Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Jira's GitHub integration requires write access - thoughts?

John Cross
John Cross December 7, 2022

We want to set up integration between Jira and GitHub to start to pull useful information about branches, commits etc into Jira issues. However, it has been pointed out that the integration requires read AND write access. I understand that write access is needed to create branches from Jira but this has raised some security questions at my company.

I am interested in anyone's thoughts on this? Does the benefit of being able to create branches from Jira outweigh the increased security risk? Is there a way of creating the integration so that its read only?

All thoughts and views welcome!

Thanks!

John

Comment
Watch
Like Be the first to like this
614 views

1 comment

Comment

Log in or Sign up to comment
Marta Woźniak-Semeniuk
Marta Woźniak-Semeniuk
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
December 7, 2022

Hey @John Cross 

GitHub actually adressed this concerns in their FAQ here https://github.com/atlassian/github-for-jira/blob/main/docs/FAQs.md

"What about pull requests, contents and issues? I noticed I need to grant read and write permissions. Why is this needed?

A: This is needed so our app can create links to Jira issues from pull request or issue comments. When you create a comment and include the issue key surrounded by square brackets, our app while ping Jira to see if that issue key exists in a project in Jira and, if it finds a matching issue, will create a link for easy navigation. As for contents, we need the write access so we can create a branch on your request."

Like
Reply
John Cross
John Cross December 7, 2022

Thanks for the reply!

I have already read the FAQ and understand that the write access is needed so that Jira can create branches.

I am wondering whether anyone has any thoughts or concerns around that? By granting write access we are allowing Jira (and by extension Atlassian) to change the content of our repositories. I know that is not the intended purpose - but it is still possible.

I dont have any strong views on this myself but I know that some in our security team do. I am curious what other people think.

Like
John Cross
John Cross December 7, 2022

Another way to think about it...

Imagine Atlassian own a parking lot and I own a very valuable car. I want to use the Atlassian parking lot one day but I am told that I need to leave the keys to my car with Atlassian to do so. I am reassured by Atlassian that they wont unlock or move the car or allow anyone inside of it and they only want the keys in case the alarm malfunctions and needs to be reset.

I dont get to see where Atlassian keeps my car keys and I only have their word on what they will use the keys for.

Should I trust them at their word and leave the keys with them?

I'm inclined to do as Atlassian ask because they are quite reputible but my friend, who is an expert on such things, is advising me not to do it. 

So how should I proceed?

Like

Recommended Learning For You

Level up your skills with Atlassian learning

Atlassian DevOps Essentials

Atlassian logo

Learn to manage the product lifecycle by building, automating, and improving processes with Atlassian's approach to DevOps.

1.7h Intermediate
On Demand

Jira Automation

Jira Software

Reduce project complexity and optimize your team's processes through the power of automation.

1.6h Intermediate
On Demand

Bitbucket Pipelines Configuration

Bitbucket

Build better software and release more often by learning how to implement a CI/CD solution with Bitbucket Pipelines.

5h Intermediate
On Demand
groups-icon
DevOps
TAGS
AUG Leaders

Atlassian Community Events

    See all events