Jira's GitHub integration requires write access - thoughts?

John Cross December 7, 2022

We want to set up integration between Jira and GitHub to start to pull useful information about branches, commits etc into Jira issues. However, it has been pointed out that the integration requires read AND write access. I understand that write access is needed to create branches from Jira but this has raised some security questions at my company.

I am interested in anyone's thoughts on this. Does the benefit of being able to create branches from Jira outweigh the increased security risk? Is there a way of creating the integration so that it's read-only?

All thoughts and views welcome!

Thanks!

John

Marta Woźniak-Semeniuk December 7, 2022

Hey @John Cross 

GitHub actually addressed these concerns in their FAQ here: https://github.com/atlassian/github-for-jira/blob/main/docs/FAQs.md

"What about pull requests, contents and issues? I noticed I need to grant read and write permissions. Why is this needed?

A: This is needed so our app can create links to Jira issues from pull request or issue comments. When you create a comment and include the issue key surrounded by square brackets, our app will ping Jira to see if that issue key exists in a project in Jira and, if it finds a matching issue, will create a link for easy navigation. As for contents, we need the write access so we can create a branch on your request."
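Since the question is which granted scopes go beyond read and whether each one has a stated reason, here is an added example (not part of the thread, the FAQ, or the Jira integration's own code) that audits an installation's permission set. It assumes the permission object has the shape GitHub returns for an app installation (`{"contents": "write", "metadata": "read", ...}`, plus a `repository_selection` of `all` or `selected`); the installation record and app slug are constructed placeholders, and the per-scope justifications are taken only from the FAQ quoted above.

```python
"""Least-privilege audit of a GitHub App installation's permissions.

Hypothetical helper, not part of the github-for-jira integration.
Input is assumed to be an installation record whose `permissions`
object maps scope names to "read" / "write" / "admin".
"""
import json

# Permission levels in increasing order of capability.
LEVELS = {"none": 0, "read": 1, "write": 2, "admin": 3}

# Why the app asks for write on each scope, as stated in the FAQ above.
# Scopes absent from this table have no justification recorded on the page.
STATED_REASONS = {
    "contents": "create a branch on request from Jira",
    "pull_requests": "create links to Jira issues in pull request comments",
    "issues": "create links to Jira issues in issue comments",
}

# Constructed sample installation record (app slug is a placeholder).
SAMPLE_INSTALLATION = json.dumps({
    "app_slug": "example-app-placeholder",
    "repository_selection": "all",
    "permissions": {
        "contents": "write",
        "pull_requests": "write",
        "issues": "write",
        "metadata": "read",
    },
})


def exceeds(level, ceiling="read"):
    """True if `level` grants more than `ceiling`."""
    return LEVELS.get(level, 0) > LEVELS[ceiling]


def audit(installation_json, ceiling="read"):
    """Return (scope, level, reason) for every scope granted above `ceiling`.

    `reason` is the FAQ's stated justification, or None when the page
    gives none for that scope (a finding to raise with the vendor).
    """
    data = json.loads(installation_json)
    findings = []
    for scope, level in sorted(data.get("permissions", {}).items()):
        if exceeds(level, ceiling):
            findings.append((scope, level, STATED_REASONS.get(scope)))
    return findings


def covers_all_repos(installation_json):
    """True when the installation is granted on every repository in the
    account rather than a selected subset (a larger blast radius)."""
    data = json.loads(installation_json)
    return data.get("repository_selection") == "all"


def report(installation_json):
    """Human-readable lines: one per above-read scope, plus repo scope."""
    lines = []
    for scope, level, reason in audit(installation_json):
        why = reason or "no justification recorded"
        lines.append(f"{scope}: {level} -- {why}")
    if covers_all_repos(installation_json):
        lines.append("installed on ALL repositories; consider 'selected'")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_INSTALLATION)))
```

Running it against the constructed sample lists the three write scopes with the FAQ's reason for each and flags the all-repositories installation; the same function over a real installation record would surface any write scope the FAQ does not account for.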

John Cross December 7, 2022

Thanks for the reply!

I have already read the FAQ and understand that the write access is needed so that Jira can create branches.

I am wondering whether anyone has any thoughts or concerns around that? By granting write access we are allowing Jira (and by extension Atlassian) to change the content of our repositories. I know that is not the intended purpose - but it is still possible.

I don't have any strong views on this myself but I know that some in our security team do. I am curious what other people think.

John Cross December 7, 2022

Another way to think about it...

Imagine Atlassian own a parking lot and I own a very valuable car. I want to use the Atlassian parking lot one day but I am told that I need to leave the keys to my car with Atlassian to do so. I am reassured by Atlassian that they won't unlock or move the car or allow anyone inside of it and they only want the keys in case the alarm malfunctions and needs to be reset.

I don't get to see where Atlassian keeps my car keys and I only have their word on what they will use the keys for.

Should I trust them at their word and leave the keys with them?

I'm inclined to do as Atlassian ask because they are quite reputable but my friend, who is an expert on such things, is advising me not to do it.

So how should I proceed?
