Skip to Content
SCA & DependenciesJira Integration

Jira Integration

Connect your Jira instance to CodeStax to create and track remediation tickets directly from SCA vulnerability findings.

Connecting Jira

Jira connection credentials are configured in SCA > Global Settings, on the Jira tab (not on the SCA > Jira page, which is used only to create and track tickets). Provide the following:

  • Jira Base URL — Your Atlassian instance URL (e.g., https://yourorg.atlassian.net).
  • Project Key — The default Jira project where tickets will be created (e.g., SEC).
  • API Token — A Jira API token generated from your Atlassian account settings. This is stored encrypted at rest.
  • Assignee Email (optional) — Default assignee for new tickets.

Save your Jira settings to enable ticket creation. Once configured, use the SCA > Jira page to create and track tickets from vulnerability findings.

Configuring Bidirectional Status Sync

After saving Jira, CodeStax displays a callback URL and a webhook secret. The callback URL is unique to your organization and Jira site. Copy the secret when it is shown; CodeStax stores it encrypted and does not display it again.

Configure Jira automation to send issue-updated events to the callback URL and include the secret in this request header:

X-CodeStax-Jira-Secret: <your webhook secret>

CodeStax authenticates the site before reading or applying the event. Jira issue keys such as SEC-1 are matched only inside that authenticated organization and Jira site, so identical project keys in another customer account cannot update your findings.

Rotate the secret from the Jira integration settings if it may have been exposed. The callback URL remains stable. The previous secret continues to work for 24 hours so you can update Jira without losing events; after that grace period it is rejected automatically. Treat both secrets as credentials and never place them in source control or ticket content.

Creating Tickets from Vulnerabilities

Single Ticket

From any vulnerability row in the SCA results table, click the Create Jira Ticket button. The ticket is pre-populated with:

  • Summary — CVE ID and affected package name.
  • Description — Severity, installed version, fixed version, advisory link, and remediation guidance.
  • Priority — Mapped from vulnerability severity (see below).

Bulk Ticket Creation

Select multiple vulnerabilities using the checkboxes, then click Bulk Create Tickets. One ticket is created per selected vulnerability. A progress indicator shows creation status.

Ticket Contents

Each Jira ticket includes:

FieldValue
CVE IDe.g., CVE-2024-1234
SeverityCritical, High, Medium, or Low
PackagePackage name and installed version
Fix VersionThe minimum version that resolves the vulnerability
Advisory URLLink to the NVD or GitHub advisory
CVSS ScoreNumeric score when available

Viewing Linked Tickets

The Jira column in the SCA results table shows linked ticket keys (e.g., SEC-142). Click any key to open the ticket in Jira. A status badge displays the current Jira status (To Do, In Progress, Done).

Priority Mapping

Vulnerability severity maps to Jira priority automatically:

SeverityJira Priority
CriticalHighest
HighHigh
MediumMedium
LowLow

Best Practices

  • Use a dedicated Jira project for security findings to keep them organized and apply project-level automation.
  • Set up Jira automation rules to notify developers when tickets are assigned.
  • Combine with SLA policies so that Jira due dates align with your remediation deadlines.
  • Use bulk creation after scans to quickly triage and assign new critical and high findings.
  • Close tickets in Jira once the fix is verified by a subsequent scan; CodeStax does not auto-close tickets.
  • Limit API token scope to the specific project for least-privilege access.