VNX-SEC-041 – Atlassian API Token
Overview
This rule detects Atlassian Cloud API tokens matching the ATATT3[A-Za-z0-9_\-=]{186} pattern. These tokens grant API access to Jira, Confluence, Bitbucket Cloud, and other Atlassian Cloud products using the account of the issuing user.
Severity: Critical | CWE: CWE-798 – Use of Hard-coded Credentials
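The detection described in the Overview, as an added example (not the scanner's own implementation). It applies the rule's pattern line by line and reports redacted findings. The function names and the sample input are assumptions, and the token bodies are constructed filler, not real credentials.

```python
import re

# Pattern exactly as stated in the rule overview (unanchored).
ATLASSIAN_TOKEN = re.compile(r"ATATT3[A-Za-z0-9_\-=]{186}")


def redact(token, keep=4):
    """Keep the fixed prefix plus a few characters so findings can be
    correlated without writing the secret into scanner output."""
    return token[: 6 + keep] + "..." + f"[{len(token)} chars]"


def scan_text(text, path="<memory>"):
    """Return one finding per match: path, 1-based line/column, redacted value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ATLASSIAN_TOKEN.finditer(line):
            findings.append({
                "rule": "VNX-SEC-041",
                "path": path,
                "line": lineno,
                "column": m.start() + 1,
                "match": redact(m.group(0)),
            })
    return findings


# Constructed sample input: 186 filler characters drawn from the allowed class.
FAKE_BODY = "Ab0_-=" * 31
SAMPLE = "\n".join([
    "# config/jira.env (constructed)",
    f"JIRA_API_TOKEN=ATATT3{FAKE_BODY}",
    f"TRUNCATED=ATATT3{FAKE_BODY[:100]}",  # body too short: must not match
    'auth = ("bot@example.com", "ATATT3' + FAKE_BODY + '")',
])

if __name__ == "__main__":
    for finding in scan_text(SAMPLE, "config/jira.env"):
        print(finding)
```

Because the pattern is unanchored, a token embedded in a longer string (a quoted literal, a URL, a JSON value) is still reported, while a truncated body is not.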
Why This Matters
A leaked Atlassian API token can be used to read confidential Jira issues, exfiltrate Confluence spaces (which often hold architecture diagrams, credentials, and runbooks), and pull private Bitbucket repositories. Because Atlassian Cloud has no IP allow-listing by default, the token works from any host on the public internet.
Remediation
- Revoke the API token in id.atlassian.com/manage-profile/security/api-tokens.
- Use OAuth 2.0 (3LO) authorization for any integration that needs user-context access.
- Audit the Atlassian audit log for API calls you did not initiate.
- Purge from git history with git filter-repo.