SaaS

Query Atlassian Cloud with cnspec

Query Atlassian Cloud Jira, Confluence, Admin, and SCIM with cnspec.

Query and explore your Atlassian Cloud resources with cnspec, including Jira projects and issues, Confluence spaces, Admin organization settings, and SCIM user provisioning. Use the Atlassian provider inside your own policies to enforce checks against Jira, Confluence, or directory data.

If you're new to cnspec, start with the Quickstart. For an overview of every SaaS service cnspec can scan, see the SaaS scanning overview.

Prerequisites

To query Atlassian Cloud with cnspec, you must have:

Authenticate

The Atlassian provider supports four products, each with its own authentication. You only need to configure the products you want to query.

Jira

Provide your Atlassian site host, email address, and API token:

cnspec shell atlassian jira --host https://example.atlassian.net --user your@email.com --user-token YOUR_USER_TOKEN
FlagValue
--hostYour Atlassian site URL (such as https://yoursite.atlassian.net)
--userThe email address for your Atlassian account
--user-tokenYour Atlassian API token

You can also set these environment variables instead of passing flags:

  • ATLASSIAN_HOST
  • ATLASSIAN_USER
  • ATLASSIAN_USER_TOKEN

Confluence

Confluence uses the same authentication as Jira:

cnspec shell atlassian confluence --host https://example.atlassian.net --user your@email.com --user-token YOUR_USER_TOKEN

Atlassian Admin

To query Atlassian Admin (organization-level settings), you need an admin API token. To learn how to create one, read Manage an organization with the admin APIs in the Atlassian documentation.

cnspec shell atlassian admin --admin-token YOUR_ADMIN_TOKEN

You can also set the ATLASSIAN_ADMIN_TOKEN environment variable.

SCIM

To query SCIM (user provisioning through an identity provider), provide your directory ID and SCIM token:

cnspec shell atlassian scim DIRECTORY_ID --scim-token YOUR_SCIM_TOKEN

Scan with the Mondoo Atlassian Security policy

Mondoo maintains an out of the box Atlassian Security policy that detects high and critical misconfigurations across Atlassian Cloud. Checks are organized by connection type:

  • Atlassian Admin: organization-wide controls including IP allowlists, verified domains, dormant managed users, and stale API tokens.
  • Atlassian Jira: project permission schemes that grant access to unauthenticated callers.
  • Atlassian Confluence: spaces that expose content to anonymous or unlicensed users.

Mondoo Platform users: Enable the policy in your space. In the Mondoo App, go to Findings > Policies, search for "Atlassian", and add the policy. All future scans of your Atlassian environment automatically evaluate against it. To learn more, read Manage policies in Mondoo Platform.

Open source users: Pass the policy bundle URL directly to cnspec. Each connection type evaluates the checks that apply to it, so run the scan against the products you want to assess:

cnspec scan atlassian admin --admin-token YOUR_ADMIN_TOKEN \
  --policy-bundle https://raw.githubusercontent.com/mondoohq/cnspec/refs/heads/main/content/mondoo-atlassian-security.mql.yaml

cnspec scan atlassian jira --host https://example.atlassian.net --user your@email.com --user-token YOUR_USER_TOKEN \
  --policy-bundle https://raw.githubusercontent.com/mondoohq/cnspec/refs/heads/main/content/mondoo-atlassian-security.mql.yaml

You can also write your own policy against the Atlassian resources cnspec exposes to meet your specific requirements.

Explore your Atlassian environment

Jira

List all projects:

cnspec> atlassian.jira.projects
atlassian.jira.projects: [
  0: atlassian.jira.project name="Engineering"
  1: atlassian.jira.project name="Support"
  ...
]

Retrieve project details:

cnspec> atlassian.jira.projects[0] { name key archived private }

List users and their account types:

cnspec> atlassian.jira.users { name type }

List issues with their status:

cnspec> atlassian.jira.issues { id status project typeName }

List groups:

cnspec> atlassian.jira.groups

Retrieve server information:

cnspec> atlassian.jira.serverInfo { baseUrl serverTitle deploymentType }

Confluence

List users:

cnspec> atlassian.confluence.users

Admin

Retrieve organization details:

cnspec> atlassian.admin.organization { name type }

List domains:

cnspec> atlassian.admin.organization.domains { name type }

List managed users:

cnspec> atlassian.admin.organization.managedUsers { name email status lastActive }

List organization policies:

cnspec> atlassian.admin.organization.policies { name policyType status }

SCIM

List SCIM-provisioned users:

cnspec> atlassian.scim.users { name displayName title organization }

List SCIM groups:

cnspec> atlassian.scim.groups

Learn more

On this page