The recently published Security Requirements for Data Center apps require developers to perform secret scans. In line with that requirement, and with our ongoing commitment to building trust with customers, Atlassian will be implementing secret scanning for Data Center apps as part of our effort to ensure the safety and integrity of Marketplace apps.
Secret scanning for Atlassian Data Center Marketplace apps is a security process that detects hardcoded secrets such as API keys, credentials, and tokens inside app binaries (JAR files). Identifying and removing these secrets prevents accidental exposure of sensitive information, reduces the risk of unauthorized access, and supports Atlassian's commitment to a secure Marketplace ecosystem.
The scanner is Atlassian's internal secret-scanning solution, built on open-source secret detectors such as trufflehog. Candidate secrets are validated, that is, checked to confirm they are real, working credentials, so that false positives are not reported. In addition, we maintain a list of sinks in the Atlassian plugin SDK that accept secrets; any constant that flows into one of these sinks is flagged as a hardcoded secret.
If a valid secret is found in the JAR, a security vulnerability ticket is raised with severity Critical (9.8). This is higher than the severity assigned to secrets found in Forge apps, because JAR files are publicly available: a JAR is an archive that anyone who downloads the app can unpack, so a constant compiled into it is effectively published.
All new and updated app versions (major, minor, and patch) undergo secret scans, so any secret in a new app or an updated version is detected promptly.
Either manually audit your source code or run a tool such as trufflehog in your development environment (for example as a pre-commit hook or a CI step) so that sensitive tokens are never committed. If a secret has already shipped in a JAR, treat it as compromised: removing the string from the next release is not enough on its own, because the earlier JAR is publicly available. If the secret is an API token or similar credential, revoke it at the issuer (and rotate it if the integration still needs one) in addition to releasing a version that no longer contains it.
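A minimal local scanner you can run on a built JAR before onboarding, written for this page as an added example (it is not Atlassian's scanner, not trufflehog, and not code from any Marketplace app). It shows the shape of three checks: matching well-known public token formats, a keyword-plus-entropy rule that skips low-entropy placeholders, and recursing into JARs nested inside the JAR. The token prefixes are public formats; `ENTROPY_THRESHOLD`, `SCAN_SUFFIXES` and every value in `build_sample_jar` are assumptions constructed for the demo. It does not validate hits against their issuers and does not do the SDK sink analysis described above.

```python
"""Local pre-submission secret scan of a Data Center app JAR.

Added example, not Atlassian's scanner. Walks every entry of a JAR
(including nested JARs), applies known token formats plus a
keyword-and-entropy rule, and reports file, rule and a redacted match.
"""
import io
import math
import re
import zipfile
from dataclasses import dataclass

# Public token prefixes; this list is illustrative, not complete.
PATTERNS = {
    "aws-access-key-id": re.compile(rb"AKIA[0-9A-Z]{16}"),
    "github-pat": re.compile(rb"ghp_[A-Za-z0-9]{36}"),
    "atlassian-api-token": re.compile(rb"ATATT3[A-Za-z0-9_\-=]{20,}"),
}
# Generic rule: a credential-looking key followed by a value of 16+ chars.
KEYWORD = re.compile(
    rb"(?i)(password|passwd|secret|token|api[_-]?key)\s*[=:]\s*[\"']?([A-Za-z0-9+/=_\-]{16,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per byte; assumed cut-off, tune for your code base
SCAN_SUFFIXES = (".class", ".properties", ".xml", ".json", ".yml", ".yaml", ".txt", ".js", ".vm")


@dataclass(frozen=True)
class Finding:
    path: str      # entry path; nested JARs joined with "!/"
    rule: str
    redacted: str  # never log the full value


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; random-looking credentials score high."""
    if not data:
        return 0.0
    n = len(data)
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(token: bytes) -> str:
    s = token.decode("ascii", "replace")
    return s[:4] + "..." + s[-2:] if len(s) > 8 else "***"


def scan_blob(path: str, data: bytes) -> list[Finding]:
    """Apply all rules to one file's raw bytes. Class files keep string
    literals as plain modified UTF-8 in the constant pool, so regexes work."""
    out, seen = [], set()
    for rule, rx in PATTERNS.items():
        for m in rx.finditer(data):
            red = redact(m.group(0))
            if (path, red) not in seen:
                seen.add((path, red))
                out.append(Finding(path, rule, red))
    for m in KEYWORD.finditer(data):
        value = m.group(2)
        red = redact(value)
        # Placeholders such as "changeme" have low entropy and are skipped.
        if (path, red) not in seen and shannon_entropy(value) >= ENTROPY_THRESHOLD:
            seen.add((path, red))
            out.append(Finding(path, "keyword+entropy", red))
    return out


def scan_jar(jar_bytes: bytes, prefix: str = "") -> list[Finding]:
    """Scan every entry of a JAR; nested JARs are scanned recursively."""
    out = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = prefix + info.filename
            data = zf.read(info)
            if name.lower().endswith((".jar", ".zip")):
                out.extend(scan_jar(data, name + "!/"))
            elif name.lower().endswith(SCAN_SUFFIXES):
                out.extend(scan_blob(name, data))
    return out


def build_sample_jar(clean: bool = False) -> bytes:
    """Constructed JAR for the demo; every value below is made up."""
    props = (b"jira.base.url=https://example.invalid\n"
             b"db.password=${DB_PASSWORD}\n"        # resolved at runtime: fine
             b"deploy.secret=changemechangeme\n")   # low-entropy placeholder: skipped
    nested = b"region=us-east-1\n"
    # Stand-in for a compiled class: magic number plus its string literals.
    klass = b"\xca\xfe\xba\xbe" + b"CLIENT_SECRET java/lang/System getenv"
    if not clean:
        props += b"api.token=ATATT3xFfGF0exampleexampleexampleexample00\n"
        nested += b"aws.key=AKIAIOSFODNN7EXAMPLE\n"  # AWS documentation example key
        klass += b'client.secret="q7Hn2vZp9kL4mX1wR8tY3bC6"'
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("config.properties", nested)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("app.properties", props)
        z.writestr("com/example/Client.class", klass)
        z.writestr("META-INF/lib/helper.jar", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for f in scan_jar(build_sample_jar()):
        print(f"{f.path}: {f.rule} -> {f.redacted}")
```

Run it against `target/your-app.jar` by passing the file's bytes to `scan_jar`. The constructed sample produces three findings: the Atlassian-format token in `app.properties`, the high-entropy literal in the class file, and the AWS key inside the nested `helper.jar`; the `${DB_PASSWORD}` placeholder and the low-entropy `changemechangeme` are not reported. A real hit should then be revoked at the issuer, not just deleted from the source.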
If the secret scanner detects a secret during the app onboarding phase, the app will not be published until the finding is resolved. For findings from onboarding scans, the App Version Visibility field is set to Unpublished. Because the app has not yet been published to the Marketplace, these tickets are not subject to the resolution timeframes.
For further information on this topic, please refer to the process associated with scanning apps before they are published on the marketplace.
Apps cannot opt out of the Secret Scanning process at this time.
Partners can contact Atlassian by submitting their request through our service desk.