Jira using OAuth
Integrating Invicti Platform with Jira automates vulnerability tracking. Instead of manually creating tickets, Invicti automatically generates Jira issues for detected vulnerabilities, streamlining your software development and bug-fixing process, and allowing you to prioritize and remediate issues. This integration ensures security is built into your development workflow.
This document explains how to integrate Invicti with Jira in 4 steps:
- Step 1: Configure Invicti
- Step 2: Submit vulnerabilities to Jira
- Step 3: Configure Jira integration webhook (optional)
- Step 4: Test your webhook functionality
Prerequisites
SSL certificate requirements
While using self-signed certificates with Invicti On-Premises and/or Jira On-Premises is possible, it is not supported for setups that involve integrating Invicti with Jira:
- If you are using Invicti On-Premises, the Invicti configuration must have a valid SSL/TLS certificate, signed by a globally trusted certificate authority.
- If you are using Jira On-Premises, the Jira configuration must have a valid SSL/TLS certificate, signed by a globally trusted certificate authority. Note: The configuration of SSL/TLS certificates on your Jira server is outside the scope of Invicti support.
- Be aware that Jira requires this configuration, particularly for webhooks.
Other requirements
Before integrating Invicti with Jira, ensure the following requirements are met:
- You have a valid Jira account.
- A Jira project has been created where all the found vulnerabilities are going to be sent.
- Jira work item types are configured to align with Invicti severity levels.
- Your Jira system allows incoming API requests. Follow the appropriate whitelisting instructions below:
- EU-region: Whitelisting requirements
- US-region: Whitelisting requirements
Step 1: Configure Invicti
- In Invicti, select Integrations from the left-side menu.
- Switch to the All integrations tab.
- Scroll down to Issue trackers and select Configure on the Jira tile.
- In the Configure and authorize section:
- Enter a name for your integration. For this example, we have used Invicti issues.
- Fill in the Jira base URL.
- Choose OAuth 2 as the Authentication type.
- Click Validate & load projects to load your project and issue details.
- In the new window, select Accept to allow Invicti Platform to access your Atlassian account.
- In the Project configuration section, provide the following details:
- Select a Project from the drop-down list. This is where the found vulnerabilities are going to be sent.
- Specify the Issue type as Vulnerability.
- Issue title formatting: Choose the format for the work item title.
- Included details: Use the drop-down menu to select the information to include in the work item details.
- Optionally, select Yes to include a link to the report and attach a PDF report.
- Click Next.
- In the Issue mappings section:
- Copy and save the Webhook URL value for later use in the Jira configuration.
- Set your Bi-directional issue status mappings - you can choose any status from your Jira configuration.
- Next, assign field values. These items change based on the selected Project and Work item type.
- Assign Field mappings: Map Invicti Vulnerability Severity levels to Jira severity values.
- In the Field mappings panel, assign Invicti fields to Jira fields or values. You have the option to add more field values; use the Add New button to do so.
- Use the Create sample issue button to test the configuration. Then, select Save and Finish to complete the setup.
- The vulnerability is now created and visible in your Work items list in the selected Jira project.
Step 2: Submit vulnerabilities to Jira
After identifying vulnerabilities, you can forward them to the designated issue tracker. The process is consistent across all supported issue trackers. For detailed instructions, refer to the linked documents.
Step 3: Configure Jira integration webhook (optional)
- In your Jira interface, go to Administration > System > Advanced > WebHooks in the sidebar:
- Click Create a WebHook and start with the configuration:
- Enter the Name (e.g., Invicti WebHook listener).
- Paste the copied Webhook URL into the URL field.
- Optionally, provide a Secret and Description for your webhook.
- Events: Choose the Issue -> updated event for webhook notification (other event types are NOT supported).
- Scroll to the bottom and click Create.
Step 4: Test your webhook functionality
- If you have not done so during step 3, navigate to the Jira integration in Invicti and click Create sample issue.
- In Jira, navigate to the ticket that was created and change its status to False positive:
- In Invicti, navigate to the Vulnerabilities page and filter the list by status = False Positive:
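To show what the optional Secret in step 3 protects and what the Issue -> updated event in step 4 carries, here is an added, stand-alone example of a webhook receiver. It is illustrative code written for this page, not Invicti's implementation and not Atlassian's. It assumes that Jira signs each delivery with an HMAC-SHA256 over the raw body using the configured secret and presents it as `sha256=<hex>` in an `X-Hub-Signature` header (verify this against your Jira version's documentation), that the payload uses the standard `webhookEvent` / `changelog.items` layout, and that the Jira-to-Invicti status mapping in `STATUS_MAP` matches what you configured in step 1. The sample event body and secret are constructed for the example.

```python
import hmac
import hashlib
import json

# Constructed example value: the shared secret entered in the Jira webhook "Secret" field.
WEBHOOK_SECRET = b"example-shared-secret"

# Constructed sample of a Jira "Issue -> updated" delivery, reduced to the fields used
# below; real payloads carry many more fields (assumed layout: webhookEvent + changelog).
SAMPLE_EVENT = {
    "webhookEvent": "jira:issue_updated",
    "issue": {"key": "SEC-42", "fields": {"summary": "SQL Injection in /login"}},
    "changelog": {
        "items": [
            {"field": "status", "fromString": "To Do", "toString": "False positive"}
        ]
    },
}

# Assumed mapping from Jira status names to Invicti vulnerability statuses,
# mirroring the bi-directional status mappings configured in step 1.
STATUS_MAP = {
    "False positive": "False Positive",
    "Done": "Fixed",
}


def sample_body() -> bytes:
    """Serialize the constructed sample event exactly as it would arrive on the wire."""
    return json.dumps(SAMPLE_EVENT).encode()


def sign(body: bytes, secret: bytes) -> str:
    """HMAC-SHA256 of the raw request body, hex-encoded with the assumed 'sha256=' prefix."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(body: bytes, header_value: str, secret: bytes) -> bool:
    """Constant-time comparison of the presented signature against our own computation."""
    if not header_value or not header_value.startswith("sha256="):
        return False
    expected = sign(body, secret).encode()
    return hmac.compare_digest(expected, header_value.encode())


def extract_status_change(event: dict):
    """Return (issue_key, mapped_status) for a supported status transition, else None.

    Only "Issue -> updated" events are handled, matching the page's note that other
    event types are not supported; other changelog fields (assignee, labels...) are ignored.
    """
    if event.get("webhookEvent") != "jira:issue_updated":
        return None
    for item in event.get("changelog", {}).get("items", []):
        if item.get("field") == "status":
            mapped = STATUS_MAP.get(item.get("toString"))
            if mapped:
                return event["issue"]["key"], mapped
    return None


def handle_webhook(body: bytes, signature_header: str, secret: bytes = WEBHOOK_SECRET) -> dict:
    """Validate, parse and map one delivery; reject anything not signed with our secret."""
    if not verify_signature(body, signature_header, secret):
        return {"accepted": False, "reason": "bad signature"}
    try:
        event = json.loads(body)
    except ValueError:
        return {"accepted": False, "reason": "malformed JSON"}
    change = extract_status_change(event)
    if change is None:
        return {"accepted": True, "action": "ignored"}
    key, status = change
    return {"accepted": True, "action": "update", "issue": key, "status": status}


if __name__ == "__main__":
    raw = sample_body()
    print(handle_webhook(raw, sign(raw, WEBHOOK_SECRET)))   # genuine delivery: update SEC-42
    print(handle_webhook(raw, "sha256=deadbeef"))           # forged delivery: rejected
```

Without the secret, anyone who learns the Webhook URL copied in step 1 can post arbitrary status changes to the listener; with it, a forged or tampered body fails the signature check before it is parsed. The ignored-event path is what you would expect for the non-status updates Jira sends on the same webhook.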