Stumbling block, when to sync vulnerability data when integrating an app using the jiraSecurityInfoProvider?

We’re building an app to integrate vulnerability scan information for our customers who use Jira. We’re attempting to use the jiraSecurityInfoProvider to allow them to select their containers, add them to their project, and then receive vulnerability information.

We’ve successfully integrated actions like fetchWorkspaces, fetchContainers, and searchContainers. Where we are having trouble is when a Jira users associates a container with their project, as far as we can tell, the API doesn’t send us any indication that the container has been associated with the project, so we don’t know WHEN to send the vulnerability data, or for which project or container.

Are we missing some detail about a webhook that notifies our application when a container is associated? How do the existing security integrations know that a container has been associated and trigger the syncing of vulnerability data?

Thanks for any help or direction you can provie.

Hey @RichardBliss have you figured this one out yet? Having some of the same questions.

I get that we will probably have to create a second module within the app that calls out to our own API and then does https://developer.atlassian.com/cloud/jira/software/rest/api-group-security-information/#api-rest-security-1-0-bulk-post on a timer basis, but having the first hit be an immediate one, based on an event handler, would obviously be preferable.

Unfortunately no. We ended up adding a field during set up to specify the project to show vulnerabilities in. Would love to find out how others are doing this.