Integrating Invicti Enterprise On-Demand with Jira

This document is for:
Invicti Enterprise On-Demand

You can integrate Invicti Enterprise with Jira to streamline your bug fixing process and vulnerability management. 

In today’s agile environment, building vulnerability management into your development pipeline is a must when doing security testing. So, any vulnerability that needs fixing must be turned into a ticket in the developers’ existing system. If this is done manually, managing vulnerability tickets adds a lot of extra work for everyone. If created automatically, it streamlines the vulnerability resolution. 

Thanks to the integration between Invicti Enterprise and Jira, you can create tickets and assign them to developers automatically. Also, you can do the following: 

  • Monitoring the vulnerability fixing process
  • Verifying fixes (if there is 2-way integration)
  • Reopening tickets, if necessary. 
  • Closing tickets. 

So, with minimal setup, you can embed vulnerability scanning into your Jira-based development pipeline to ensure that security issues are reported and fixed without delay.

Jira

This topic describes how to integrate Invicti Enterprise On-Demand with Jira. Using Invicti Enterprise On-Premises? See Integrating Invicti Enterprise On-Premises with Jira.

Using a self-hosted Jira instance? Make sure Invicti Enterprise On-Demand can communicate with it.

Jira fields

This table lists and explains the Jira fields on the New Jira Integration page.

Button/Section/Field | Description
Name | This is the name of the integration that will be shown elsewhere in Invicti Enterprise.
URL | This is the Jira instance URL.
Username or Email | This is the username if self-hosted. This is the email address, if hosted by Atlassian.
Access Token or Password | This is the access token (API) or the password of the user. If hosted by Atlassian, enter the API token. If self-hosted, enter your password. The API token can be retrieved from https://id.atlassian.com/manage/api-tokens.
Project Key | This is the project.
Issue Type | This is the name of the issue type.
Title Format | This is the string format that is used to create the issue title.
Template | This is the type of issue description template. There are two template types for issue templates: Standard and Detailed. The Detailed template has additional fields such as Request and Response.

Integrating Invicti Enterprise with Jira

Prerequisite

  • Administrator privileges OR the Add/Edit Integration permission in Invicti Enterprise

There are two steps to this integration:

  1. Setting up the connection with the Jira instance
  2. Configuring project details for integration

Step 1. How to set up the connection with the Jira instance
  1. Log in to Invicti Enterprise.
  2. From the main menu, go to Integrations > New Integration > Jira.
  3. In the Mandatory section, complete the connection details:
    1. Name
    2. URL
    3. Username or Email
    4. Access Token or Password
  4. Select Load Jira Details.

If successful, Invicti displays your project details to continue configuring your integration. Otherwise, Invicti displays an error message. 

Step 2. How to configure your Jira project for integration with Invicti
  1. From the Project Key drop-down, choose your project. Or, start typing your project name or project key to search, then choose your project.
  2. From the Issue Type drop-down, choose the issue type. (For further information about issue types, see What are issue types?)
  3. Enter Title Format. (You can leave it as it is or type your title format including {0}.)
  4. Select Save to save your integration.

Once saved, the integration appears on the Manage Integrations page. 
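
If Load Jira Details returns an error, the same URL, credentials, project key and issue type can be checked directly against Jira's REST API before retrying. The following Python is an added example, not Invicti's own code; the function names, the https-only rule and the project-key pattern are assumptions of the example, and the sample response is constructed.

```python
import base64
import json
import re
import urllib.parse
import urllib.request

# Constructed sample of a GET /rest/api/2/project/{key} response body (trimmed).
SAMPLE_PROJECT = '{"key": "SEC", "issueTypes": [{"name": "Bug"}, {"name": "Task"}]}'


def build_preflight_requests(base_url, user, secret, project_key):
    """Build the two read-only requests: who am I, and does the project exist."""
    parts = urllib.parse.urlsplit(base_url)
    if parts.scheme != "https" or not parts.netloc:
        # Basic auth sends the token or password on every request.
        raise ValueError("Jira URL must be an absolute https:// URL")
    # Assumption: default Jira key pattern (letters, digits, underscore).
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9_]+", project_key):
        raise ValueError("unexpected characters in project key")
    root = base_url.rstrip("/")
    basic = base64.b64encode(f"{user}:{secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}", "Accept": "application/json"}
    paths = ("/rest/api/2/myself", f"/rest/api/2/project/{project_key}")
    return [urllib.request.Request(root + p, headers=headers) for p in paths]


def check_issue_type(project_json, wanted):
    """Return True if the project offers the issue type, else raise LookupError."""
    names = [t["name"] for t in json.loads(project_json).get("issueTypes", [])]
    if wanted not in names:
        raise LookupError(f"issue type {wanted!r} not offered; available: {names}")
    return True


def run_preflight(base_url, user, secret, project_key, issue_type):
    """Live check; urlopen raises HTTPError on 401/403/404 responses."""
    me_req, project_req = build_preflight_requests(base_url, user, secret, project_key)
    with urllib.request.urlopen(me_req, timeout=10) as resp:
        json.load(resp)  # credentials accepted
    with urllib.request.urlopen(project_req, timeout=10) as resp:
        return check_issue_type(resp.read(), issue_type)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    print(check_issue_type(SAMPLE_PROJECT, "Bug"))
```

Call run_preflight with the values you plan to enter in the Mandatory section; a 401 from the first request points at the username/token pair, a 404 from the second at the project key or the account's project permissions.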

You can test your integration by creating a sample issue.

You can further configure your integration, for example, by selecting the assigned person or determining the due day. For further information, see Configuring custom fields.

Creating a sample issue to test the integration
  1. From the main menu, select Integrations > Manage Integrations.
  2. From the Manage Integrations page, next to the relevant Jira integration, select Edit.
  3. Select Create Sample Issue.

Invicti Enterprise exports a sample issue to Jira to test the integration. If successful, the following ticket is opened in Jira: 

How to edit the Jira integration
  1. From the main menu, select Integrations > Manage Integrations.
  2. Next to the relevant Jira integration, select Edit.
  3. Make the necessary changes, and select Save.

How to delete the Jira integration
  1. From the main menu, select Integrations > Manage Integrations.
  2. Next to the relevant Jira integration, select Delete.
  3. From the Delete Integration pop-up, select Delete.

How to clone the Jira integration

You can clone your integration to create as many Jira integrations as you need. However, due to security precautions, access tokens or passwords cannot be cloned. 

  1. From the main menu, select Integrations > Manage Integrations.
  2. Next to the relevant Jira integration, select Clone.
  3. Make the necessary changes, and select Save.

Exporting issues to Jira

There are several ways to send issues to Jira with Invicti Enterprise:

How to export reported issues to projects in Jira
  • Once the integration has been configured, you can configure Invicti Enterprise to automatically send issues to Jira after scanning has been completed. For further information, see Managing Notifications.
  • You can send one or more issues from the Issues page:
    1. From the main menu, select Issues > All Issues.
    2. On the Issues page, select one or more issues you want to send.
    3. Select Send To > Jira.

A pop-up is displayed, with a link to the issue you have sent to Jira. If there is an error, this information will be displayed instead.

  • You can send an issue from the Recent Scans page:
    1. From the main menu, select Scans > Recent Scans.
    2. Next to the relevant scan, select Report.
    3. Scroll down to the Technical Report section.
    4. From the list of detected issues, select an issue and display its details.
    5. Select Send To > Jira.

You can view the issues you have sent to Jira on the Open issues page. 

If you have previously submitted this vulnerability to Jira, it is already accessible there. You cannot submit the same issue twice.

Registering webhook for 2-way integration 

Invicti Enterprise has out-of-the-box support for resolving and reactivating Jira issues according to the scan results, in addition to automatic issue creation. Invicti Enterprise uses user-provided Resolved and Reopened statuses in Jira for this purpose.

To enhance issue synchronization support, Invicti Enterprise also offers webhook support. This enables you to detect any status changes in Jira issues opened by Invicti Enterprise. That can help you:

  • Streamline issue resolution
  • Cut down on communication overhead
  • Allow developers to work on vulnerabilities without leaving the Jira environment

Invicti Enterprise generates a Webhook URL after you save your integration settings. When you register this link as a webhook in your Jira project and enter your preferred Resolved and Reopen statuses, you complete Invicti Enterprise issue synchronization for your integration.

When you change your Jira issue’s status to your preferred Resolved status, the issue is automatically marked as Fixed (Unconfirmed) in Invicti Enterprise and a retest scan is started. And, when you change your Jira issue’s status to your preferred Reopened status, your corresponding Invicti Enterprise issue is automatically marked as Revived.

For further information, see Fix vulnerabilities faster with Invicti’s 2-way Jira integration.

The Webhook Settings field

This table lists and explains the Webhook fields on the Update Jira Integration page.

Button/Section/Field | Description
Webhook URL | This is the URL you need to enter in Jira to create the 2-way integration.
Reopen Status | This is the status of the reopened issues or tickets. This can be: To Do or In Progress.
Resolved Status | This is the status name of the resolved issues or tickets. By default, it is Done.

There are only two categories (To Do and In Progress) for the Reopen status in Jira and there is only a single category for the Resolved status (Done). 

Other categories added afterward are referred to as aliases, and these values cannot be used for integration with Invicti Enterprise. Please pay attention to the category definitions when defining your workflow.

How to register an Invicti Enterprise Jira Integration Webhook
  1. From the main menu, select Integrations > Manage Integrations.
  2. Next to the relevant Jira integration, select Edit.
  3. From the Webhook Settings section, select Copy to clipboard to copy the Webhook URL.
  4. In a separate window, go to Jira.
  5. From the main menu, go to Settings > System > WebHooks.
  6. On the WebHooks page, select Create a WebHook.
  7. In the URL field, paste in the Webhook URL (from step 3).
  8. In the Issue related events field, select the updated checkbox in the Issue column.
  9. In the Jira Software related events field, enable the Exclude body option on Jira Webhook settings to prevent unnecessary data transfer. If data transfer is turned on, it may interfere with transfer limits and disrupt synchronization. (If you are going to make this change, it is essential to update the integration address.)
  10. Select Create.

If you modify your project details and save them after you have created the webhook URL and entered it into Jira, the webhook URL changes. You then need to copy the new webhook URL and paste it into Jira. If you do not, your 2-way integration does not work.

Configuring custom fields

You can customize your Jira integration thanks to the custom fields. For example, you can choose the person who will be responsible for issues identified by Invicti. Or, you can choose the priority level for the issue. 

You can delete custom fields available or add new fields based on your needs. 

This step is optional but crucial to configure your integration. 

The Jira field mappings field

This table lists and explains the default Jira field mappings on the Jira Integration page.

The following fields appear by default in the drop-down. There may be additional fields based on your project and issue type.

Button/Section/Field | Description
Assigned to | This is the user to whom the issue is assigned by default.
Reporter | This is the user who reports issues.
Labels | These are the issue labels.
Components | These are the components that you need to create on Jira. You can learn more about the components via the Jira support. Typing component names provides the list of component(s) that you can select. You can select more than one component.
Security Level | This is the issue security level. You need to define this level in Jira, so you can control which user or group of users can view an issue. If there is no level defined, “No research found” is displayed. For further information, see Configuring issue-level security.
Due Days | This is the number of days from the date the issue was created to the date it is due.
Priority | This is the priority of the issue. This is mapped between Invicti and Jira. You can map an Invicti priority level to a Jira priority. For example, you can map a high priority in Invicti to the highest priority in Jira. If you don’t map any priority level, Invicti sends all issues as “medium”. If you map only one level, for example, highest, the rest of the issues are sent as medium.
Epic Link | This is an epic key. You need to copy the epic key from Jira and paste it into this field.
Epic Name | This is the epic name. You can write any name you want. Invicti creates this epic name in Jira. When you send any issue, including sample issue creation, Invicti creates the epic name in Jira. The epic name option appears only if you select the issue type as Epic. Note: You cannot select an epic name and epic link for the same integration.

Prerequisite

How to add a new field
  1. From the Jira Field Mappings section, select + New Jira Field.
  2. From the Field Name drop-down, select a value. (For this example, we select Priority.)
  3. From the Invicti Security drop-down, select Critical.
  4. From the Jira Value drop-down, select Highest.
  5. Select Save.

Configuring complex fields

In addition to these custom fields, your project can include complex fields, such as a date picker. When mapping such complex fields, you need to enter their values in a certain way. For example, you need to use double quotes or square brackets.

How to configure complex fields
  1. From the Jira Field Mappings section, select + New Jira Field.
  2. From the Field Name drop-down, select a value. (For example, Date Picker.)
  3. In the Jira Value, enter the following information, for example.
  4. From the Jira Field Mappings section, select + New Jira Field.
  5. From the Field Name drop-down, select a value. (For example, Release Version.)
  6. In the Jira Value, enter the following information, for example.
  7. From the Jira Field Mappings section, select + New Jira Field.
  8. Now, from the Field Name drop-down, select a value. (For example, Caution.)
  9. In the Jira Value, enter the following information, for example.
  10. Select Create Sample Issue.

If successful, Invicti displays a success message and a link to the ticket. 

You can view the issue you have sent to Jira in the following way:
