Jira Integration
Connect your Jira instance to CodeStax to create and track remediation tickets directly from SCA vulnerability findings.
Connecting Jira
Jira connection credentials are configured in SCA > Global Settings, on the Jira tab (not on the SCA > Jira page, which is used only to create and track tickets). Provide the following:
- Jira Base URL — Your Atlassian instance URL (e.g.,
https://yourorg.atlassian.net). - Project Key — The default Jira project where tickets will be created (e.g.,
SEC). - API Token — A Jira API token generated from your Atlassian account settings. This is stored encrypted at rest.
- Assignee Email (optional) — Default assignee for new tickets.
Save your Jira settings to enable ticket creation. Once configured, use the SCA > Jira page to create and track tickets from vulnerability findings.
Configuring Bidirectional Status Sync
After saving Jira, CodeStax displays a callback URL and a webhook secret. The callback URL is unique to your organization and Jira site. Copy the secret when it is shown; CodeStax stores it encrypted and does not display it again.
Configure Jira automation to send issue-updated events to the callback URL and include the secret in this request header:
X-CodeStax-Jira-Secret: <your webhook secret>CodeStax authenticates the site before reading or applying the event. Jira issue keys such as SEC-1 are matched only inside that authenticated organization and Jira site, so identical project keys in another customer account cannot update your findings.
Rotate the secret from the Jira integration settings if it may have been exposed. The callback URL remains stable. The previous secret continues to work for 24 hours so you can update Jira without losing events; after that grace period it is rejected automatically. Treat both secrets as credentials and never place them in source control or ticket content.
Creating Tickets from Vulnerabilities
Single Ticket
From any vulnerability row in the SCA results table, click the Create Jira Ticket button. The ticket is pre-populated with:
- Summary — CVE ID and affected package name.
- Description — Severity, installed version, fixed version, advisory link, and remediation guidance.
- Priority — Mapped from vulnerability severity (see below).
Bulk Ticket Creation
Select multiple vulnerabilities using the checkboxes, then click Bulk Create Tickets. One ticket is created per selected vulnerability. A progress indicator shows creation status.
Ticket Contents
Each Jira ticket includes:
| Field | Value |
|---|---|
| CVE ID | e.g., CVE-2024-1234 |
| Severity | Critical, High, Medium, or Low |
| Package | Package name and installed version |
| Fix Version | The minimum version that resolves the vulnerability |
| Advisory URL | Link to the NVD or GitHub advisory |
| CVSS Score | Numeric score when available |
Viewing Linked Tickets
The Jira column in the SCA results table shows linked ticket keys (e.g., SEC-142). Click any key to open the ticket in Jira. A status badge displays the current Jira status (To Do, In Progress, Done).
Priority Mapping
Vulnerability severity maps to Jira priority automatically:
| Severity | Jira Priority |
|---|---|
| Critical | Highest |
| High | High |
| Medium | Medium |
| Low | Low |
Best Practices
- Use a dedicated Jira project for security findings to keep them organized and apply project-level automation.
- Set up Jira automation rules to notify developers when tickets are assigned.
- Combine with SLA policies so that Jira due dates align with your remediation deadlines.
- Use bulk creation after scans to quickly triage and assign new critical and high findings.
- Close tickets in Jira once the fix is verified by a subsequent scan; CodeStax does not auto-close tickets.
- Limit API token scope to the specific project for least-privilege access.