Nexus IQ for Jira Plugin

IQ Server | Reading time: 5 minutes

Is this article helpful?

Easily automate Jira issues for policy violations

Jira is an issue-tracking tool that’s mainly used by software developers to track, organize, and prioritize bugs, new features, and improvements for their software applications. Jira is extremely popular (according to Atlassian, it’s used by over 125,000 teams around the globe), and is a logical integration point in the Nexus Platform to help teams build security fixes into their software development lifecycle (SDLC).

Our IQ Jira plugin puts remediation right in the development workflow—letting you easily get violations in front of the people who can fix them. The IQ Jira plugin lets you automatically create Jira tickets for violations found in your applications, within the Jira projects associated with those applications. This provides an instinctive way to communicate policy violations for development teams that are already using Jira for feature development and bug reporting.

Ensuring Quality

Surviving in the digital economy means developing your applications faster, while still ensuring quality and security. Automation is a major key that will help you achieve these goals.

According to the Stackify article, “What is DevSecOps? How to Automate Security Testing,” DevOps is meant to provide development teams more ownership in deploying and monitoring their applications. One way to accomplish a DevOps development lifecycle is through automation—which helps teams move faster and ship higher-quality products.

Adding security to this same automation is at the heart of the DevSecOps movement. Companies want to create strong security policies and standards without slowing down the development process. The Nexus IQ Jira Plugin is the next generation of Jira integration for the IQ Server that lets you automate the creation of Jira tickets for policy violations, allowing your development teams to focus on application security. The plugin uses an IQ Server webhook violation event to trigger the creation of tickets whenever a new policy violation occurs:

example Jira ticket caused by a policy violation

In the article by Mathieu Buisson, “Where to start your automation efforts? An analogy for IT infrastructure folks,” he asserts that Lean software development (and all the stuff that came from it, like Agile) originated from applying principles of Lean manufacturing (pioneered by Toyota) to the software industry. An easy way to visualize this is by comparing your company’s software delivery pipeline with that of a manufacturing assembly line. Automating Jira issues for policy violations is a pivotal step in the pipeline because it lets you automatically transport a continuous flow of tickets for policy violations directly to the developers who can fix them, and secure your applications.

“Automating the creation of workable tickets that can be prioritized, developed, and resolved in a workflow that matches the way development teams already work greatly reduces overhead experienced by delivery teams when it comes to addressing security and licensing issues.”

- A.J. Brown, Nexus Integrations Product Owner

This Jira Plugin significantly improves the usefulness of the legacy IQ Server Jira Integration by focusing on creating Jira issues at the right place and right time. When deciding how to improve the Jira and Lifecycle integration, the Nexus Integrations team focused on the following objectives — (1) creating the ticket in the right application, and (2) making the tickets more workable by automatically creating a ticket per component.

Workflow Example

Integrating your software development pipeline with the IQ Jira plugin lets your team detect issues earlier and remediate faster, which means they will deliver a secure product, and management will see improved return on investment (ROI) for their IQ Server instance.

Looking at these main benefits, we’ll walk through an example workflow that shows how you can easily implement the IQ Jira plugin in your organization to take advantage of remediating faster and delivering secure applications:

Figure 1: Graphic of an example workflow with eight stages. The steps are Install, Configure, Kick off a Build, Violations Found, Ticket Created, Investigate Fixes, Upgrade & Test, and Move to Done. Initial image by Freepik.

This example workflow shows how easy it is to automate policy violation fixes into your development cycle. This ensures that your applications are secure, without interrupting how your work is done.

Get started - download the plugin today

Using the combination of webhooks and a native plug, the IQ Server only needs to understand the IQ server domain, and then the IQ Jira plugin is left to understand the Jira domain. You can be up-and-running with the IQ Jira plugin in just a few simple steps:

  1. Install the plugin from the Atlassian Marketplace (IQ Jira Plugin).
  2. After installation, navigate to your project in Jira, select the Project Settings, and then click on the Nexus IQ menu option. Jira plugin configuration screen
  3. Your Jira project can be mapped to one or more of your IQ Server organizations and/or applications. When a new policy violation occurs, a new Jira issue gets created. Configure your Jira project to IQ mapping and then specify ticket creation settings. Jira project settings screen for IQ Server mapping
  4. IQ Server tells Jira when policy violations occur through webhooks. In the IQ Server, you need to create a new webhook and then configure your policies to send violations through that webhook. IQ Server webhook configuration screen

That’s it! Now that you’ve configured your policy to be sent through the webhook when a violation occurs against the policy, it will be included in the event that’s sent to Jira. The webhook event tells Jira that it needs to create a new ticket, or update an existing ticket, for the application and project that you mapped to.

Talk to Us

Have more questions or comments? Learn more at, join us in the Sonatype Community, and view our course catalog at

And visit for all things Sonatype.