Manage GitHub Advanced Security vulnerabilities in Jira

Software development isn’t just multi-disciplinary. It’s multi-tool. Each organization has its own needs, and we want you to use the tools that fit yours. That includes security: our research found that, from small businesses through enterprises, organizations use more than 2.8 security tools on average.

And that’s okay. Why? We launched Security in Jira back in June with a great set of partners in Snyk, Mend, Lacework, Stackhawk, and JFrog. Since then, we’ve watched our mutual customers scale their DevSecOps practices without ruining their developer experience. That's because the vulnerabilities flowing from any of those tools came together in Jira Software. 

From the start of development, it has been Atlassian’s goal to expand support for third-party security tools to meet our customers’ needs. Today we’re excited to add support for GitHub Advanced Security.

Security in Jira now supports GitHub Advanced Security

Wait. Aren’t GitHub and GitHub Actions already connected with Jira Software to make work visible to the whole team? Yes, they are. Now that same integration’s functionality extends to security. Security in Jira supports customers who use GitHub Advanced Security, as well as those who use the free security features for public repositories.

Scale remediation activities using Jira Software

DevSecOps asks a lot of developers. Not only are you writing code, managing technical debt, and fixing bugs, but you also now have to ensure all of it is secure. And security vulnerabilities are everywhere.

Developers can’t just turn on notifications for every vulnerability that gets identified. Not only is that distracting, it’s inefficient and error-prone. That’s where Security in Jira comes in. It takes the burden of finding the signal in the noise off developers, so they can manage vulnerabilities as part of their planning rituals.

We want your team to spend time building products, not writing status updates. We surface the data with context so you can act on it. Using Security in Jira you can easily prioritize vulnerabilities across tools and capture them in your sprint or backlog.

Let’s get started.

Help secure your code with real vulnerability management

We’re big fans of today’s security tools. They build sophisticated vulnerability detection right into the development process. GitHub Advanced Security handles this with ease. GitHub users can find all the details here.

Close the feedback loop on identified vulnerabilities with Security in Jira. Security in Jira is designed for your multi-tool security solution. It makes adopting GitHub Advanced Security as part of a security toolset seamless. Developers don’t have to manually move data between tools. Your vulnerabilities are centralized in Jira - where you already do your planning.

Prioritize and assign vulnerabilities. The context of the vulnerability is automatically captured in the issue. Track the progress of work without status updates.

Set up GitHub Advanced Security in Jira

If you already have the GitHub app installed, open the new Security tab to get started and you’re nearly there. If not, check out this Developer’s Edge video on configuring the GitHub integration.

Click Finish setup in the Security tab and you’ll find the GitHub Security app nearly set up.

Just add a security container and you’re ready to go.

GitHub vulnerabilities will begin to populate the Security tab. You can always click through on a security container to see it in GitHub.

That’s it. You’re ready to add GitHub Security to your security tools with Security in Jira.
We can’t wait for you to try it. We’re always here to help you bring security into your planning process. Drop a comment below with any questions or reactions and either I or Daani here - the product manager for security in Jira - will do our best to answer.

15 comments

Maksym Ivanchenko September 21, 2023

Just in time :)

Jackie Huynh September 21, 2023

This is great! -- However, we noticed the Jira App on GitHub is now requiring write access to "Contents". Before it was just read-only. What is that for?

Reid Gould September 21, 2023

Cool! However, I have the same question as Jackie: why does it need write access to "Contents"?

Jeremy Bowman September 22, 2023

It looks like it's respecting the subset of repositories in the linked GitHub organization that the Jira GitHub app has been granted permission to (which is good), but new additions to that list don't seem to be propagating to the set of available "security containers" in Jira even 24 hours after making the change. Is this a bug, or is there some other setting that also needs to be updated after changing the GitHub app's configuration?

Scott White (Atlassian Team) September 22, 2023

Hi all, thanks for the questions @Jackie Huynh and @Reid Gould! You’re seeing the permission request for write access to content because the GitHub app includes the “Create Branch” feature that is used when you connect a repository. This is the narrowest permission set GitHub has that includes the ability for Jira Software to create new branches. Atlassian added the “Create Branch” feature in November 2022. If you did not accept write access at that time, you’ll be required to do so when you install the new security feature in order to use the security permissions. Let me know if that helps and if you have any other questions!

Akshay Singh September 28, 2023

Great feature! Anyone else not seeing all of their repos in the GHAS toolchain dropdown?

Daani Faiz (Atlassian Team) October 2, 2023

@Akshay Singh Thanks for your question and glad to hear you like the feature!

The container list will only show a maximum of 100 repositories in the dropdown at a time. To find a specific repo that is not visible in the list, you will need to type the repo name into the dropdown to narrow down the search.

Akshay Singh October 3, 2023

@Daani Faiz Thank you for the response. For some reason, I'm not seeing some repos in the dropdown even when I search for it. You can find more details here. - https://community.atlassian.com/t5/Jira-questions/Cannot-see-my-repo-in-GitHub-Advanced-Security-toolchain/qaq-p/2491414.

Thank You

David Blank (Rising Star) October 4, 2023

Wow! I love how you made this so easy!

mworthington October 10, 2023

This plugin came at just the right time.

One question/feature request.

We started using the new Jira Automation trigger that came along with this to automatically create and assign tickets for new security findings. 

I am running into cases where we need to "dismiss" a finding in GHAS, most commonly because it is a false positive. The problem is that now I have to close two tickets, one in GHAS and one in Jira.

Is there a way to have Jira Automation update the status of the Jira ticket and/or GHAS ticket when one of them changes?

Daani Faiz (Atlassian Team) October 10, 2023

@mworthington Thanks for the feature request and feedback! 

I understand the problem you are facing. We currently do not support the ability to use automations to update issues linked to vulnerabilities or to send data back to GHAS to trigger a change. We are looking into both of these capabilities and will provide updates through the community as we progress with them.

Sami Guirguis October 30, 2023

Hi,

Can you elaborate on the level of access required?

Does Jira pull the actual secrets from GitHub?

Thanks

Farid Driouch May 13, 2024

We were so excited about this feature but found out there is no way to automate issue transitions based on the vulnerability field (open OR closed).

This renders the whole feature much less appealing as it requires manual interventions to get the tickets moving through the workflow.

We'll be back at it when the vulnerability field can be used in automation for something other than "found" or "link".

So frustrating!

Sarita Tewari June 13, 2024

Hi, thanks for the post!! Furthermore, for vulnerabilities found in a container, how do I create issues only when they are found in a specific branch (e.g. develop, release)?

Valter Oliveira October 23, 2024

We’ve been using this feature for a while, but I’m encountering an issue where vulnerabilities fixed and closed in the GitHub Dependabot repository are not being synced or closed on the Jira side. Additionally, I’m unable to find an option to manually dismiss these reports in Jira. Is there a way to either automate this process or provide manual control for dismissing these fixed vulnerabilities?
