The Ecoscanner platform is a platform used for performing security checks against all Marketplace cloud apps on an ongoing basis. This will help us continuously monitor our Marketplace cloud apps for common security vulnerabilities and improve the overall security posture of our ecosystem.
We are focusing on Atlassian Connect app scanning first. Our goal is to slowly expand our scanning capabilities over the coming year. We will share these rollout dates as and when we have more clarity but for the immediate future, below are some rough dates of what to expect:
All scanning activity originating from Ecoscanner is supposed to be non-intrusive and very basic so Atlassian will continue to scan the production environment of cloud apps for now. If this changes in the future, we will communicate accordingly.
All scan traffic should originate from the below listed IPs
220.127.116.11
18.104.22.168
22.214.171.124
126.96.36.199
188.8.131.52
184.108.40.206
Generally speaking, the more links in your descriptor, the more traffic you will receive. The traffic is very “bursty”. But, some approximate numbers are below:
Initial validation – Max 2 requests
Descriptor scan – Max 6 requests per link
TLS scan – No noticeable traffic at the app-level
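One practical use of the source IPs and the approximate request counts above is to tag Ecoscanner traffic in your app's access logs, so that a scan burst is not mistaken for abuse and so you can confirm the volume matches what this page describes. The following is an added example written for this page, not code from Atlassian or the Ecoscanner project. It assumes the app logs requests in Common Log Format (the page does not say what format your app uses); the IP set is copied from the page, the per-link ceiling is the "Max 6 requests per link" figure above, and the log lines are constructed sample data.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Source IPs this page lists for Ecoscanner traffic (copied from the page).
ECOSCANNER_IPS = frozenset({
    "220.127.116.11", "18.104.22.168", "22.214.171.124",
    "126.96.36.199", "188.8.131.52", "184.108.40.206",
})

# Rough per-link ceiling the page gives for the descriptor scan.
MAX_REQUESTS_PER_LINK = 6

# Common Log Format (assumed; the page does not specify a log format):
# client ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict with ip/ts/method/path/status, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    try:
        ip_address(rec["ip"])  # reject garbage in the client field
    except ValueError:
        return None
    return rec


def is_ecoscanner(ip):
    """True when the client IP is one of the published Ecoscanner source IPs."""
    return ip in ECOSCANNER_IPS


def summarize(lines):
    """Split request counts per path into scanner vs. other traffic.

    Returns (scanner_counts, other_counts, over_limit_paths) where
    over_limit_paths lists paths the scanner hit more often than the
    approximate per-link ceiling stated on the page.
    """
    scanner, other = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        bucket = scanner if is_ecoscanner(rec["ip"]) else other
        bucket[rec["path"]] += 1
    over = sorted(p for p, n in scanner.items() if n > MAX_REQUESTS_PER_LINK)
    return scanner, other, over


def _make_lines(ip, path, n):
    """Build n constructed CLF lines from one client for one path (sample data)."""
    return [
        f'{ip} - - [10/Oct/2000:13:55:{i:02d} -0700] "GET {path} HTTP/1.1" 200 512'
        for i in range(n)
    ]


# Constructed sample log: two descriptor fetches, six and seven hits on two
# descriptor links from scanner IPs, three hits from an unrelated client
# (203.0.113.9 is a documentation address), and one malformed line.
SAMPLE_LOG = (
    _make_lines("220.127.116.11", "/atlassian-connect.json", 2)
    + _make_lines("18.104.22.168", "/installed", 6)
    + _make_lines("22.214.171.124", "/rest/webhook", 7)
    + _make_lines("203.0.113.9", "/installed", 3)
    + ["this line is not an access log entry"]
)

if __name__ == "__main__":
    scanner, other, over = summarize(SAMPLE_LOG)
    for path, n in sorted(scanner.items()):
        print(f"ecoscanner  {n:3d}  {path}")
    for path, n in sorted(other.items()):
        print(f"other       {n:3d}  {path}")
    if over:
        print("above the approximate per-link ceiling:", ", ".join(over))
```

Because the page calls the counts approximate and the traffic "bursty", a path landing in `over_limit_paths` is a prompt to compare against this page (and, if the volume is clearly off, to raise an ESSD request as described below), not evidence of a problem on its own.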
As and when we introduce additional scanners, we will follow up with a CDAC post and also update this page. We will treat open sourcing on a case-by-case basis.
Yes, absolutely. We would totally love this. You come up with scanners and let us deal with figuring out how to run them at scale against all apps. Please feel free to create a request in ESSD describing the scanner and instructions on how to run it.
We will keep the scanner sections above updated with their scanning cadence.
We will communicate the vulnerability reporting/notification once we have more information.
As of now, we are not planning to scan server and DC apps. This might change in the future as the Ecoscanner platform becomes more mature.
Apps CANNOT opt out of scanning at this time.
We hope this never happens since the scanning is going to be non-intrusive (unless otherwise mentioned). In the odd case when it does end up breaking your app and you want us to look into it, please go ahead and create a request on ESSD.
During our staged rollout, not all apps will be scanned. Once we have fully rolled out Ecoscanner, every Marketplace app will be scanned on a regular cadence as listed above. If you feel like your app is not being scanned, you are welcome to open a ticket with us at ESSD to confirm.
We understand it is not practically possible to scan for all the requirements (because of the subjective nature of them that is different for different apps) but there are a handful of requirements that we can scan for. We will NOT be reporting any security vulnerabilities right now. We are going to continuously monitor the platform for any improvements and fine tune it, if necessary. Once we are confident about the quality of findings, we will then begin reporting them as vulnerabilities. More information on this to come at a later date.