
Haoxi Tan

THE DIG

March 20, 2024

How to Scan Jira for Secrets


What is Jira and why does it have secrets?

Jira is a project management platform made by Atlassian. It's commonly used to manage agile software projects as well as support desks, and integrates with other Atlassian products like Confluence and Bitbucket. Jira tickets contain information related to software tasks, such as development, deployment and infrastructure setup, which is why API keys and credentials can be found throughout Jira.

What is TruffleHog and how does it work?

To scan the contents of a Jira page for secrets, use a secret scanning tool like TruffleHog. TruffleHog is an open-source secrets scanning tool that detects 800 different types of secrets, and verifies secrets by checking the credentials against the actual SaaS providers’ APIs. 

TruffleHog installation instructions can be found here. Now, let’s step through how to scan Jira for secrets.

Scanning Jira

Navigate to the page on Jira that you believe may contain a secret. 

Copy the entire contents of that page via select all (available via the Ctrl-A or Cmd-A keyboard shortcut based on your operating system).

Paste the copied data into a text file on your local machine and then save that file.

Why do you need to copy the entire document? To scan data lightning-fast, some of the secrets that TruffleHog detects require a keyword related to that secret type to be located nearby. Copying the entire Jira document will ensure that context is provided. Read more about our optimizations using keyword preflighting and the Aho-Corasick algorithm here.

Then, use TruffleHog's filesystem command to scan that file for secrets.

trufflehog filesystem jira.txt

Any verified secrets will be shown in green, while unverified results are shown in the normal color of your terminal output.

[Image: An unverified AWS access key output by TruffleHog]

To only see verified results, add the --only-verified flag:

trufflehog filesystem jira.txt --only-verified

After you’re done scanning, we recommend erasing the files from your machine. 
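The following toy scanner is an added example (not TruffleHog's own code) that makes two of the points above concrete: the keyword preflight, which is why the whole Jira page must be copied rather than just the suspicious line, and the verified/unverified split that the --only-verified flag filters on. The detector name "ExampleSaaS", its keywords, the "ex_live_" token format, the sample ticket text and the mock verifier are all constructed for this example; the Aho-Corasick automaton is a standard textbook construction, and the toy treats the whole pasted file as one chunk.

```python
"""Toy keyword-preflighted secret scanner (added example, not TruffleHog's code).

A detector only runs its regex over a chunk of text if one of its cheap
preflight keywords occurs somewhere in that chunk. All keywords of all
detectors are found in a single pass with an Aho-Corasick automaton.
"""
from collections import deque
import re


class AhoCorasick:
    """Multi-keyword matcher: one pass over the text finds every keyword."""

    def __init__(self, keywords):
        self.goto = [{}]      # goto[state][char] -> next state (trie edges)
        self.fail = [0]       # failure link per state
        self.out = [set()]    # keywords recognised when entering each state
        for kw in keywords:
            state = 0
            for ch in kw:
                if ch not in self.goto[state]:
                    self.goto.append({})
                    self.fail.append(0)
                    self.out.append(set())
                    self.goto[state][ch] = len(self.goto) - 1
                state = self.goto[state][ch]
            self.out[state].add(kw)
        # Breadth-first pass builds failure links; depth-1 states fail to root.
        queue = deque(self.goto[0].values())
        while queue:
            state = queue.popleft()
            for ch, nxt in self.goto[state].items():
                queue.append(nxt)
                f = self.fail[state]
                while f and ch not in self.goto[f]:
                    f = self.fail[f]
                self.fail[nxt] = self.goto[f].get(ch, 0)
                self.out[nxt] |= self.out[self.fail[nxt]]

    def found(self, text):
        """Return the set of keywords occurring anywhere in text."""
        state, hits = 0, set()
        for ch in text:
            while state and ch not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(ch, 0)
            hits |= self.out[state]
        return hits


# Constructed detector: the token prefix does NOT contain the keyword, so a
# pasted fragment holding only the token line never passes the preflight.
DETECTORS = [
    {
        "name": "ExampleSaaS",
        "keywords": ["examplesaas", "example saas"],
        "pattern": re.compile(r"\bex_live_[A-Za-z0-9]{24}\b"),
    },
]
AUTOMATA = {d["name"]: AhoCorasick(d["keywords"]) for d in DETECTORS}


def scan(text, verify=None, only_verified=False):
    """Preflight each detector on the lowercased chunk, then run its regex.

    verify: optional callable(secret) -> bool standing in for the live API
    check; only_verified mirrors the --only-verified flag.
    """
    lowered = text.lower()
    results = []
    for d in DETECTORS:
        if not AUTOMATA[d["name"]].found(lowered):
            continue  # no keyword in the chunk: skip the regex entirely
        for m in d["pattern"].finditer(text):
            verified = bool(verify(m.group(0))) if verify else False
            if only_verified and not verified:
                continue
            results.append({"detector": d["name"], "raw": m.group(0), "verified": verified})
    return results


# Constructed sample: a whole Jira ticket versus just its token line.
FULL_PAGE = """\
DEVOPS-412  Set up billing webhook for the ExampleSaaS integration

Description:
The webhook worker needs the production API token. Steps so far:
1. Created the token in the vendor console.
2. Exported it on the staging box:
   export TOKEN=ex_live_abcdefghijklmnopqrstuvwx
3. Old rotated token for reference: ex_live_000000000000000000000000
"""
FRAGMENT = "export TOKEN=ex_live_abcdefghijklmnopqrstuvwx\n"

# Constructed stand-in for the provider API: only one token is still live.
LIVE_TOKENS = {"ex_live_abcdefghijklmnopqrstuvwx"}


def mock_verify(secret):
    return secret in LIVE_TOKENS


if __name__ == "__main__":
    print("fragment only :", scan(FRAGMENT))
    for r in scan(FULL_PAGE, verify=mock_verify):
        colour = "\033[32m" if r["verified"] else ""   # verified shown in green
        print(f"{colour}{r['detector']}: {r['raw']} verified={r['verified']}\033[0m")
```

Running it shows the fragment producing nothing, because the preflight never sees a keyword, while the full ticket yields both tokens, and only the live one survives the --only-verified style filter.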

TruffleHog’s Native Jira Integration

The copy/paste method outlined above is effective in detecting secrets; however, it is time-consuming. If you work in an organization that requires scanning a large volume of Jira data, consider evaluating TruffleHog Enterprise.

TruffleHog Enterprise scans Jira for secrets using Jira’s API and requires no manual intervention. Additionally, TruffleHog Enterprise looks through Jira version control (history) to ensure secrets aren’t buried in old page edits and other places that secrets tend to hide.

For more information on TruffleHog Enterprise, please visit https://trufflesecurity.com/trufflehog-enterprise