Security in Jira GitHub Integration Full Sync

    • Minor

      Issue Summary

      Deleted GitHub code scanning, security, and dependabot alerts are still shown in Jira as Security Vulnerabilities.

      Customers have reported that disconnecting and reconnecting security containers within projects does not correct this discrepancy.

      This is a known issue because GitHub does not send us webhooks for withdrawn or deleted alerts.

      When GitHub for Jira syncs security vulnerabilities, it only updates the ones it finds in GitHub; vulnerabilities that no longer exist in GitHub are orphaned and left untouched.

      We propose cleaning up vulnerabilities via a "full sync" mechanism.
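      An added example (not code from the GitHub for Jira app) modelling the two sync modes the summary describes: the current incremental update, which leaves orphaned vulnerabilities untouched, and a full sync that transitions them to deleted, but only for repository listings that were fetched completely. All repository names and alert numbers are constructed.

```typescript
// Added example, not code from the github-for-jira project: a model of the
// incremental alert sync the issue describes next to the proposed full sync.
type AlertSource = "code_scanning" | "secret_scanning" | "dependabot";
type Status = "open" | "fixed" | "dismissed" | "deleted";
type Listing = { repo: string; source: AlertSource };
interface Vulnerability {
  repo: string;         // "owner/name"
  source: AlertSource;
  alertNumber: number;  // GitHub alert number, unique per repo and source
  status: Status;
}

const key = (v: Vulnerability): string => `${v.repo}:${v.source}:${v.alertNumber}`;

// Current behaviour: everything GitHub returns is upserted; stored entries
// GitHub no longer returns (deleted or withdrawn alerts) are left untouched.
function incrementalSync(stored: Vulnerability[], fromGitHub: Vulnerability[]): Vulnerability[] {
  const merged = new Map<string, Vulnerability>();
  for (const v of [...stored, ...fromGitHub]) merged.set(key(v), { ...v });
  return Array.from(merged.values());
}

// Proposed full sync: after the upsert, a stored entry that GitHub did not
// return is an orphan and is moved to "deleted". `fetched` lists the
// (repo, source) listings that completed, so a failed or partial GitHub
// fetch cannot make a whole repository's alerts look deleted.
function fullSync(stored: Vulnerability[], fromGitHub: Vulnerability[], fetched: Listing[]): Vulnerability[] {
  const seen = new Set(fromGitHub.map(key));
  const complete = new Set(fetched.map((f) => `${f.repo}:${f.source}`));
  return incrementalSync(stored, fromGitHub).map((v): Vulnerability =>
    !seen.has(key(v)) && complete.has(`${v.repo}:${v.source}`) && v.status !== "deleted"
      ? { ...v, status: "deleted" }
      : v,
  );
}

function statusOf(list: Vulnerability[], repo: string, source: AlertSource, n: number): Status | undefined {
  return list.find((v) => v.repo === repo && v.source === source && v.alertNumber === n)?.status;
}
// Constructed sample: Jira holds three alerts; GitHub's code-scanning listing
// for acme/api now returns only alert 9 (alert 7 was deleted via the API), and
// the dependabot listing for acme/web was not fetched in this run.
const STORED: Vulnerability[] = [
  { repo: "acme/api", source: "code_scanning", alertNumber: 7, status: "open" },
  { repo: "acme/api", source: "code_scanning", alertNumber: 9, status: "open" },
  { repo: "acme/web", source: "dependabot", alertNumber: 2, status: "open" },
];
const FROM_GITHUB: Vulnerability[] = [{ repo: "acme/api", source: "code_scanning", alertNumber: 9, status: "fixed" }];
const FETCHED: Listing[] = [{ repo: "acme/api", source: "code_scanning" }];
```

      With the sample data, the incremental sync leaves alert 7 open while the full sync marks it deleted, updates alert 9 to fixed, and leaves the unfetched acme/web listing alone.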

      Steps to Reproduce

      1. Integrate GitHub for Jira with Jira
      2. Sync repositories with alerts
      3. Delete a GitHub alert using the API
        1. https://docs.github.com/en/rest/code-scanning/code-scanning?apiVersion=2022-11-28#delete-a-code-scanning-analysis-from-a-repository
      4. Find the alert in the Security page

      Expected Results

      1. The vulnerability is not found

      Actual Results

      1. The vulnerability remains open

      Workaround

      Uninstall the GitHub for Jira app, then reinstall and re-integrate it. This is not tenable for all customers, as it also removes development data for every project in the site.

            Assignee:
            BorisGvozdev
            Reporter:
            Zhe Wang (Zee)
            Votes:
            11
            Watchers:
            32