Atlassian products like Jira are widely used in software development, and secrets such as API keys can inadvertently end up leaked in them. Scanning for leaked secrets with TruffleHog helps mitigate this risk. In this blog post, we'll demonstrate how to use TruffleHog to scan your Jira instance for exposed secrets, helping you maintain a secure development environment.
Pre-Work:
You will need a Jira API Key for a service account in order to configure Jira scanning. This key can be provided to you by a Jira administrator at your organization; documentation for which can be found here.
In addition, you will need access to a TruffleHog Enterprise instance. For more information on TruffleHog Enterprise and to explore its full functionality, see https://trufflesecurity.com/trufflehog-enterprise.
Getting Started:
When configuring TruffleHog to scan Jira for leaked secrets, you have two scanning options: hosted or on-prem. The hosted option allows you to use TruffleHog's cloud service, simplifying the setup process and offering seamless integration.
On the other hand, the on-prem option gives you full control over the scanning process, allowing you to run TruffleHog within your own infrastructure. To learn more about these options and how to get started, visit our documentation here. We’ll go through both examples; however, the on-prem scanning section assumes that you already have a hosted scanner set up and working.
Scanning Jira with a Hosted Scanner:
From your TruffleHog dashboard, navigate to the Integrations page:
In the upper right hand corner, select “Add Integration”:
Choose “Source” integration:
Search for “Jira” and select the Jira button:
Select the type of integration:
Select the “On Truffle’s servers” option (this is the Hosted Scanner option):
Fill out the information for your Jira instance, select how often the scanning should occur (default is every 12 hours), and click “Add Integration”.
Scanning Jira with an On-Prem Scanner:
Locally-configured sources are configured in your config.yaml file under the sources field. You can learn more about configuring definitions as well as configuring additional sources by visiting our documentation here. TruffleHog’s standard scanning cadence is once every 12 hours, but this is configurable via the yaml file.
For on-prem Jira instances, you have two authentication options: (1) basic authentication (a username and password), or (2) a personal access token (PAT). For Jira Cloud instances, only a username and API token are compatible.
Configure Scanning Jira with Basic Authentication (Cloud and On-Prem Jira):
Configure Scanning Jira with personal access token (PAT) (On-Prem Jira ONLY):
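The YAML for the two authentication modes above is shown in the screenshots, so here is an added, stand-alone Python illustration (not TruffleHog's code and not its config.yaml schema; the JiraSource field names are hypothetical) of the rule the post describes: a Cloud instance (hosted under atlassian.net) must use a username plus API token, an on-prem instance may use basic auth or a PAT, never both, and the scan period must be a valid duration.

```python
import base64
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical field names for one Jira source entry; TruffleHog's real
# config.yaml layout is in the post's screenshots and is not reproduced here.
@dataclass
class JiraSource:
    url: str
    username: Optional[str] = None
    secret: Optional[str] = None   # password (on-prem) or API token (Cloud)
    pat: Optional[str] = None      # personal access token (on-prem only)
    scan_period: str = "12h"       # default cadence stated in the post

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_scan_period(period: str) -> int:
    """Convert a duration such as '12h' or '90m' to seconds; reject junk."""
    m = re.fullmatch(r"(\d+)([smhd])", period.strip())
    if not m:
        raise ValueError(f"unparseable scan period: {period!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]

def is_jira_cloud(url: str) -> bool:
    """Atlassian-hosted (Cloud) sites live under *.atlassian.net."""
    host = re.sub(r"^https?://", "", url).split("/")[0].lower()
    return host.endswith(".atlassian.net")

def select_auth(src: JiraSource) -> str:
    """Return the Authorization header value a scanner would send to Jira,
    enforcing the post's rule: Cloud = username + API token (HTTP Basic);
    on-prem = basic auth or a PAT (sent as a Bearer token), exactly one."""
    parse_scan_period(src.scan_period)  # fail early on a bad cadence
    has_basic = bool(src.username and src.secret)
    has_pat = bool(src.pat)
    if has_basic and has_pat:
        raise ValueError("configure either basic auth or a PAT, not both")
    if has_pat:
        if is_jira_cloud(src.url):
            raise ValueError("Jira Cloud does not accept PATs; use username + API token")
        return f"Bearer {src.pat}"
    if has_basic:
        creds = base64.b64encode(f"{src.username}:{src.secret}".encode()).decode()
        return f"Basic {creds}"
    raise ValueError("no credentials supplied for Jira source")
```

The constructed URLs and credentials are placeholders; a real scanner would send the returned header on each request to the Jira REST API.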
You have now successfully enabled Jira scanning using your TruffleHog instance. Upon creation, a scan will automatically commence, and additional scans will then run based on the “Duration between scans” (scanPeriod) set during the Jira scanning setup process.
Once a scan completes, navigate to the “Secrets” page to view the live secrets TruffleHog discovered:
To see only the secrets found within Jira, click “Filters” in the upper right hand corner and select “Source Type” from the dropdown:
Then filter by a Source Type of “Jira”.