HashiCorp Cloud Platform
scan jira
Note
You must have version 0.5.0 or higher of the Vault Radar CLI installed.
To check the current version of your CLI, use the version command.
The scan jira
command is used for scanning an Atlassian Jira Cloud or Jira Server
instance. We currently support scanning the latest version of Jira issue
description and all issue comments.
Authentication
The vault-radar
needs some authentication credentials in order to be able to
make requests to the Jira Cloud instance.
Jira Cloud
This means your instance is hosted by Atlassian, and your instance URL should have ".atlassian.net" in it.
For cloud, there's only one supported patern and it requires an Atlassian API Token and the email of the account that the token belongs to.
In order to provide the information to vault-radar
, assign the appropriate
values to both of these environment variables:
Jira Server
For self hosted versions of Jira, there are up to 2 different patterns possible.
Jira Software Version 8.14 and higher support creating a Personal Access Token
for a
user.
The token will have all the same access rights as the user who creates it. To
use the token set the following environment variable to the generated token:
JIRA_PERSONAL_ACCESS_TOKEN
Using a personal access token is more secure and should be the preferred access pattern. A personal access token is easier to revoke and regenerate, and generally has a smaller blast radius than a password.
All versions of Jira server supports authorization using the Username (not the email), and Password. To authenticate using these credentials set both of these environment variables:
Usage
Usage: vault-radar scan jira [options]
Command options
--url, -u
: The url of the Jira instance to scan (required)--project-key, -p
: Specifies the Jira project to scan--issue-key, -i
: Specifies the Jira issue to scan--outfile, -o
: Specifies the file to store information about found secrets--format, -f
: Specifies the output format, csv and json are supported. Defaults to csv--baseline, -b
: Specifies the file with previous scan results. Only new secrets will be reported.--limit, -l
: Specifies the maximum number of secrets to be reported. The scan will stop when the limit is reached--issue-limit
: Specifies the maximum number of Jira issues to scan--index-file
: Specifies the index file path to use in order to determine which risks are Vaulted--offline
: Specifies that the scan should be run in offline mode, without connecting to HCP--disable-ui
: Specifies that the scan summary should not be logged to stdout--skip-activeness
: If specified, skips activeness checks
Examples
The following examples all assume you have already set the appropriate environment variable or that you intend to include them as part of the command you run.
Scan an issue
scan an issue and write the results to an outfile in CSV format, this is the default format for output.
$ vault-radar scan jira -u <INSTANCE URL> -i <ISSUE ID> -o <PATH TO OUTPUT>.csv
Scan an issue and output JSON
scan an issue and write the results to an outfile in JSON format.
$ vault-radar scan jira -u <INSTANCE URL> -i <ISSUE ID> \
-o <PATH TO OUTPUT>.json \
-f json
Scan a Project
Scan a project and write the results to an outfile.
$ vault-radar scan jira -u <INSTANCE URL> -p <PROJECT KEY> \
-o <PATH TO OUTPUT>.csv
Scan using a baseline file
Perform a scan using a previous scan's result and write the new changes to an outfile.
$ vault-radar scan jira -u <INSTANCE URL> -p <PROJECT KEY> \
-b <PATH TO BASELINE> \
-o <PATH TO OUTPUT>.csv
HCP connection scanning behavior
The default behavior of scan commands is to require an HCP cloud connection to scan. This is to ensure that hashes are generated using a shared salt from the cloud keeping consistency across scans. In order to populate the HCP connection information needed, refer to the HCP upload page.
To allow for scanning to continue working without the need for HCP cloud
connection you can use the new --offline
flag as such.
$ vault-radar scan jira --offline -u <INSTANCE URL> -p <PROJECT KEY> \
-o <PATH TO OUTPUT>.csv
Scan using a Vault index file
Perform a scan using a generated vault index and write the results to an outfile.
$ vault-radar scan jira -u <INSTANCE URL> -p <PROJECT KEY> \
--index-file <PATH TO VAULT INDEX>.jsonl \
-o <PATH TO OUTPUT>.csv
Scan and restrict the number of secrets found
Scan a project and write the results to an outfile and stop scanning when the defined number of secrets are found.
$ vault-radar scan jira -u <INSTANCE URL> -p <PROJECT KEY> \
-o <PATH TO OUTPUT>.csv \
-l <NUM OF SECRETS>
Scan and restrict the number of issues scanned
Scan a project and write the results to an outfile and stop scanning when the defined number of issues has been scanned.
$ vault-radar scan jira -u <INSTANCE URL> -p <PROJECT KEY> \
-o <PATH TO OUTPUT>.csv \
--issue-limit <NUM OF ISSUES>