Scanning Comments
By default, Security for Confluence scans the following kinds of comments:
Top-level comments (also known as footer comments) on pages and blog posts
Inline comments on pages and blog posts
Comments on attachments
If you’ve upgraded Security for Confluence from a version prior to 3.2.0, you will need to enable comment scanning by following the steps below.
Enabling and disabling comment scanning
You can enable or disable comment scanning by navigating to the settings page and toggling the “Scan Comments” setting.

Changing the “Scan Comments” setting causes existing scans to be treated as having outdated settings. Re-scanning resolves this.
Removing secrets in comments
Confluence keeps previous versions of comments, and even though they are not viewable in the UI, they are still accessible via the REST API. Additionally, unlike pages, blog posts, and attachments, Confluence does not let you delete individual versions of comments. Thus, the only way to fully remove a secret in a comment is to delete the entire comment.
This is particularly confusing for scan findings in historical comment versions, because the only link Security for Confluence can provide is to the latest version of the comment. Accordingly, in the Security Analysis, findings for historical versions of comments have an extra informational tooltip stating that findings in historical comment versions can only be removed by deleting the entire comment.
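The following is an added example, not Security for Confluence's own code, of the situation described above: it scans every stored version of one comment and reports when a secret survives only in historical versions, where a link to the latest version shows nothing. The detection regexes, the shape of the version list and the sample comment are constructed assumptions.

```python
import re

# Illustrative detection rules (assumptions; not Security for Confluence's own rules).
RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-header": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
}

# Constructed sample: one comment's version history, oldest first. The dict shape
# is hypothetical; populate it from however you export comment versions.
SAMPLE_VERSIONS = [
    {"number": 1, "body": "<p>Use key AKIAIOSFODNN7EXAMPLE for the deploy job.</p>"},
    {"number": 2, "body": "<p>Use key AKIAIOSFODNN7EXAMPLE (rotating soon).</p>"},
    {"number": 3, "body": "<p>Key moved to the vault, ask ops for access.</p>"},
]


def audit_comment_versions(versions, rules=RULES):
    """Scan every stored version of one comment and classify the result."""
    if not versions:
        return {"findings": [], "hidden_from_ui": False, "action": "none"}
    latest = max(v["number"] for v in versions)
    findings = []
    for version in sorted(versions, key=lambda v: v["number"]):
        for rule_name, pattern in rules.items():
            if pattern.search(version["body"]):
                findings.append({
                    "version": version["number"],
                    "rule": rule_name,
                    "historical": version["number"] != latest,
                })
    # True when the secret exists only in old versions, so a link to the latest
    # version of the comment shows nothing suspicious.
    hidden = bool(findings) and all(f["historical"] for f in findings)
    # Editing only adds a new version; the old ones stay retrievable, so any
    # finding means the whole comment has to be deleted.
    action = "delete-comment" if findings else "none"
    return {"findings": findings, "hidden_from_ui": hidden, "action": action}


if __name__ == "__main__":
    report = audit_comment_versions(SAMPLE_VERSIONS)
    for f in report["findings"]:
        where = "historical" if f["historical"] else "latest"
        print(f"v{f['version']} ({where}): {f['rule']}")
    print("hidden from UI:", report["hidden_from_ui"], "| action:", report["action"])
```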
