I am new to Atlassian Plugin development and I have a question regarding Ngrok.
I was following the below official documentation steps from Atlassian for setting up the development environment for Jira Cloud Plugin development -
As suggested in the documentation step 1, I was trying to configure ngrok. One of the IP address from ngrok got flagged by Virus Total. 9 security vendors flagged this IP address as malicious.
Since I am working from a corporate network, it doesn’t seem safe to use.
Is it false positive? is Ngrok safe to use and can be trusted?
Please suggest if there is any alternative to Ngrok. What is the recommended approach for app installation/debugging from dev env?
Yes. But first let’s look closer at your next question…
Let’s first explain what ngrok is. I’ll start with their own definition:
ngrok is a simplified API-first ingress-as-a-service that adds connectivity, security, and observability to your apps in one line
What this does for Forge is to allow code running on your computer, behind a firewall, to receive HTTP requests made from Atlassian infrastructure. Those HTTP requests are forwarded through the ngrok service running on the Internet, to a command that you run on your machine. When you’re running the command, both the “security and observability” aspects are in your control, making it safe and trustworthy.
However, the “connectivity” feature of ngrok is the thing that makes it potentially dangerous. Generally, ngrok can be used by malicious parties for malware infrastructure. I couldn’t find anything published by VirtusTotal, but their peers at TrendMicro report about a specific way in which ngrok was used in a malicious attack.
My interpretation is that ngrok is safe when you run and control it. But, as a potential vector in some kinds of attacks it would be fair to “flag” it as a potential risk, even if as a false positive. It would be dangerous if you already had lots of ngrok running and you were not in control.
Since the opinion of Atlassian is that ngrok is safe (when used correctly), that is the recommended solution.
However, unrelated to the safety issue, you can find some reliability problems around this community related to the dependency on ngrok (which also depend on Docker and a whole chain of complicated networking that causes some people to lose connections in a disruptive way). For those reasons, and for cleaner compatibility with Node.js libraries, the Forge team is building a native Node.js runtime (also known as Runtime V2) with no dependencies on Docker or ngrok. If you still aren’t comfortable with the recommended option of ngrok, this early access feature might be an alternative for you.
Post-script: Oops! I just realized you were asking about Atlassian Connect, not Forge. The ngrok opinion still applies but the alternatives to ngrok are different.
We have a proxy host, which is exposed to the internet, and we this address to register our app.
From our local machines we open a ssh tunnel we control to the proxy host. This allows us to not use ngrok, and to control the IP addresses.
