Developer
News and Updates
Get Support
Sign in
Get Support
Sign in
DOCUMENTATION
Cloud
Data Center
Resources
Sign in
Sign in
DOCUMENTATION
Cloud
Data Center
Resources
Sign in
  • Backlog
  • Board
  • Epic
  • Issue
  • Sprint
  • Development Information
  • Feature Flags
  • Deployments
  • Builds
  • Security Information
  • Operations
  • DevOps Components
Cloud
Jira Software Cloud / Reference / REST API

Security Information

Postman Collection
OpenAPI

Send security information to Jira Software and enable your teams to turn unplanned vulnerabilities into planned and tracked work.

Security is everyone's responsibility, and the security feature in Jira lets you triage and track relevant vulnerabilities as a team. Discuss and prioritise issues, minimise errors and duplication, and plan security work to complete in your sprints.

APIs related to integrating Security information with Jira Software are available to Atlassian Connect apps. To use these APIs you must have a security info provider module in your Connect app's descriptor. See https://developer.atlassian.com/cloud/jira/software/modules/security-information/.

These APIs are available to Forge apps with the devops:securityInfoProvider module in the Forge app's manifest. See https://developer.atlassian.com/platform/forge/manifest-reference/modules/jira-software-security-info/.

POST

Submit Security Workspaces to link

Insert Security Workspace IDs to establish a relationship between them and the Jira site the app is installed on. If a relationship between the workspace ID and Jira already exists then the workspace ID will be ignored and Jira will process the rest of the entries.

Data Security Policy: Not exempt from app access rules
Scopes
write:security:jira

Connect app scope requiredWRITE

Request

Header parameters

Authorization

string

Required

Request bodyapplication/json

Security Workspace IDs to submit.

workspaceIds

array<string>

Required

Responses

Submission accepted. Each submitted Security Workspace ID will be linked to Jira.

POST/rest/security/1.0/linkedWorkspaces/bulk
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 // This sample uses Atlassian Forge // https://developer.atlassian.com/platform/forge/ import { requestJira } from "@forge/bridge"; var bodyData = `{ "workspaceIds": [ "111-222-333", "444-555-666" ] }`; const response = await requestJira(`/rest/security/1.0/linkedWorkspaces/bulk`, { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: bodyData }); console.log(`Response: ${response.status} ${response.statusText}`); console.log(await response.text());
DEL

Delete linked Security Workspaces

Bulk delete all linked Security Workspaces that match the given request.

e.g. DELETE /bulk?workspaceIds=111-222-333,444-555-666

Data Security Policy: Not exempt from app access rules
Scopes
delete:security:jira

Connect app scope requiredDELETE

Request

Header parameters

Authorization

string

Required

Responses

Delete accepted. Workspaces and related data will eventually be removed from Jira.

DEL/rest/security/1.0/linkedWorkspaces/bulk
1 2 3 4 5 6 7 8 9 10 // This sample uses Atlassian Forge // https://developer.atlassian.com/platform/forge/ import { requestJira } from "@forge/bridge"; const response = await requestJira(`/rest/security/1.0/linkedWorkspaces/bulk`, { method: 'DELETE' }); console.log(`Response: ${response.status} ${response.statusText}`); console.log(await response.text());
GET

Get linked Security Workspaces

Retrieve all Security Workspaces linked with the Jira site. The result will be what is currently stored, ignoring any pending updates or deletes.

Data Security Policy: Not exempt from app access rules
Scopes
read:security:jira

Connect app scope requiredREAD

Request

Header parameters

Authorization

string

Required

Responses

A list of all stored workspace IDs.

application/json

SecurityWorkspaceIds

The payload of linked Security Workspace IDs.

GET/rest/security/1.0/linkedWorkspaces
1 2 3 4 5 6 7 8 9 10 11 12 // This sample uses Atlassian Forge // https://developer.atlassian.com/platform/forge/ import { requestJira } from "@forge/bridge"; const response = await requestJira(`/rest/security/1.0/linkedWorkspaces`, { headers: { 'Accept': 'application/json' } }); console.log(`Response: ${response.status} ${response.statusText}`); console.log(await response.json());
200Response
1 2 3 4 5 6 { "workspaceIds": [ "111-222-333", "444-555-666" ] }
GET

Get a linked Security Workspace by ID

Retrieve a specific Security Workspace linked to the Jira site for the given workspace ID. The result will be what is currently stored, ignoring any pending updates or deletes.

Data Security Policy: Not exempt from app access rules
Scopes
read:security:jira

Connect app scope requiredREAD

Request

Path parameters

workspaceId

string

Required

Header parameters

Authorization

string

Required

Responses

The Security Workspace information stored for the given ID.

application/json

SecurityWorkspaceResponse

The Security Workspace information stored for the given ID.

GET/rest/security/1.0/linkedWorkspaces/{workspaceId}
1 2 3 4 5 6 7 8 9 10 11 12 // This sample uses Atlassian Forge // https://developer.atlassian.com/platform/forge/ import { requestJira } from "@forge/bridge"; const response = await requestJira(`/rest/security/1.0/linkedWorkspaces/{workspaceId}`, { headers: { 'Accept': 'application/json' } }); console.log(`Response: ${response.status} ${response.statusText}`); console.log(await response.json());
200Response
1 2 3 4 { "workspaceId": "111-222-333", "updatedAt": "2020-01-17T09:30:00.000Z" }
POST

Submit Vulnerability data

Update / Insert Vulnerability data.

Vulnerabilities are identified by their ID, any existing Vulnerability data with the same ID will be replaced if it exists and the updateSequenceNumber of the existing data is less than the incoming data.

Submissions are performed asynchronously. Most updates are available within a short period of time but may take some time during peak load and/or maintenance times. The GET vulnerability endpoint can be used to confirm that data has been stored successfully (if needed).

In the case of multiple Vulnerabilities being submitted in one request, each is validated individually prior to submission. Details of Vulnerabilities that failed submission (if any) are available in the response object.

A maximum of 1000 vulnerabilities can be submitted in one request.

Data Security Policy: Not exempt from app access rules
Scopes
write:security:jira

Connect app scope requiredWRITE

Request

Header parameters

Authorization

string

Required

Request bodyapplication/json

Vulnerability data to submit.

operationType

string

properties

Properties

vulnerabilities

array<Vulnerability details>

Required
providerMetadata

ProviderMetadata

Responses

Submission accepted. Each Vulnerability submitted in a valid format will eventually be available in Jira.

Details of any Vulnerabilities that were submitted but failed submission (due to data format problems, etc.) are available in the response object.

application/json

SubmitVulnerabilitiesResponse

The result of a successful submitVulnerabilities request.

POST/rest/security/1.0/bulk
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 // This sample uses Atlassian Forge // https://developer.atlassian.com/platform/forge/ import { requestJira } from "@forge/bridge"; var bodyData = `{ "operationType": "SCAN", "properties": { "accountId": "account-234", "projectId": "project-123" }, "vulnerabilities": [ { "schemaVersion": "1.0", "id": "111-222-333", "updateSequenceNumber": 1523494301448, "containerId": "111-222-333", "displayName": "curl/libcurl3 - Buffer Override", "description": "## Overview\n\n\nAffected versions of this package are vulnerable to MeltLeak", "url": "https://example.com/project/CWE-123/summary", "type": "sca", "introducedDate": "2018-01-20T23:27:25.000Z", "lastUpdated": "2018-01-20T23:27:25.000Z", "severity": { "level": "critical" }, "identifiers": [ { "displayName": "CWE-123", "url": "https://cwe.mitre.org/data/definitions/123.html" } ], "status": "open", "additionalInfo": { "content": "More information on the vulnerability, as a string", "url": "https://example.com/project/CWE-123/additionalInfo" }, "addAssociations": [ { "associationType": "issueIdOrKeys", "values": [ "PROJ-1234" ] } ], "removeAssociations": [ { "associationType": "issueIdOrKeys", "values": [ "PROJ-1234" ] } ], "associationsLastUpdated": "2018-01-20T23:27:25.000Z", "associationsUpdateSequenceNumber": 1523494301448 } ], "providerMetadata": { "product": "Atlassian Security Platform 2.1.0" } }`; const response = await requestJira(`/rest/security/1.0/bulk`, { method: 'POST', headers: { 'Accept': 'application/json', 'Content-Type': 'application/json' }, body: bodyData }); console.log(`Response: ${response.status} ${response.statusText}`); console.log(await response.json());
202Response
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 { "acceptedVulnerabilities": [ "111-222-333", "444-555-666" ], "failedVulnerabilities": {}, "unknownAssociations": [ { "associationType": "issueIdOrKeys", "values": [ "PROJ-1234" ] } ] }
DEL

Delete Vulnerabilities by Property

Bulk delete all Vulnerabilities that match the given request.

One or more query params must be supplied to specify Properties to delete by. If more than one Property is provided, data will be deleted that matches ALL of the Properties (e.g. treated as an AND). Read the POST bulk endpoint documentation for more details.

e.g. DELETE /bulkByProperties?accountId=account-123&createdBy=user-456

Deletion is performed asynchronously. The GET vulnerability endpoint can be used to confirm that data has been deleted successfully (if needed).

Data Security Policy: Not exempt from app access rules
Scopes
delete:security:jira

Connect app scope requiredDELETE

Request

Header parameters

Authorization

string

Required

Responses

Delete accepted. Data will eventually be removed from Jira.

DEL/rest/security/1.0/bulkByProperties
1 2 3 4 5 6 7 8 9 10 // This sample uses Atlassian Forge // https://developer.atlassian.com/platform/forge/ import { requestJira } from "@forge/bridge"; const response = await requestJira(`/rest/security/1.0/bulkByProperties`, { method: 'DELETE' }); console.log(`Response: ${response.status} ${response.statusText}`); console.log(await response.text());
GET

Get a Vulnerability by ID

Retrieve the currently stored Vulnerability data for the given ID. The result will be what is currently stored, ignoring any pending updates or deletes.

Data Security Policy: Not exempt from app access rules
Scopes
read:security:jira

Connect app scope requiredREAD

Request

Path parameters

vulnerabilityId

string

Required

Header parameters

Authorization

string

Required

Responses

The Vulnerability data currently stored for the given ID.

application/json

Vulnerability details

Data related to a specific vulnerability in a specific workspace that the vulnerability is present in. Must specify at least one association.

GET/rest/security/1.0/vulnerability/{vulnerabilityId}
1 2 3 4 5 6 7 8 9 10 11 12 // This sample uses Atlassian Forge // https://developer.atlassian.com/platform/forge/ import { requestJira } from "@forge/bridge"; const response = await requestJira(`/rest/security/1.0/vulnerability/{vulnerabilityId}`, { headers: { 'Accept': 'application/json' } }); console.log(`Response: ${response.status} ${response.statusText}`); console.log(await response.json());
200Response
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 { "schemaVersion": "1.0", "id": "111-222-333", "updateSequenceNumber": 1523494301448, "containerId": "111-222-333", "displayName": "curl/libcurl3 - Buffer Override", "description": "## Overview\n\n\nAffected versions of this package are vulnerable to MeltLeak", "url": "https://example.com/project/CWE-123/summary", "type": "sca", "introducedDate": "2018-01-20T23:27:25.000Z", "lastUpdated": "2018-01-20T23:27:25.000Z", "severity": { "level": "critical" }, "identifiers": [ { "displayName": "CWE-123", "url": "https://cwe.mitre.org/data/definitions/123.html" } ], "status": "open", "additionalInfo": { "content": "More information on the vulnerability, as a string", "url": "https://example.com/project/CWE-123/additionalInfo" }, "addAssociations": [ { "associationType": "issueIdOrKeys", "values": [ "PROJ-1234" ] } ], "removeAssociations": [ { "associationType": "issueIdOrKeys", "values": [ "PROJ-1234" ] } ], "associationsLastUpdated": "2018-01-20T23:27:25.000Z", "associationsUpdateSequenceNumber": 1523494301448 }
DEL

Delete a Vulnerability by ID

Delete the Vulnerability data currently stored for the given ID.

Deletion is performed asynchronously. The GET vulnerability endpoint can be used to confirm that data has been deleted successfully (if needed).

Data Security Policy: Not exempt from app access rules
Scopes
delete:security:jira

Connect app scope requiredDELETE

Request

Path parameters

vulnerabilityId

string

Required

Header parameters

Authorization

string

Required

Responses

Delete has been accepted. If the data exists, it will eventually be removed from Jira.

DEL/rest/security/1.0/vulnerability/{vulnerabilityId}
1 2 3 4 5 6 7 8 9 10 // This sample uses Atlassian Forge // https://developer.atlassian.com/platform/forge/ import { requestJira } from "@forge/bridge"; const response = await requestJira(`/rest/security/1.0/vulnerability/{vulnerabilityId}`, { method: 'DELETE' }); console.log(`Response: ${response.status} ${response.statusText}`); console.log(await response.text());

Rate this page: