Jira's GitHub integration requires write access - thoughts?

We want to set up integration between Jira and GitHub to start to pull useful information about branches, commits etc into Jira issues. However, it has been pointed out that the integration requires read AND write access. I understand that write access is needed to create branches from Jira but this has raised some security questions at my company.

I am interested in anyone's thoughts on this? Does the benefit of being able to create branches from Jira outweigh the increased security risk? Is there a way of creating the integration so that it's read-only?

All thoughts and views welcome!

Thanks!

John

1 comment

Hey @John Cross 

GitHub actually addressed these concerns in their FAQ here https://github.com/atlassian/github-for-jira/blob/main/docs/FAQs.md

"What about pull requests, contents and issues? I noticed I need to grant read and write permissions. Why is this needed?

A: This is needed so our app can create links to Jira issues from pull request or issue comments. When you create a comment and include the issue key surrounded by square brackets, our app will ping Jira to see if that issue key exists in a project in Jira and, if it finds a matching issue, will create a link for easy navigation. As for contents, we need the write access so we can create a branch on your request."

Thanks for the reply!

I have already read the FAQ and understand that the write access is needed so that Jira can create branches.

I am wondering whether anyone has any thoughts or concerns around that? By granting write access we are allowing Jira (and by extension Atlassian) to change the content of our repositories. I know that is not the intended purpose - but it is still possible.

I don't have any strong views on this myself but I know that some in our security team do. I am curious what other people think.

Another way to think about it...

Imagine Atlassian own a parking lot and I own a very valuable car. I want to use the Atlassian parking lot one day but I am told that I need to leave the keys to my car with Atlassian to do so. I am reassured by Atlassian that they won't unlock or move the car or allow anyone inside of it and they only want the keys in case the alarm malfunctions and needs to be reset.

I don't get to see where Atlassian keeps my car keys and I only have their word on what they will use the keys for.

Should I trust them at their word and leave the keys with them?

I'm inclined to do as Atlassian ask because they are quite reputable but my friend, who is an expert on such things, is advising me not to do it.

So how should I proceed?
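
As an added example (not part of the thread, and not Atlassian's or GitHub's code), one way to see what an installed GitHub App has actually been granted is to audit the `permissions` map that GitHub's `GET /orgs/{org}/installations` endpoint returns, comparing it with the write scopes the FAQ quoted above gives a reason for. The installation record, its app slug and its permission values are constructed sample data, not the real grant of the GitHub for Jira app.

```python
import json

# Constructed sample: the shape of one entry from GitHub's
# GET /orgs/{org}/installations response. Values are illustrative only.
SAMPLE_INSTALLATION = json.loads("""
{
  "app_slug": "example-jira-integration",
  "repository_selection": "all",
  "permissions": {
    "metadata": "read",
    "contents": "write",
    "issues": "write",
    "pull_requests": "write",
    "actions": "write"
  }
}
""")

# Write scopes that the FAQ quoted in the thread explains.
FAQ_JUSTIFIED_WRITE = {"contents", "issues", "pull_requests"}


def audit_installation(inst, justified_write=FAQ_JUSTIFIED_WRITE):
    """Split an installation's above-read permissions into explained and
    unexplained, and report whether it covers every repository."""
    perms = inst.get("permissions", {})
    # Fail closed: anything that is not exactly "read" counts as elevated,
    # including "admin" and any level this script does not recognise.
    elevated = {name for name, level in perms.items() if level != "read"}
    return {
        "app": inst.get("app_slug", "<unknown>"),
        "explained_write": sorted(elevated & justified_write),
        "unexplained_write": sorted(elevated - justified_write),
        # "all" means the grant applies to every repository in the org,
        # including ones created later; "selected" limits the exposure.
        "all_repositories": inst.get("repository_selection") == "all",
    }


if __name__ == "__main__":
    report = audit_installation(SAMPLE_INSTALLATION)
    print(json.dumps(report, indent=2))
    if report["unexplained_write"] or report["all_repositories"]:
        print("Review before approving: broader access than the FAQ explains.")
```
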
