What content can Security for Jira scan?
Currently, Security for Jira scans issue descriptions.
Note that comments, attachments, issue summaries (titles), and custom fields are not yet scanned.
Permissions
Due to Jira Cloud’s permissions model, Security for Jira can only scan pages which it has permission to read. By default, Security for Jira has read permissions for all projects.
This means:
If Security for Jira’s read permissions for a project are explicitly removed, that project can no longer be scanned.
If viewing of an issue is restricted such that Security for Jira cannot view it, the issue will not be scanned when a project scan is run, nor will it be selectable in the Scan Report.
If a project scan has findings but the issue is then restricted, the Security for Jira scan report will not be able to display the finding. Security for Jira does not store any potentially sensitive content.