Configuration

Nullify will create a new issue in Jira for each vulnerability it finds above the specified threshold. You will need to set your Jira Project Key and Issue Type in the .nullify.yml file.

The Project Key (project_key) is the key of the project in Jira. This is the same as the project key in the URL when you are in the project.

The Issue Type (issue_type) is the type of the issue that will be created by Nullify. The default value is "Task". You can find the possible issue types in the project settings -> Issues -> Types. (The URL should be of the form https://your-team.atlassian.net/plugins/servlet/project-config/YOUR-PROJECT-KEY/issuetypes)

You may choose to create a separate issue type for Nullify's findings. This is useful if you want to keep track of tickets opened by Nullify.

The following is a sample minimal .nullify.yml file for Jira integration.

integrations:
  jira:
    project_key: SCRUM
    issue_type: Task

Optional Configuration

Severity and Priority Threshold

By default, Nullify will create tickets with the same severity and priority thresholds as those reported in the dashboard. However, you can also set severity and priority thresholds specific to the Jira integration.

For example, you might want to include on the issues dashboard all vulnerabilities of severity MEDIUM or higher, but only create a ticket in Jira for vulnerabilities that are CRITICAL. Similarly, you might want to include on the issues dashboard all vulnerabilities of priority IMPORTANT or higher, but only create a ticket in Jira for vulnerabilities that are URGENT.

Example:

severity_threshold: MEDIUM
priority_threshold: IMPORTANT
integrations:
  jira:
    project_key: SCRUM
    issue_type: Task
    severity_threshold: CRITICAL
    priority_threshold: URGENT

On Fix

Nullify will close the ticket in Jira when the vulnerability is fixed. By default, the status of the ticket will transition to the last column (right-most column) on your board. To use a different status, set the on_fix_transition field to the status you want. The value is case insensitive. The status must already exist in the project.

Example:

integrations:
  jira:
    project_key: SCRUM
    issue_type: Task
    on_fix_transition: To Be Reviewed

Disable

You can set disabled to true if you wish to disable Jira ticket creation.

The typical use case is when Jira integration is set up in your global configuration file but you want to disable it for a specific repository, for example an internal tool or script that is not used in production.

integrations:
  jira:
    disabled: true

Another use case would be to disable automatic ticket creation but still have the project key and issue type defined for when you want to manually create tickets via the dashboard.
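
The options above can be checked before a .nullify.yml change is merged. The following is an added example, not part of Nullify: it resolves the effective Jira settings from a configuration already parsed into a dict and reports problems. The function names, the sample data and the project_statuses list (status names copied from the Jira project) are assumptions of this example.

```python
def effective_jira_settings(config):
    """Resolve the values the Jira integration ends up using."""
    jira = (config.get("integrations") or {}).get("jira") or {}
    settings = {
        "disabled": jira.get("disabled", False),
        "project_key": jira.get("project_key"),
        # The page states that "Task" is the default issue type.
        "issue_type": jira.get("issue_type", "Task"),
        "on_fix_transition": jira.get("on_fix_transition"),
    }
    # A Jira-specific threshold wins; otherwise the top-level (dashboard)
    # threshold applies. None means neither is set in this file.
    for key in ("severity_threshold", "priority_threshold"):
        settings[key] = jira.get(key, config.get(key))
    return settings


def check_jira_settings(config, project_statuses):
    """Return a list of problems; an empty list means the block looks usable."""
    s = effective_jira_settings(config)
    problems = []
    if not isinstance(s["disabled"], bool):
        problems.append("disabled must be true or false")
    if s["disabled"] is not True and not s["project_key"]:
        problems.append("project_key is required while ticket creation is enabled")
    target = s["on_fix_transition"]
    if target is not None:
        # Matching is case insensitive, but the status must already exist.
        known = {name.casefold() for name in project_statuses}
        if str(target).casefold() not in known:
            problems.append(f"on_fix_transition {target!r} is not a status in the project")
    return problems


# Constructed sample input: the page's examples combined, already parsed from YAML.
SAMPLE_CONFIG = {
    "severity_threshold": "MEDIUM",
    "priority_threshold": "IMPORTANT",
    "integrations": {"jira": {
        "project_key": "SCRUM", "issue_type": "Task",
        "severity_threshold": "CRITICAL", "on_fix_transition": "to be reviewed",
    }},
}
SAMPLE_STATUSES = ["To Do", "In Progress", "To Be Reviewed", "Done"]

if __name__ == "__main__":
    print(effective_jira_settings(SAMPLE_CONFIG))
    print(check_jira_settings(SAMPLE_CONFIG, SAMPLE_STATUSES))
```

In the sample, the Jira severity threshold resolves to CRITICAL while the priority threshold falls back to the top-level IMPORTANT, and the lower-case on_fix_transition still matches the "To Be Reviewed" status.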
