Skip to main content

Overview

ZeroPath integrates with Jira Cloud to push security findings as Jira issues and sync status changes back. When a Jira issue is resolved, the corresponding ZeroPath finding is automatically marked as resolved.

Setup

Both methods register a webhook in your Jira instance for bidirectional sync. OAuth connections automatically subscribe to all supported events. For API token connections, you will be prompted to manually create the webhook.

Webhook Events

The ZeroPath webhook uses the following Jira events:
EventRequiredPurpose
jira:issue_updatedYesSyncs issue status changes back to ZeroPath
comment_createdNoSyncs ticket comments for smarter triage
comment_updatedNoKeeps synced comments up to date
The comment events are optional but recommended. When enabled, ZeroPath uses ticket comments to intelligently classify closed tickets as Resolved, False Positive, or Accepted Risk instead of always defaulting to Resolved.

Manual Issue Export

From any finding in the ZeroPath dashboard:
  1. Click “Export to Jira” on the issue detail view.
  2. Select a Jira project, issue type (Bug, Story, Task, etc.), and optionally an epic and assignee. Epics are available for all issue types, not just Tasks.
  3. ZeroPath creates the Jira issue with full vulnerability details — title, description, affected file, severity, CVSS score, CWEs, code snippet, and patch link if available. For secrets findings, the code snippet is automatically redacted so that cleartext secret values are never written into Jira tickets.
If the selected issue type does not support a parent link (for example, Epics cannot have a parent in Jira’s hierarchy), ZeroPath automatically retries without the epic link so the issue is still created successfully. The Jira issue key is linked to the ZeroPath finding for bidirectional tracking.

Bulk Export

You can export multiple findings to Jira at once:
  1. Select the findings you want to export from the issues list.
  2. Choose “Export to Jira” from the bulk actions menu.
  3. Select a Jira project, issue type, and optionally an epic and assignee. You can select “None” to explicitly clear the epic selection.
  4. If a Jira template is configured, you can toggle “Use Jira Template” to apply it to all exported issues.
  5. ZeroPath creates Jira issues for all selected findings in batches. Code snippets for secrets findings are automatically redacted in all created tickets.
Findings that have already been exported to Jira are automatically skipped. After the export completes, you will see a summary showing how many issues were exported, skipped, or failed.

Automatic Ticketing

Configure automatic issue creation for new findings:
  1. Go to Settings → Integrations, select Jira from the sidebar, and open Auto-Ticketing.
  2. Set a score threshold — only findings above this score create Jira tickets.
  3. Choose which scan types trigger tickets (Full Scan, PR Scan, SCA, etc.).
  4. Select the Jira project and issue type.
  5. Optionally select an epic to group auto-created tickets under. If a previously configured epic is no longer available in Jira, a warning is displayed so you can select a new one or clear the selection.
  6. Optionally configure auto-assignment, custom templates, and scope (all repos, specific repos, or repos matching specific tags).
Code snippets for secrets findings are automatically redacted in all auto-created tickets, so cleartext secret values are never written into Jira.

SLA Due Dates

Enable Set due date from SLA to stamp each created ticket with the finding’s remediation deadline as the Jira due date — the earliest breach date across every SLA policy that covers the issue. This applies to both auto-created and manually exported tickets. If no SLA policy covers the finding, no due date is set.
The due date requires the selected issue type to expose a Due date field on its create screen. If it does not, ZeroPath warns you when saving the configuration and still creates tickets (without a due date). If Jira later rejects the due date for an individual ticket, ZeroPath retries without it so the ticket is still created.

Custom Templates

Auto-ticketing supports customizable title and description templates with variables:
  • {{severity}}, {{issueTitle}}, {{repositoryName}}, {{affectedFile}}, {{vulnClass}}, and more.
  • Custom Jira fields can be mapped to ZeroPath finding data or static values.

Bidirectional Sync

When a Jira issue’s status changes to Done, Resolved, Closed, or Completed, ZeroPath automatically:
  • Analyzes ticket comments to determine the appropriate status — Resolved, False Positive, or Accepted Risk
  • If no comments are present or comment events are not enabled, the finding defaults to Resolved
  • If comments are present but the intent cannot be determined with confidence, the status change is skipped rather than defaulting to Resolved, preventing incorrect triage
  • Records who made the change and when
  • Logs the state transition in the finding’s audit trail
ZeroPath selects the correct Jira workflow transition based on the target status. When marking a finding as Resolved, ZeroPath picks a completion transition (such as “Done”) and avoids cancellation-style transitions like “Won’t Do”. When marking a finding as False Positive or Accepted Risk, ZeroPath prefers a cancellation-style transition if one is available. This ensures your Jira workflow states accurately reflect the triage decision. When you change the status of multiple findings at once (for example, marking many issues as false positive), ZeroPath syncs each update to Jira with controlled concurrency to stay within Jira Cloud rate limits. If an individual ticket update fails, the remaining updates continue — partial failures are logged without blocking the bulk action. This sync is powered by a webhook registered in your Jira instance during setup.
Jira Cloud webhooks expire after 30 days. If sync stops working, reconnect the integration from Settings → Integrations to refresh the webhook. When you reconnect, ZeroPath automatically removes any stale webhooks with outdated secrets before creating a new one.

Confluence Access

The Jira integration also provides access to Confluence, since both products share the same Atlassian OAuth token. When Confluence is enabled, the AI AppSec Assistant can search and read your Confluence pages for security documentation, architecture context, and runbooks.

Enabling Confluence

  1. Connect Jira using either the OAuth or API Token method described above.
  2. Once Jira is connected, a Confluence option appears in the integrations page. You can enable it directly from the Add Integration dialog with a single click — no additional authentication is required.
  3. Alternatively, select Confluence from the integrations sidebar and toggle Confluence Access on.
No additional authentication is required — Confluence reuses your existing Atlassian OAuth token.

Disabling Confluence

To disable Confluence access, select Confluence from the integrations sidebar and toggle Confluence Access off. This does not affect your Jira integration.

Troubleshooting

Ensure the integration is connected in Settings → Integrations.
Check if the Jira webhook has expired (30-day limit). Reconnect the integration to refresh it. Also verify the Jira issue key matches a ZeroPath finding (the link is created during export).
Check that the selected project and issue type exist in your Jira instance. Ensure required Jira fields are configured in the auto-ticketing settings.