This MCP server handles Atlassian API tokens. The following measures are in place:

- Tokens are never logged: the `sanitizeError` function redacts tokens from all error messages.
- Tokens are never written to files: configuration is read from environment variables only.
- Scope enforcement: the server blocks API calls outside the configured scopes before they reach Atlassian.
- Delete safety guard: `jira_delete_issue` requires an explicit `confirm: true` parameter.
- Read-only by default: if `JIRA_SCOPES` is not set, only read tools are available.
- Pre-commit hook: the repo includes a git hook (`.git/hooks/pre-commit`) that blocks commits containing token patterns (ATATT tokens, Bearer values, hardcoded `JIRA_API_TOKEN` assignments). The only allowlisted dummy values are the exact strings `'token'` and `'secret'`, used in test fixtures; any other value will block the commit. Because git does not track `.git/hooks/`, confirm the hook is present and executable in each fresh clone.
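As an added example (not the project's own code), here is how these guards fit together in plain Node.js: one set of token patterns feeds both an error sanitizer and the staged-text scan a pre-commit hook would run, and a scope gate in front of every tool call implements read-only by default and the `confirm: true` requirement. The regexes, the `JIRA_EMAIL` variable, the comma-separated `JIRA_SCOPES` format, the scope labels and every tool name other than `jira_delete_issue` are assumptions; the sample token and fixture text are constructed.

```javascript
// Added example, not mcp-jira-scoped's own code: the token guards listed above,
// reimplemented in plain Node.js so they run offline. Regexes, JIRA_EMAIL, the
// JIRA_SCOPES format, scope labels and all tool names but jira_delete_issue are assumptions.
const REDACTED = "[REDACTED]";

// Token shapes shared by sanitizer and scanner; each captures the secret in group `value`.
const TOKEN_PATTERNS = [
  // Atlassian API tokens start with ATATT (the minimum length is an assumption).
  { name: "atlassian-api-token", re: /(?<value>ATATT[A-Za-z0-9_\-=]{16,})/g },
  // Authorization header values: "Bearer <token>" or "Basic <base64(email:token)>".
  { name: "authorization-header", re: /\b(?:Bearer|Basic)\s+(?<value>[A-Za-z0-9+\/._\-=]{5,})/g },
  // Hardcoded assignment, quoted or bare: JIRA_API_TOKEN=..., JIRA_API_TOKEN: "...".
  { name: "jira-api-token-assignment", re: /JIRA_API_TOKEN\s*[=:]\s*(?<q>['"]?)(?<value>[^'"\s]+)\k<q>/g },
];
// The only dummy values permitted, exactly as written, in test fixtures.
const ALLOWLIST = new Set(["token", "secret"]);

// Replace the captured value inside one match unless it is an allowlisted dummy.
function redactMatch(match, groups) {
  return ALLOWLIST.has(groups.value) ? match : match.replace(groups.value, REDACTED);
}

// Literal secrets to strip: the configured token and, because Jira Cloud uses
// Basic auth, the base64 of "email:token" that HTTP clients echo in errors.
function knownSecretsFromEnv(env) {
  const token = env.JIRA_API_TOKEN;
  if (!token) return [];
  const secrets = [token];
  if (env.JIRA_EMAIL) secrets.push(Buffer.from(`${env.JIRA_EMAIL}:${token}`).toString("base64"));
  return secrets;
}

// Error sanitizer: known secrets first, then anything that still looks like a token.
function sanitizeError(err, knownSecrets = []) {
  let text = err instanceof Error ? err.stack || err.message : String(err);
  for (const secret of knownSecrets) {
    if (secret) text = text.split(secret).join(REDACTED);
  }
  for (const { re } of TOKEN_PATTERNS) {
    text = text.replace(re, (...args) => redactMatch(args[0], args[args.length - 1]));
  }
  return text;
}

// Pre-commit scanner: one finding per line and non-allowlisted value; any finding blocks the commit.
function scanStagedText(filename, text) {
  const findings = [], seen = new Set();
  text.split("\n").forEach((line, index) => {
    for (const { name, re } of TOKEN_PATTERNS) {
      for (const m of line.matchAll(re)) {
        const key = `${index}:${m.groups.value}`;
        if (ALLOWLIST.has(m.groups.value) || seen.has(key)) continue;
        seen.add(key);
        findings.push({ file: filename, line: index + 1, pattern: name });
      }
    }
  });
  return findings;
}

// Tool table: jira_delete_issue is from the page; other names and scope labels are placeholders.
const TOOLS = {
  jira_get_issue: { scope: "read" },
  jira_search: { scope: "read" },
  jira_create_issue: { scope: "write" },
  jira_delete_issue: { scope: "delete", requiresConfirm: true },
};

// Read-only by default: with JIRA_SCOPES unset or empty, only "read" is granted.
function configuredScopes(env) {
  const raw = (env.JIRA_SCOPES || "").trim();
  return new Set(raw ? raw.split(/[,\s]+/).filter(Boolean) : ["read"]);
}

function availableTools(env) {
  const scopes = configuredScopes(env);
  return Object.keys(TOOLS).filter((name) => scopes.has(TOOLS[name].scope));
}

// Gate evaluated before any HTTP request is built, so a denied call never reaches Atlassian.
// `confirm` must be the JSON boolean true: the string "true" or the number 1 does not count.
function authorizeCall(toolName, args, env) {
  const tool = TOOLS[toolName];
  if (!tool) return { ok: false, reason: `unknown tool ${toolName}` };
  if (!configuredScopes(env).has(tool.scope)) {
    return { ok: false, reason: `${toolName} needs scope "${tool.scope}", which JIRA_SCOPES does not grant` };
  }
  if (tool.requiresConfirm && (args || {}).confirm !== true) {
    return { ok: false, reason: `${toolName} requires confirm: true` };
  }
  return { ok: true };
}

// Constructed demo input; the token is not a real credential.
const demoEnv = { JIRA_EMAIL: "dev@example.com", JIRA_API_TOKEN: "ATATT3xFfGF0examplexample1234567890", JIRA_SCOPES: "read,write" };
console.log(sanitizeError(new Error(`401 (Authorization: Basic ${knownSecretsFromEnv(demoEnv)[1]})`), knownSecretsFromEnv(demoEnv)));
console.log(availableTools({}), authorizeCall("jira_delete_issue", { key: "PROJ-1" }, demoEnv));
console.log(scanStagedText("fixture.js", `const real = "${demoEnv.JIRA_API_TOKEN}";\nconst dummy = "token";`));
```

Two points the list leaves implicit and the example makes explicit: Jira Cloud requests carry the API token base64-encoded inside a `Basic` Authorization header, so an error that echoes request headers leaks it even though no ATATT string appears, which is why the sanitizer strips the known token and its `email:token` base64 form before pattern matching; and the delete guard compares against the JSON boolean `true`, so a `"confirm": "true"` string from a model is rejected.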
If you discover a security vulnerability in this project, please do not open a public issue.
Instead, please report it privately:
- Email the maintainer directly, or
- Use GitHub Security Advisories to report privately
We will respond within 48 hours and work with you to understand and address the issue.
| Version | Supported |
|---|---|
| 1.x | Yes |
This policy covers the mcp-jira-scoped npm package and the source code in this repository. It does not cover Atlassian's APIs or infrastructure.