
      onEntityDisassociated:
        endpoint: onEntityDisassociatedEndpoint

Properties

Property	Type	Required	Description
key	string	Yes	A key to identify this module.
name	object	Yes	A human readable name.
name.value	string	Yes	Min length: 1 Max length: 255
homeUrl	string	Yes	URL to the provider's homepage. Min length: 1 Max length: 255 Regex: `^(http\|https):\/\/.*$`
logoUrl	string	No	The logo for the provider, will be displayed in an area 16 by 16 pixels. Min length: 1 Max length: 255 Regex: `^(([^:/?#]+):)?(//([^/?#]))?([^?#])(\\\\?([^#]))?(#(.))?`
documentationUrl	string	No	Optional URL to documentation about the provider's Jira integration. Min length: 1 Max length: 255 Regex: `^(http\|https):\/\/.*$`
fetchWorkspaces	Action	Yes	Action invoked by Jira to fetch the list of workspaces available to the user from this security information provider. Example request 1 2 `{ "ids": [ "111-222-333", "444-555-666" ] }` Example response 1 2 { "workspaces": [ { // Identifier of the security workspace which will be used to hydrate workspace details id: "f730ce9c-3442-4f8a-93a4-a44f3b35c46b" // Human readable name of the workspace name: "economy-security-scanning", // Url allowing Jira to link directly to the provider's workspace url: "https://my.security.provider.com/org/f730ce9c-3442-4f8a-93a4-a44f3b35c46b" // Url providing the avatar for the workspace. avatarUrl: "https://res.cloudinary.com/snyk/image/upload/v1584038122/groups/Atlassian_Logo.png" } ] }
fetchContainers	Action	Yes	Action invoked by Jira to fetch the list of security containers within a workspace. Example request 1 2 `{ "ids": [ "f730ce9c-3442-4f8a-93a4-a44f3b35c46b/target/111-222-333" ] }` Example response 1 2 { "containers": [ { // Identifier of the security container which will be used to hydrate container details. This should be in this regex format: [a-zA-Z0-9\\-_.~@:{}=]+(/[a-zA-Z0-9\\-_.~@:{}=]+)*. id: "f730ce9c-3442-4f8a-93a4-a44f3b35c46b/target/111-222-333", // Human readable name of the container name: "my-container-name", // Url allowing Jira to link directly to the provider's container url: "https://my.security.provider.com/f730ce9c-3442-4f8a-93a4-a44f3b35c46b/container/f730ce9c-3442-4f8a-93a4-a44f3b35c46b", // Url providing the avatar for the container. avatarUrl: "https://res.cloudinary.com/snyk/image/upload/v1584038122/groups/Atlassian_Logo.png", // The date and time this container was last scanned/updated lastUpdatedDate: "2022-01-19T23:27:25+00:00" } ] }
searchContainers	Action	Yes	Action invoked by Jira to search for security containers matching a query. Example request 1 2 `{ "cloudId": "f730ce9c-3442-4f8a-93a4-a44f3b35c46b", "workspaceId": "111-222-333", "searchQuery": "" }` Example response 1 2 { "containers": [ { // Identifier of the security container which will be used to hydrate container details. This should be in this regex format: [a-zA-Z0-9\\-_.~@:{}=]+(/[a-zA-Z0-9\\-_.~@:{}=]+)*. id: "f730ce9c-3442-4f8a-93a4-a44f3b35c46b/target/111-222-333", // Human readable name of the container name: "my-container-name", // Url allowing Jira to link directly to the provider's container url: "https://my.security.provider.com/f730ce9c-3442-4f8a-93a4-a44f3b35c46b/container/f730ce9c-3442-4f8a-93a4-a44f3b35c46b", // Url providing the avatar for the container. avatarUrl: "https://res.cloudinary.com/snyk/image/upload/v1584038122/groups/Atlassian_Logo.png", // The date and time this container was last scanned/updated lastUpdatedDate: "2022-01-19T23:27:25+00:00" } ] }
onEntityAssociated	Action	No	Action invoked by Jira when a security container is associated with a Jira entity (such as an issue or project). Example request 1 2 { "entity": { // This is vulnerability Atlassian Resource Identifier (ARI). This should be in format: ari:cloud:jira:{siteId}:vulnerability/activation/{activationId}/{vulnerabilityId} "ari": "ari:cloud:jira:f730ce9c-3442-4f8a-93a4-a44f3b35c46b:vulnerability/activation/111-222-333/111111", // This is vulnerability identifier provided by the provider "id": "1234" }, "associatedWith": { // This is jira issue Atlassian Type Identifier (ATI) "ati": "ati:cloud:jira:issue", // This is jira issue Atlassian Resource Identifier (ARI) that gets associated with the vulnerability. This should be in format: ari:cloud:jira:{siteId}:issue/{issueId} "ari": "ari:cloud:jira:f730ce9c-3442-4f8a-93a4-a44f3b35c46b:issue/1234", // This is the siteId "cloudId": "f730ce9c-3442-4f8a-93a4-a44f3b35c46b", // This is jira issue identifier "id": "1234" } }
onEntityDisassociated	Action	No	Action invoked by Jira when a security container is disassociated from a Jira entity. Example request 1 2 { "entity": { // This is vulnerability Atlassian Resource Identifier (ARI). This should be in format: ari:cloud:jira:{siteId}:vulnerability/activation/{activationId}/{vulnerabilityId} "ari": "ari:cloud:jira:f730ce9c-3442-4f8a-93a4-a44f3b35c46b:vulnerability/activation/111-222-333/111111", // This is vulnerability identifier provided by the provider "id": "1234" }, "disassociatedFrom": { // This is jira issue Atlassian Type Identifier (ATI) "ati": "ati:cloud:jira:issue", // This is jira issue Atlassian Resource Identifier (ARI) that gets disassociated from the vulnerability. This should be in format: ari:cloud:jira:{siteId}:issue/{issueId} "ari": "ari:cloud:jira:f730ce9c-3442-4f8a-93a4-a44f3b35c46b:issue/1234", // This is the siteId "cloudId": "f730ce9c-3442-4f8a-93a4-a44f3b35c46b", // This is jira issue identifier "id": "1234" } }

Action

Property	Type	Required	Description
endpoint	string	Yes	The key of an endpoint module that points to a Forge remote. Jira invokes this endpoint when the action is triggered.