As part of uplifting the security baseline for all Marketplace apps, we are launching a new set of security questions for Marketplace partners to complete during the app onboarding and app review processes. Below are the questionnaires for each app type.
Review Criteria:
We expect all apps to adhere to Atlassian app development standards. Refer to the Security Requirements: https://developer.atlassian.com/platform/marketplace/security-requirements
| Icon | Description |
|---|---|
| ℹ️ | Informational: No action needed. Does not block the app from listing on the Marketplace. |
| ⚠️ | Warning: Indicates a security concern and we will provide a recommendation. Does not block the app from listing on the Marketplace. |
| 🚫 | Fail: Indicates a security violation that must be addressed. Blocks the app from listing on the Marketplace and the respective app approval/review ticket will be rejected. |

| Category | Questions | Review Signal |
|---|---|---|
| Authentication & Authorization | 1. Does your Forge app functionality include user interactions? (Yes/No) | ℹ️ |
| | a. If yes, does your app use the asUser() method where applicable for actions performed by the user? (Yes/No) | ⚠️ |
| | 2. Does your app use Forge remote? (Yes/No) | ℹ️ |
| | a. If yes, does your remote host validate authentication information from the Forge Invocation Token (FIT)? (Yes/No) | 🚫 |
| | b. If yes, does your remote host execute user actions that require user context and appropriately validate whether the user has the necessary permissions? (Yes/No/Not Applicable) | 🚫 |
| | 3. Before invoking calls using asApp() on actions that require user-specific permissions, do you ensure that the user has the necessary permissions by calling the permissions REST APIs? (Yes/No/Not Applicable) | 🚫 |
| | 4. Does your Forge app use web triggers? (Yes/No) | ℹ️ |
| | a. If yes, do you perform authentication checks on the web trigger when invoking critical functions? (Yes/No) | ⚠️ |
| | 5. Does your Forge app use display conditions? (Yes/No) | ℹ️ |
| | a. If yes, do you rely solely on these conditions and not check user permissions in your code? (Yes/No) | ⚠️ |
| Data Security | 6. Does your Forge app egress data to external hosts? (Yes/No) | ℹ️ |
| | a. If yes, do the egress domains include `*.com` or `*` in the list? (Yes/No) | 🚫 |
| | b. If yes, does your egress domain/remote host support TLS versions below 1.2? (Yes/No) | 🚫 |
| | c. If yes, do you plan to renew the egress domain as well as its certificate when they expire? (Yes/No) | ⚠️ |
| | d. If yes, did you implement controls to safeguard customer data stored at rest on the remote host? (Yes/No) | ⚠️ |
| | i. If yes, please list all the controls in place. (Open text) | ℹ️ |
| | 7. Does your Forge app adhere to the principle of least privilege by ensuring that the app's scope is limited to only the permissions necessary for its functionality? (Yes/No) | ⚠️ |
| | 8. Does your app log sensitive information (such as PII, credentials, access tokens, or API keys) in Forge logs? (Yes/No) | ⚠️ |
| Application Security | 9. Have you implemented controls in the app to validate and sanitize all user inputs in order to mitigate vulnerabilities related to injection attacks? (Yes/No) | ⚠️ |
| | a. If yes, please explain the input validations implemented on user inputs / URLs, if applicable. (Open text) | ℹ️ |
| | 10. Did you review the app's 3rd party dependencies for vulnerabilities using automated tools, and do you plan to keep these dependencies up to date? (Yes/No) | 🚫 |
| Secrets Management | 11. Does your app collect Atlassian user account credentials, such as passwords or API tokens? (Yes/No) | 🚫 |
| | 12. Does your app collect any 3rd party service's credentials or tokens? (Yes/No) | ℹ️ |
| | a. If yes, do you store them in Forge storage with encryption? (Yes/No) | ℹ️ |
| | i. If not, do you store them externally? (Yes/No) | ℹ️ |
| | 13. Does your app expose any secrets in plain text in accessible locations like URLs, source code, or code repositories? (Yes/No) | 🚫 |
| Vulnerability Management | 14. Do you perform vulnerability scans and review results? (Yes/No) | ℹ️ |
| | a. If yes, please select the type of scans performed: 1. Software composition analysis (SCA) 2. Static application security testing (SAST) 3. Dynamic application security testing (DAST) | ℹ️ |
| | 15. Have you read our Marketplace Security Bug Fix policy? (Yes/No) | ℹ️ |
| | 16. Do you plan to notify customers and Atlassian in case of a security incident or a critical vulnerability on your app? (Yes/No) | ℹ️ |
| | 17. Have you identified a security contact for the app and created an account on ecosystem.atlassian.net? (Yes/No) | ℹ️ |

| Category | Questions | Review Signal |
|---|---|---|
| Authentication & Authorization | 1. Does your app use Connect JWT for authentication? (Yes/No) | ℹ️ |
| | a. If no, please explain how user actions are authenticated. (Open text) | ⚠️ |
| | b. If yes, does your app validate user permissions on all endpoints through the permissions REST APIs? (Yes/No) | 🚫 |
| | c. If yes, does the app validate the authenticity of incoming JWTs (including token signature and expiration) on all endpoints? (Yes/No) | 🚫 |
| | d. If yes, does your app accept context JWTs on module or lifecycle endpoints? (Yes/No) | ⚠️ |
| | 2. Does your app validate signed install and uninstall lifecycle hooks? (Yes/No) | 🚫 |
| | 3. Does your app require ADMIN or ACT_AS_USER roles? (Yes/No) | ℹ️ |
| | a. If yes, could you please explain the necessity of these roles for your application? (Open text) | ℹ️ |
| | 4. Is anonymous access allowed on your app? (Yes/No) | ℹ️ |
| | a. If yes, can anonymous users access non-public/UGC data through any of the endpoints? (Yes/No) | 🚫 |
| | 5. Does your app use webhooks? (Yes/No) | ℹ️ |
| | a. If yes, does your app validate the authenticity of the webhook POST request via the JWT received in the Authorization header? (Yes/No) | ⚠️ |
| | 6. Does your app use Connect conditions? (Yes/No) | ℹ️ |
| | a. If yes, do you rely solely on these conditions and not check user permissions in your code? (Yes/No) | ⚠️ |
| Data Security | 7. Does your app use Entity or App properties to store sensitive information? (Yes/No) | 🚫 |
| | 8. Have you established measures to protect customer data both at rest and in transit on the app's server? (Yes/No) | ⚠️ |
| | a. If yes, please provide a detailed list of these controls. (Open text) | ℹ️ |
| | 9. Are all communications with the app server encrypted over TLS 1.2 or above? (Yes/No) | 🚫 |
| | 10. Is the Connect shared secret encrypted at rest and securely stored? (Yes/No) | ⚠️ |
| | a. If yes, please provide a detailed list of controls. (Open text) | ℹ️ |
| | 11. Does your app adhere to the principle of least privilege by ensuring that the app's scope is limited to only the permissions necessary for its functionality? (Yes/No) | ⚠️ |
| | 12. Does your app log sensitive information (such as PII, credentials, access tokens, or API keys) in application logs? (Yes/No) | ⚠️ |
| Application Security | 13. Does the app validate and sanitize all user inputs in order to mitigate vulnerabilities related to injection attacks? (Yes/No) | ⚠️ |
| | a. If yes, please explain the input validations implemented. (Open text) | ℹ️ |
| | 14. Does your app use template engines? (Yes/No) | ℹ️ |
| | a. If yes, have you implemented controls to restrict the template engine from executing dangerous functions, thereby preventing harmful code execution? (Yes/No) | ⚠️ |
| | 15. Do you own the domain or subdomain on which your app is hosted? (Yes/No) | ℹ️ |
| | a. If yes, do you plan to maintain the domain/certificate validity and renew them when they expire? (Yes/No) | ⚠️ |
| | 16. Did you review the app's 3rd party dependencies for vulnerabilities using automated tools? (Yes/No) | 🚫 |
| | 17. Did you configure a Content Security Policy (CSP) for your app? (Yes/No) | ℹ️ |
| | a. If yes, did you include the unsafe-inline or unsafe-eval directives in script-src? (Yes/No) | ⚠️ |
| Secrets Management | 18. Does your app collect Atlassian account credentials, such as passwords or API tokens? (Yes/No) | 🚫 |
| | 19. Does your app collect any 3rd party service's credentials or tokens? (Yes/No) | ℹ️ |
| | a. If yes, please explain the controls implemented to safeguard collected secrets. | ℹ️ |
| | 20. Does your app expose any secrets in plain text in easily accessible locations like URLs, source code, or code repositories? (Yes/No) | 🚫 |
| Vulnerability Management | 21. Do you perform vulnerability scans and review results? (Yes/No) | ℹ️ |
| | a. If yes, please select the type of scans performed: 1. Software composition analysis (SCA) 2. Static application security testing (SAST) 3. Dynamic application security testing (DAST) | ℹ️ |
| | 22. Have you read our Marketplace Security Bug Fix policy? (Yes/No) | ℹ️ |
| | 23. Do you plan to notify customers and Atlassian in case of a security incident? (Yes/No) | ℹ️ |
| | 24. Have you identified a security contact for the app and created an account on ecosystem.atlassian.net? (Yes/No) | ℹ️ |

| Category | Questions | Review Signal |
|---|---|---|
| Data Security | 1. Does your app encrypt and securely store the OAuth client secret and the access and refresh tokens on the server side? (Yes/No) | 🚫 |
| | 2. Does your app collect Atlassian account credentials, such as passwords or API tokens? (Yes/No) | 🚫 |
| | 3. Are the app's requested scopes limited to only the permissions necessary for its functionality? (Yes/No) | ⚠️ |
| | 4. Does your app log direct Personally Identifiable Information (PII) or OAuth tokens, such as client secrets, access tokens, or refresh tokens, in application logs? (Yes/No) | ⚠️ |
| | 5. Did you implement controls to safeguard customer data at rest on the app's server? (Yes/No/Not Applicable) | ⚠️ |
| | a. If yes, what is your retention policy for customer data stored on the app's server? (Open text) | ℹ️ |
| | 6. Does your app encrypt all communications over TLS 1.2 or above? (Yes/No) | 🚫 |
| Application Security | 7. Does your app set a unique state parameter to ensure the integrity of authorization and callback requests? (Yes/No) | 🚫 |
| | a. If yes, does your app appropriately validate the state parameter to prevent replay attacks? (Yes/No) | 🚫 |
| | i. If yes, please explain the validations implemented. (Open text) | ℹ️ |
| Vulnerability Management | 8. Do you perform vulnerability scans and review results? (Yes/No) | ℹ️ |
| | a. If yes, please select the type of scans performed: 1. Software composition analysis (SCA) 2. Static application security testing (SAST) 3. Dynamic application security testing (DAST) | ℹ️ |
| | 9. Have you read our Marketplace Security Bug Fix policy? (Yes/No) | ℹ️ |
| | 10. Do you plan to notify customers and Atlassian in case of a security incident or a critical vulnerability on your app? (Yes/No) | ℹ️ |
| | 11. Have you identified a security contact for the app and created an account on ecosystem.atlassian.net? (Yes/No) | ℹ️ |

| Category | Questions | Review Signal |
|---|---|---|
| Data Security | 1. Does your app allow UnrestrictedAccess on any of the endpoints? (Yes/No) | ℹ️ |
| | a. If yes, does the endpoint perform user actions or respond with dynamic user/app data? (Yes/No) | ⚠️ |
| | i. If yes, please provide more details on why this is allowed. (Open text) | 🚫 |
| | 2. Does this app send user data outside of the host instance? (Yes/No) | ℹ️ |
| | a. Do you own or manage the external domain or third-party service to which the app sends data? (Yes/No) | ℹ️ |
| | b. Does the data being transferred contain any sensitive data such as PII? (Yes/No) | ℹ️ |
| | i. If yes, please provide more details on why this information is egressed and how it is protected. (Open text) | ℹ️ |
| | 3. Does your app store sensitive data such as user credentials, PII, financial or proprietary information? (Yes/No) | ℹ️ |
| | a. If yes, is this information sufficiently protected using an access control mechanism that verifies user permissions before allowing access? (Yes/No) | ⚠️ |
| Application Security | 4. Does your app pass request arguments in any way to external processes (e.g. Git)? (Yes/No) | ℹ️ |
| | a. If yes, is the input properly checked and sanitized to prevent leaking arbitrary data on the file system? (Yes/No) | ⚠️ |
| | i. If yes, please provide more details on how it was implemented. (Open text) | ℹ️ |
| | 5. Does your app block forged requests on all state-changing requests to ensure security against Cross-Site Request Forgery (CSRF) attacks? (Yes/No) | ⚠️ |
| | 6. Did you review the app's 3rd party/open-source dependencies for vulnerabilities using automated tools? (Yes/No) | 🚫 |
| | 7. Does the app validate and sanitize all user inputs to mitigate injection attacks like XSS or SQL injection? (Yes/No) | ⚠️ |
| | 8. Does the app validate URLs or external resources to prevent unauthorized requests and mitigate Server-Side Request Forgery (SSRF) vulnerabilities? (Yes/No/Not Applicable) | ⚠️ |
| | a. If yes, do the outbound requests from your app honor the host product's IP allowlist? (Yes/No) | ⚠️ |
| | 9. Does your app instantiate its own template engine instead of using the one provided by the product? (Yes/No/Not Applicable) | 🚫 |
| | 10. Does your app implement serialization and deserialization of objects? (Yes/No/Not Applicable) | ℹ️ |
| | a. If yes, does your app ensure that objects are securely deserialized (e.g. using wrappers) and that arbitrary deserialization is prevented? (Yes/No/Not Applicable) | 🚫 |
| Secrets Management | 11. Does your app collect Atlassian account credentials, such as user passwords or API tokens? (Yes/No) | ℹ️ |
| | a. If yes, do you egress the credentials to external servers? (Yes/No) | ⚠️ |
| | b. If yes, please provide a brief explanation of the reason for egress. (Open text) | 🚫 |
| | 12. Does your app expose any secrets in plain text within the app artifact (JAR, OBR) or source code? (Yes/No) | 🚫 |
| Vulnerability Management | 13. Do you perform vulnerability scans and review results? (Yes/No) | ℹ️ |
| | a. If yes, please select the type of scans performed: 1. Software composition analysis (SCA) 2. Static application security testing (SAST) 3. Dynamic application security testing (DAST) | ℹ️ |
| | 14. Have you read our Marketplace Security Bug Fix policy? (Yes/No) | ℹ️ |
| | 15. Do you plan to notify customers and Atlassian in case of a security incident or a critical vulnerability on your app? (Yes/No) | ℹ️ |
| | 16. Have you identified a security contact for the app and created an account on ecosystem.atlassian.net? (Yes/No) | ℹ️ |