Secret Sentinel

Secret Sentinel automatically detects and removes leaked passwords, API keys, and tokens in Confluence and Jira and instantly creates security incidents in Jira to ensure credentials are rotated fast.

Comment

Inspiration

Inspiration

Most security incidents do not start with attackers. They start with accidental exposure.

Secrets are frequently shared in internal documentation or work items by software teams during incident response, onboarding, or debugging. Once exposed, these secrets are hard to fully contain.

Secret Sentinel was built to address this exact problem at the source.

What it does

What it does

Secret Sentinel continuously monitors content across Atlassian products and automatically remediates exposed secrets.

Supported content:

  • Confluence pages, blog posts, and comments
  • Jira work item titles, descriptions, and comments

When a secret is detected:

  • the value is redacted immediately
  • the secret itself is never persisted
  • optional Jira security work items are created to track remediation

The system operates automatically and requires no user intervention.

This allows software teams to stay focused on delivery while security enforcement happens automatically in the background.

Why it matters

Why it matters

Manual security processes do not scale.

Secret Sentinel reduces risk by:

  • minimizing secret exposure time
  • preventing propagation across systems
  • integrating remediation directly into existing Jira workflows

This shifts security from a reactive process to a built-in platform capability.

How we built it

How we built it

Secret Sentinel is implemented entirely on Atlassian Forge and runs within Atlassian Cloud boundaries.

Architecture highlights:

  • Event-driven automation using Forge triggers for Confluence and Jira
  • A unified secret detection engine reused across all content types
  • Format-safe redaction for both Confluence Storage and Jira ADF
  • Configurable Jira escalation with project, work item type, priority, assignee, and severity controls
  • Secure configuration storage using Forge KVS
  • Intentionally minimal dependency surface to reduce attack vectors:
    • Backend: @forge/api, @forge/events, @forge/kvs
    • Frontend: @forge/bridge, @forge/react, and react
  • No external APIs, no third-party processing, and no data leaving Atlassian Cloud

Challenges we faced

Challenges we faced

  • Preserving document integrity while modifying rich content formats
  • Ensuring idempotent processing and avoiding update loops
  • Designing safe redaction that never leaks original secret values
  • Maintaining strict separation of configuration scopes between products
  • Delivering a usable admin experience within Forge UI constraints

Accomplishments that we're proud of

  • End to end automated remediation across Confluence and Jira
  • Secure handling of sensitive data with zero persistence of secrets
  • Platform-native cross-product workflows aligned with Atlassian best practices
  • Marketplace-ready architecture built fully on Forge
  • Delivered as a complete solo project within the hackathon timeframe

What we learned

  • Preventative security tooling is more effective than reactive audits
  • Platform-native solutions gain faster trust and adoption
  • Forge enables serious security automation when used correctly
  • Security tools live or die by clarity of configuration and UX

What's next for Secret Sentinel

What's next

Planned improvements include:

  • Granular configuration by space and project
  • Expanded detection rules and policy customization
  • Audit trails and compliance reporting
  • Integration with security and incident management tooling
  • Public release on the Atlassian Marketplace

The goal is to make secret exposure an automatically resolved event, not a security incident.

Built With

Share this project:

Updates