# Issue Tracker Integration

Compliance Scanner automatically creates issues in your existing issue trackers when new security findings are discovered. This integrates security into your development workflow without requiring teams to check a separate tool.

## Supported Trackers

| Tracker | Configuration Variables |
|---------|----------------------|
| **GitHub Issues** | `GITHUB_TOKEN` |
| **GitLab Issues** | `GITLAB_URL`, `GITLAB_TOKEN` |
| **Jira** | `JIRA_URL`, `JIRA_EMAIL`, `JIRA_API_TOKEN`, `JIRA_PROJECT_KEY` |

## How It Works

1. A scan discovers new findings
2. For each new finding, the agent checks if an issue already exists (by fingerprint)
3. If not, it creates an issue in the configured tracker with:
   - Title matching the finding title
   - Description with vulnerability details, severity, and file location
   - Link back to the finding in the dashboard
4. The finding is updated with the external issue URL

## Viewing Issues

Navigate to **Issues** in the sidebar to see all tracker issues across your repositories. The issues table shows:

| Column | Description |
|--------|-------------|
| Tracker | Badge showing GitHub, GitLab, or Jira |
| External ID | Issue number in the external system |
| Title | Issue title |
| Status | Open, Closed, or tracker-specific status |
| Created | When the issue was created |
| Link | Direct link to the issue in the external tracker |

Click the **Open** link to go directly to the issue in GitHub, GitLab, or Jira.

## Configuration

### GitHub

```bash
GITHUB_TOKEN=ghp_xxxx
```

Issues are created in the same repository that was scanned.

### GitLab

```bash
GITLAB_URL=https://gitlab.com
GITLAB_TOKEN=glpat-xxxx
```

Issues are created in the same project that was scanned.

### Jira

```bash
JIRA_URL=https://your-org.atlassian.net
JIRA_EMAIL=security-bot@example.com
JIRA_API_TOKEN=your-api-token
JIRA_PROJECT_KEY=SEC
```

All issues are created in the specified Jira project (`JIRA_PROJECT_KEY`).

::: tip
Use a dedicated service account for issue creation so that security findings are clearly attributed to automated scanning rather than individual team members.
:::
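
The fingerprint-based deduplication in steps 2 to 4 of How It Works, as an added Python example that is not the scanner's own code. The fingerprint recipe (SHA-256 of title and file path), the `Finding` fields and the `InMemoryTracker` stand-in are assumptions, since the page does not specify them.

```python
import hashlib
from dataclasses import dataclass, replace

@dataclass
class Finding:
    title: str
    severity: str
    file_path: str
    line: int
    details: str
    dashboard_url: str
    issue_url: str = ""  # filled in by step 4

def fingerprint(f: Finding) -> str:
    # Assumption: hash of title + file path. The line number is left out so
    # that code shifting within a file does not look like a new finding.
    return hashlib.sha256(f"{f.title}\x1f{f.file_path}".encode()).hexdigest()[:16]

class InMemoryTracker:  # constructed stand-in for GitHub/GitLab/Jira; no network calls
    def __init__(self, base_url):
        self.base_url = base_url
        self.issues = {}  # fingerprint -> issue

    def create(self, fp, title, body):
        issue = {"id": len(self.issues) + 1, "title": title, "body": body}
        issue["url"] = f"{self.base_url}/issues/{issue['id']}"
        self.issues[fp] = issue
        return issue

def sync_findings(findings, tracker) -> int:
    """Run steps 2-4 for each finding; return how many issues were created."""
    created = 0
    for f in findings:
        fp = fingerprint(f)
        issue = tracker.issues.get(fp)       # step 2: does an issue already exist?
        if issue is None:                    # step 3: create it
            body = (f"Severity: {f.severity}\nLocation: {f.file_path}:{f.line}\n\n"
                    f"{f.details}\n\nDashboard: {f.dashboard_url}")
            issue = tracker.create(fp, f.title, body)
            created += 1
        f.issue_url = issue["url"]           # step 4: record the external URL
    return created

if __name__ == "__main__":
    # Constructed sample: the same finding reported by two scans, line shifted.
    tracker = InMemoryTracker("https://tracker.example/acme/app")
    first = Finding("Hardcoded API key", "high", "src/config.py", 12,
                    "Key committed in source.", "https://dashboard.example/findings/1")
    second = replace(first, line=19, issue_url="")
    print(sync_findings([first], tracker), sync_findings([second], tracker), second.issue_url)
```

The second scan creates no new issue and the re-reported finding is linked to the existing one, which keeps repeated scans from flooding the tracker.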