
Feature request: Creation of bug in Jira based on Github security alert for vulnerable dependencies

Open elsewhat opened this issue 7 years ago • 3 comments

In 2018, Github introduced security alerts for vulnerable dependencies in repos ref https://help.github.com/articles/about-security-alerts-for-vulnerable-dependencies/

This is an important security feature and many organisations would like to:

  1. Act immediately by evaluating the impact the vulnerability has on their solutions
  2. Keep a paper trail on decision process for the vulnerability.

To achieve this, many use Jira today. It would make sense to extend the Github to Jira extension to allow the creation of new bug issues of high criticality when a vulnerability alert is triggered for a given Github repo. Since April 2018 there exists a webhook in Github for the vulnerability alerts which can be used for this new feature ref https://developer.github.com/changes/2018-04-24-preview-dependency-graph-and-vulnerability-hooks/

elsewhat avatar Nov 29 '18 12:11 elsewhat
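As an added example (not code from this issue thread or from the github-for-jira project), this is what the requested feature amounts to on the receiving end: verify the HMAC in GitHub's `X-Hub-Signature-256` header so only genuine deliveries are acted on, then map a newly created vulnerability alert to a Jira "create issue" request of type Bug whose priority follows the alert severity, while ignoring dismiss/resolve actions so re-deliveries do not open duplicate tickets. The payload is constructed; its field names are an assumption modelled on the shape of the `repository_vulnerability_alert` event and should be checked against GitHub's current webhook docs before use (newer Dependabot alert deliveries use a different event and nest severity under the advisory). The project key, secret, package name and advisory reference are placeholders.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample delivery. Field names are assumed from the
# repository_vulnerability_alert event shape; verify against GitHub's docs.
SAMPLE_SECRET = b"constructed-webhook-secret"  # placeholder, not a real secret
SAMPLE_PAYLOAD = {
    "action": "create",
    "alert": {
        "affected_package_name": "example-package",        # placeholder
        "affected_range": "< 1.2.3",                        # placeholder
        "fixed_in": "1.2.3",                                # placeholder
        "severity": "high",
        "external_identifier": "ADVISORY-ID-PLACEHOLDER",
        "external_reference": "https://example.invalid/advisory",
    },
    "repository": {"full_name": "example-org/example-repo"},
}
SAMPLE_BODY = json.dumps(SAMPLE_PAYLOAD).encode()

# GitHub severity -> default Jira priority names. An unrecognised severity
# maps to "Highest" so that a new or unknown level is never under-triaged.
SEVERITY_TO_PRIORITY = {
    "critical": "Highest",
    "high": "High",
    "moderate": "Medium",
    "low": "Low",
}


def sign(secret: bytes, body: bytes) -> str:
    """Compute the X-Hub-Signature-256 value GitHub attaches to a delivery."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header_value: Optional[str]) -> bool:
    """Accept a delivery only if its HMAC matches; compare in constant time."""
    if not header_value or not header_value.startswith("sha256="):
        return False
    return hmac.compare_digest(sign(secret, body), header_value)


def alert_to_jira_issue(payload: dict, project_key: str) -> Optional[dict]:
    """Map a newly created alert to a Jira REST 'create issue' request body.

    Returns None for any action other than "create" (dismiss, resolve), so
    those deliveries never open a second ticket for the same alert.
    """
    if payload.get("action") != "create":
        return None
    alert = payload["alert"]
    repo = payload["repository"]["full_name"]
    severity = str(alert.get("severity", "")).lower()
    priority = SEVERITY_TO_PRIORITY.get(severity, "Highest")
    summary = (
        f"[{repo}] Vulnerable dependency {alert['affected_package_name']} "
        f"{alert['affected_range']}"
    )
    # Keep the paper trail the issue asks for: advisory id, reference, fix.
    description = (
        f"Repository: {repo}\n"
        f"Package: {alert['affected_package_name']} ({alert['affected_range']})\n"
        f"Fixed in: {alert.get('fixed_in', 'unknown')}\n"
        f"Advisory: {alert.get('external_identifier', 'n/a')} "
        f"{alert.get('external_reference', '')}\n"
        f"GitHub severity: {severity or 'unknown'}"
    )
    return {
        "fields": {
            "project": {"key": project_key},
            "summary": summary,
            "description": description,
            "issuetype": {"name": "Bug"},
            "priority": {"name": priority},
        }
    }


def handle_delivery(secret: bytes, body: bytes, signature_header: Optional[str],
                    project_key: str) -> Optional[dict]:
    """Full receiver path: authenticate the delivery, then build the Jira request."""
    if not verify_signature(secret, body, signature_header):
        raise PermissionError("webhook signature mismatch; delivery rejected")
    return alert_to_jira_issue(json.loads(body), project_key)


if __name__ == "__main__":
    header = sign(SAMPLE_SECRET, SAMPLE_BODY)  # what GitHub would send
    print(json.dumps(handle_delivery(SAMPLE_SECRET, SAMPLE_BODY, header, "SEC"), indent=2))
```

The returned dictionary is the body you would POST to Jira's create-issue REST endpoint; the signature check happens before the body is even parsed, so a forged or tampered delivery cannot create tickets.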

Hi @elsewhat. I'm from a team at Atlassian that is currently in the process of migrating the ownership over to us from GitHub. As a part of this, we're currently going through the backlog of issues and prs to see what can still be addressed and what should be closed.

I've flagged this with the 'to-triage' label so my team can discuss. We'll keep you posted on the status of this.

rachellerathbone avatar May 17 '21 06:05 rachellerathbone

If you need inspiration, we built a GitHub Action for mapping security alerts to Jira tickets: https://github.com/reload/github-security-jira

arnested avatar May 17 '21 12:05 arnested

If you are looking at integrating code scanning alerts with Jira (both ways) - take a look at https://github.com/github/ghas-jira-integration

datanerd avatar Jun 22 '22 12:06 datanerd

Hey @elsewhat. We merged support for GH's code scanning alert webhook back in April. Is this what you are after? https://github.com/atlassian/github-for-jira/pull/712

rachellerathbone avatar Aug 25 '22 06:08 rachellerathbone

The code scanning alert webhook sounds great, thank you! You can consider this issue closed.

elsewhat avatar Aug 25 '22 06:08 elsewhat

Awesome!

rachellerathbone avatar Aug 25 '22 10:08 rachellerathbone

Correct me if I'm wrong, @elsewhat, but wasn't this issue for vulnerable dependencies like Dependabot alerts? #712 is for code scanning like finding vulnerable code, no? I'm still hoping for Dependabot support.

cgriego avatar Aug 25 '22 18:08 cgriego