Jira Plugins

SecureFlag Knowledge Base for Jira Plugins

Contextual software security training for Jira issues, powered by the SecureFlag knowledge base.

This app responds to issues that mention security vulnerabilities, with a recommended lab and information from the SecureFlag Knowledge Base. Each reply includes an overview of everything a developer needs to know in order to understand and remediate a given type of vulnerability, including example code!

We know that not all developers are security professionals, so CWE (Common Weakness Enumeration) numbers for common vulnerabilities are mapped to the Knowledge Base, providing a description of the vulnerability that is quick and easy to use and apply.

Jira Cloud Plugin

Jira Data Center Plugin

Jira Cloud Plugin

Installation

Access the app via the Atlassian marketplace here .

Click the Get it now button and select the site on which you wish to install the app.

Admin Settings

Jira administrators can configure:

Project Filter: Controls the app's availability for specific projects.
Issue Type & Label Filter: Restricts the app's visibility by targeting specific issue types and labels.
Match Issue Title Only: Choose whether matching uses only the issue title, or the full title and description for broader context.
AI Enhanced Matching: Enables AI-powered knowledge base matching for more accurate, context-aware results.

Accessing the Configuration

Navigate to the Apps section from the left-hand panel, click the "⋯" (More actions) icon, and select Manage apps.
In Manage apps, you may see a notification stating that app management has moved to Administration. Click Take me there to continue.
Locate the app in the list, select the "⋯" icon, and choose Configure to access its settings.

Configuration Options

Plugin Visibility Settings

Project Filter: Enable this toggle to restrict the app to specific projects.
Issue Types & Labels Filter: Enable this toggle to restrict the app by issue type or label.

Once a filter is enabled, use the corresponding multi-select dropdown to select the applicable projects, issue types, or labels.

Note: If a filter toggle is turned off, the app will remain active for all options in that category by default.

Match Issue Title Only

Match Title Only: Enable this toggle to limit matching to the issue title only.

When the toggle is off, matching uses the full issue title and description. This is the default behavior.

AI Enhanced Matching

Enable AI Enhanced Matching: Enable this toggle to activate AI-enhanced knowledge base matching.
SecureFlag API Access Token: Enter the API access token generated in the SecureFlag Management Portal.

How to generate SecureFlag API Access Token:

Log in to SecureFlag as an Organization Admin. In the Management Portal, click the Settings icon in the top-right corner of the navigation bar.
Scroll to the API Access Tokens section. Select either Read knowledge base or Full Access as the scope, then enter a name for the token and click Generate.
Copy and save the token displayed in the modal as it will not be shown again.

Saving the configuration

After configuring your settings, click Save to apply the changes.

Usage

Simply mention a software vulnerability by name or CWE number in an issue, in either the title or body, and the bot will reply. Common abbreviations are supported as well.

For example:

Hey, there's a XXE vulnerability here. Please fix ASAP.

Hm, there is another XML Entity Expansion vulnerability. Please audit all HTML forms.

The above steps will instigate a response like the one below:

Jira Data Center Plugin

Installation

Before installing the app, check that your Jira instance can access the knowledge-base-api.secureflag.com and knowledge-base.secureflag.com domains, as these are necessary for the app to work. If you have a firewall, it may interfere. These can be tested by running the following:

curl --silent -i https://knowledge-base-api.secureflag.com/vuln/extract/markdown --data '{}' | head -n 1

This should return HTTP/2 400.

curl --silent -i https://knowledge-base.secureflag.com | head -n 1

This should return HTTP/2 200.

Installing directly on the Jira instance:

Log in to your instance of Jira as an admin.
Select the Settings dropdown menu (gear icon on the top right) and choose Manage apps.
Select Find new apps from the left-hand menu.
Once the screen loads, type SecureFlag Knowledge Base in the search bar to find the appropriate app version.
Select Install and follow the prompts to install the app.

Alternatively, you can install the app via Atlassian Marketplace as follows:

Click the Get it now button to download the plugin .obr file.
Within Jira, navigate to the Manage apps or Manage add-ons page. This can be done by clicking on the settings icon at the top right, and clicking either Manage apps or Add-ons, depending on your Jira version. Then, from the sidebar on the left, go to Manage add-ons or Manage apps.
Click on the Upload app link. Then, click Choose File and navigate to where the knowledgebase-X.X.X.obr file was downloaded. Select it.
Click Upload to install the plugin.
A progress bar should be presented. Wait for Jira to finish installing the plugin.
Done!

Admin Settings

Jira administrators can configure:

Project Filter: Control the app's availability for specific projects.
Issue Type & Label Filter: Restrict the app's visibility by targeting specific issue types and labels.
Proxy Settings: Route app traffic through a proxy, with configurable host and port for environments with restricted outbound network access.
Match Issue Title Only: Choose whether matching uses only the issue title or the full title and description for broader context.
AI Enhanced Matching: Enable AI-powered knowledge base matching for more accurate, context-aware results.

Accessing the Configuration

Navigate to Settings (the gear icon on the top right) in the top navigation bar and select Manage apps.
Select Manage apps from the left navigation pane.
Locate the app in the list and click on it to open the details view.
Click Configure to access the settings.