Last updated Dec 31, 2025

Security Scans on Atlassian Data Center App builds prior to releasing them to the Atlassian Marketplace

Security scans are a critical security gate for Data Center (DC) apps prior to them being listed on the Atlassian Marketplace. The primary objective is to ensure that all apps are free from Critical severity vulnerabilities before they are made available to customers. This process is designed to protect Atlassian customers, maintain trust in the ecosystem, and reduce the risk posed by insecure or malicious plugins.

Scanners Used During Onboarding

During the onboarding (app listing) phase, Atlassian is implementing a set of security scanners to scan all new, major, minor and patch versions uploaded to the Atlassian Marketplace:

Vulnerability Management of Findings identified via Onboarding scans

Findings are filed as tickets in the Atlassian Marketplace Security (AMS) project, categorized by scanner type and severity. In addition to this, the field App Version Visibility will be set to Unpublished for findings arising from onboarding scans. As the app has not been published to the marketplace yet, these tickets are not subject to the resolution timeframes.

Malware Response Workflow

If malware is detected, onboarding is blocked. The following steps are then carried out in sequence: triage, customer impact analysis and partner notification. Apps may be delisted, and customers/partners are informed of Atlassian’s investigation results.

FAQ

How will we get notified about the scan results?

When the scanner detects findings in the app, Atlassian will file AMS (Atlassian Marketplace Security) tickets with the field App Version Visibility set to Unpublished. Please see the Vulnerability Tickets section above. Note: Service-level objectives (SLOs) do not apply until the app is published to the Marketplace.

How do I proceed in case my app is blocked by the onboarding scanner?

We block listing only if we find a Critical vulnerability in your app. An AMS ticket will be filed and the scan results will be posted on the onboarding ticket. If you haven’t received any communication, please submit a request for support on our service desk.

I am only releasing an update to an existing app on the Atlassian Marketplace. Do I still need to go through this process?

Yes, every new version uploaded to the Atlassian Marketplace, including every new, major, minor and patch version, will be evaluated via pre-release scans.

The finding is a false positive, and I need someone to review it so that I can be unblocked. What should I do?

Please comment on the finding, or submit a request for support on our service desk so that our SMEs can take a look and resolve your query as soon as possible.

Can apps opt out of onboarding scans?

Apps cannot opt out at this time.

How do I get in touch or contact Atlassian if Onboarding scans somehow disrupt app functionality? How do I get support?

Onboarding scans are designed to be non-intrusive (unless otherwise mentioned). In the event the scanning somehow disrupts app functionality, please submit a request for support on our service desk.
