Exporting Findings
Security for Jira allows users to export CSV files containing findings in the projects for which they have administration privileges or, if they have been granted explicit app access, viewing privileges. This can be done when viewing a project’s Security Analysis by clicking the Export Project dropdown at the top.
There are three options, all of which are in CSV format:
A Findings export contains information about all findings, including both reviewed and un-reviewed findings.
A Reviewed False Positives export contains reviewed false positives, including who reviewed them and when they were reviewed. Reviewed false positives are scoped per-project and apply to all future and past findings in the project that match exactly.
A Scanned attachment information export contains information about scanned files attached to issues. See Scanning files attached to issues for more information.
You can also export findings for a particular project, or for all projects you can administer, using the REST API.
Exporting, both from the Security Analysis page and from the REST API, is an audited event.
Redacting findings in exported reports
If you want to keep the full text of findings from appearing in exported reports, you can disable the Include full finding text in exported reports setting in the plugin settings page.
Disabling this option will remove the Text column from CSV exports, and will add two URL columns:
A link to the issue (focusing on the comment if the finding is in a comment)
A link to the Security Analysis of the issue
Deduplicate findings in exports
If you want to show every finding occurrence in your export reports, you can disable the Deduplicate findings in exports setting. Otherwise, findings will be presented once for every issue, comment, or attachment they’re discovered in, even if they are discovered more than once in the history of that issue, comment, or attachment. This behavior presents an export similar to the layout of the Security Analysis page.