Multi-project ticket synchronization
Background

The teams who need to rotate the secret don't have access to TruffleHog, or don't have access to the Jira project TruffleHog is creating the ticket in.

- TruffleHog detects a secret → creates a Jira ticket via integration.
- The integration is configured to create tickets in a specific Jira project (e.g. security inc).
- The real work needs to happen in other teams' Jira projects (e.g. eng, devops, infra).

What is needed

- The master ticket in security inc (so TruffleHog can continue to sync updates, status, findings, metadata, enrichment, etc.).
- Child or linked tickets in the correct downstream Jira projects where remediation will occur.

Recommended solution

1️⃣ Use TruffleHog integration as master ticket creator only

- Continue to have TruffleHog create the initial ticket in the security inc Jira project.
- This ticket becomes your "canonical record" for the secret finding.
- TruffleHog can continue to update this master ticket if additional information or updates come in.

2️⃣ Use automation to spawn sub-tickets in target projects

- Use Jira Automation rules (native Jira Cloud feature) or webhook triggers to automatically create sub-tasks or linked issues in the appropriate Jira projects when a new master ticket is created.
- You can design automation rules like: when issue created in security inc project with label live secret → create linked issue in eng project.
- You can pass fields like summary, description, affected repository, file path, secret type, etc. into the new linked ticket.
- Set up a "blocked by / blocks / relates to" link between the master and child tickets.

3️⃣ Maintain sync from TruffleHog to master ticket only

- Let TruffleHog continue syncing updates into the master ticket.
- Do not try to sync TruffleHog directly into the downstream tickets; that becomes extremely fragile.
- The downstream teams work off their tickets, and as they update the status, you can use Jira Automation to roll status back up to the master ticket if needed (e.g. all sub-tasks resolved → mark master as resolved but do not close it; TruffleHog will close the master ticket once we see it's no longer live).

4️⃣ (Optional) Use custom Jira fields for tracking

Add fields like:

- Downstream ticket links
- Owning team
- Remediation target date

This helps reporting and tracking for security teams without polluting the downstream project workflows.
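For teams that choose the webhook route in steps 2 and 3 instead of native Jira Automation rules, the fan-out and roll-up decisions look like this. This is an added example, not TruffleHog or Atlassian code; the project keys, label names, routing map and "finished" status names are assumptions, and the functions only build Jira REST request bodies without sending them.

```python
MASTER_PROJECT = "SECINC"      # assumed key of the master project
TRIGGER_LABEL = "live-secret"  # assumed label on master tickets
ROUTES = {"team-eng": "ENG", "team-devops": "DEVOPS"}  # assumed label -> project
DONE = {"Resolved", "Done", "Closed"}  # assumed downstream "finished" statuses

def plan_fanout(event):
    """Map a Jira issue-created webhook body to REST calls (nothing is sent)."""
    issue = event.get("issue", {})
    fields = issue.get("fields", {})
    labels = fields.get("labels") or []
    if event.get("webhookEvent") != "jira:issue_created":
        return []
    # Only the master project fans out, so child tickets never spawn children.
    if fields.get("project", {}).get("key") != MASTER_PROJECT:
        return []
    if TRIGGER_LABEL not in labels:
        return []
    calls = []
    for label in sorted(l for l in set(labels) if l in ROUTES):
        calls.append(("POST", "/rest/api/2/issue", {"fields": {
            "project": {"key": ROUTES[label]},
            "issuetype": {"name": "Task"},
            "summary": f"[{issue['key']}] {fields.get('summary', '')}",
            "description": fields.get("description") or "",
            "labels": [TRIGGER_LABEL],
        }}))
    return calls

def link_call(master_key, child_key):
    """'Relates' link between master and child (symmetric, so order is moot)."""
    return ("POST", "/rest/api/2/issueLink", {
        "type": {"name": "Relates"},
        "inwardIssue": {"key": master_key},
        "outwardIssue": {"key": child_key},
    })

def rollup_status(master_status, child_statuses):
    """Status to move the master to, or None. Never returns 'Closed'."""
    if master_status in ("Resolved", "Closed") or not child_statuses:
        return None
    return "Resolved" if all(s in DONE for s in child_statuses) else None

# Constructed sample webhook body, trimmed to the fields used above.
SAMPLE_EVENT = {"webhookEvent": "jira:issue_created", "issue": {
    "key": "SECINC-101", "fields": {
        "project": {"key": "SECINC"}, "summary": "Live AWS key in payments-api",
        "description": "Repo: payments-api, file: config/settings.py",
        "labels": ["live-secret", "team-eng", "team-devops"]}}}
```

The service account that sends these requests needs create and link permissions in each downstream project, and the description it copies should carry the finding's location rather than the secret value itself.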