Skip to main content

Integrate a new Confluence Cloud source

info

Historical scanning is now available in Beta. Check out Scanning your Confluence Cloud History for more information.

All detectors are supported, with the exception of these 2 generic detectors, in order to limit the risk of false positives:

Setting up and configuring this integration is limited to users with an Owner or Manager access level. Confluence Cloud site installation is only open to workspaces under the Business plan. However, you can install and test secret detection in Confluence Cloud with a 30-day trial. Any secret incidents detected during the trial will remain accessible in your incident dashboard.

GitGuardian integrates natively with Confluence Cloud via an OAuth2 app that you can authorize on your Confluence Cloud sites. Note that the GitGuardian OAuth2 app only has read access to your spaces.

Requirements

You must be a Confluence Administrator to configure GitGuardian Confluence Cloud integration.

Setup your Confluence Cloud integration

You can install GitGuardian on multiple Confluence Cloud sites to monitor your spaces.

  1. Make sure you're logged in the Confluence Cloud site you want to install
  2. In the GitGuardian platform, navigate to the Sources integration page
  3. Click Install next to Confluence Cloud in the Documentation section Confluence Cloud install
  4. Click Install on the Confluence Cloud integration page
  5. Click Connect with Confluence Cloud in the installation modal Confluence Cloud install - Step 1
  6. Make sure you are connected to the right Confluence Cloud site
  7. Click Accept to grant the permissions requested by GitGuardian Confluence Cloud permissions That's it! Our OAuth2 app is now authorized on your Confluence Cloud site and will start monitoring pages, blogs, and comments in your spaces for secrets.

Setup Confluence Cloud for self-hosted GitGuardian

info

We recommend using dedicated workers for Confluence Cloud. For more detailed information on scaling and configuration, please visit our scaling page.

If you are using a self-hosted GitGuardian instance, you must first configure a dedicated Confluence Cloud App so that you own the entire data stream. This will ensure that your Confluence Cloud App is created with all the appropriate rights.

1. Create a Confluence Cloud app

  1. Navigate to the Confluence Cloud integration page
  2. Click Configure Confluence Cloud app
    Confluence Cloud app configure

As a Confluence Cloud administrator

  1. Click Create Confluence Cloud app (Alternatively, if you're not a GitGuardian Manager, you can access the Atlassian developer console directly)
  2. Type the name of your new Confluence Cloud app: GitGuardian
  3. Agree to Atlassian's developer terms by checking: I agree to be bound by Atlassian's developer terms.
  4. Click Create
    Confluence Cloud app create
  5. Go to the Permissions page
  6. Click Add next to the Confluence API line
    Permissions - Confluence API add
  7. Click Configure next to the Confluence API line
  8. In the Classic scopes tab, click Edit Scopes in the Confluence platform REST API section
    Confluence Cloud - Classic scopes edit
  9. Select the following classic scopes:
    • read:confluence-content.all
    • read:confluence-content.permission
    • read:confluence-content.summary
    • read:confluence-groups
    • read:confluence-props
    • read:confluence-space.summary
    • read:confluence-user
    • readonly:content.attachment:confluence
    • search:confluence
  10. Click Save
    Confluence Cloud - Classic scopes
  11. In the Granular scopes tab, click Edit Scopes
    Confluence Cloud - Granular scopes edit
  12. Select the following granular scopes:
  • read:blogpost:confluence
  • read:comment:confluence
  • read:page:confluence
  • read:space:confluence
  1. Click Save
    Confluence Cloud - Granular scopes
  2. Go to the Authorization page
  3. Click Add next to the OAuth 2.0 (3LO) line
    Authorization - OAuth 2.0 add
  4. Enter the callback URL based on your GitGuardian self-hosted instance URL:
    https://<gitguardian.acme.com>/api/v1/confluence-cloud/app/install_callback/
  5. Click Save changes
    Confluence Cloud - Callback URL
  6. Go to the Overview page
  7. Get your App details (App ID) (alternatively, you can find and copy it more easily from the URL)
    Confluence Cloud - Overview credentials
  8. Go to the Settings page
  9. Get your Authentication details (Client ID, Secret)
    Confluence Cloud - Settings credentials

That's it! Your Confluence Cloud app has been created and you can now declare your Confluence Cloud app in the GitGuardian Platform. Alternatively, if you are not a GitGuardian Manager, you can now return the Confluence Cloud app credentials to your requester in the secure way of your choice (App ID, Client ID, Secret).

As a non Confluence Cloud administrator

If you don't have the right to create a Confluence Cloud app, please ask your Confluence Cloud administrator to do it for you. You can easily forward a request with this procedure:

  1. Click the Send a request to a Confluence administrator link to easily forward your request
  2. They should in turn provide you with the Confluence Cloud app credentials to proceed with the rest of the configuration.

2. Declare your Confluence Cloud app in the GitGuardian Platform

  1. Paste your Confluence Cloud app credentials (App ID, Client ID, Secret)
  2. Click Save and close
    Confluence Cloud app credentials

That's it! Your Confluence Cloud configuration is ready and you can now setup your Confluence Cloud integration.

Scanning your Confluence Cloud history (beta)

GitGuardian enables you and encourages you to scan the entire history of your perimeter. By executing historical scanning, all secrets present in your Confluence sources prior to installing GitGuardian will be detected.

Unlike Version Control Systems, historical scanning has to be manually executed from your perimeter page, by:

  • Selecting your Confluence sources
  • Clicking scan from the top action bar

Edit your Confluence Cloud app configuration

In case you need to edit your Confluence Cloud app configuration, due to an error when declaring your Confluence Cloud app credentials or due to a secret rotation, you can do so as follows:

  1. Click Edit Confluence Cloud app
  2. Update your Confluence Cloud app credentials
  3. Click Save and close
    Confluence Cloud app configuration edit

Delete your Confluence Cloud app configuration

In case you need to delete your Confluence Cloud app configuration, you can do so as follows:

  1. Click Edit Confluence Cloud app
  2. Click Delete configuration
  3. Confirm by clicking Delete configuration in the confirmation modal
info

Deleting your Confluence Cloud app configuration will uninstall all your Confluence Cloud integrations. However, all your existing incidents detected on Confluence Cloud will remain available on your dashboard. Note that deleting the Confluence Cloud app configuration will only delete the configuration, not the Confluence Cloud app. If you want to delete your Confluence Cloud app, you must do so from your Confluence Cloud site.

Uninstall your Confluence Cloud site

To uninstall a Confluence Cloud site:

  1. In the GitGuardian platform, navigate to the Sources integration page
  2. Click Edit next to Confluence Cloud in the Documentation section
  3. Click the bin icon next to the Confluence Cloud site to uninstall
  4. Confirm by clicking Yes, uninstall in the confirmation modal Confluence Cloud uninstall

That's it! Your Confluence Cloud site is now uninstalled.

Remove the GitGuardian OAuth2 app from your Confluence Cloud site

Uninstalling a Confluence Cloud site from the GitGuardian platform does not remove the GitGuardian OAuth2 app from your Confluence Cloud site. This is not a mandatory step, but you can remove it manually after uninstalling your Confluence Cloud site from the GitGuardian platform.

To remove the GitGuardian OAuth2 app from your Confluence Cloud site:

  1. Go to the Connected apps page of your Confluence Cloud site
  2. Click Remove access next to the GitGuardian Confluence app
  3. Confirm by clicking Remove in the confirmation modal Confluence Cloud - Remove app

That's it! The GitGuardian OAuth2 app is now removed from your Confluence Cloud site.

Installing the GitGuardian Connect App (for self-hosted version earlier than 2025.9.0)

For GitGuardian Self-Hosted versions earlier than 2025.9.0, installing a Confluence Connect App on each Confluence Cloud site is required in addition to authorizing the OAuth2 app.

  1. In your Confluence Cloud site, go to SettingsManage apps
  2. Click Settings (top-right of the Manage apps page)
  3. Check Enable development mode and click Apply Confluence Cloud Development Mode
  4. Back on the Manage apps page, click Upload app
  5. Paste your GitGuardian Connect App descriptor URL and click Upload:
    • For GitGuardian Self-Hosted:
      https://<gitguardian.acme.com>/api/v1/confluence-cloud/connect-app/app-descriptor/
      Replace https://<gitguardian.acme.com> with your GitGuardian Self-Hosted base URL Confluence Cloud Upload app
  6. Verify the app appears under installed apps. The Connect App will now stream page, blog, and comment events to your GitGuardian instance.

Notes:

  • Repeat these steps on every Confluence Cloud site you want to monitor.
  • When you upgrade GitGuardian Self-Hosted to version 2025.9.0 or later, the Connect App is no longer required. You can safely uninstall it from Confluence (Manage apps → select the app → Uninstall).

Limitations

  • Historical Scan (Beta): Historical scanning is now available in Beta. The historical scans are not automatically executed upon the addition of newly created sources. It only works in manual mode.
  • Monitored Perimeter: Customization of the monitored perimeter is not supported. All spaces are monitored by default.
  • Team Perimeter: Customization of a team perimeter with Confluence Cloud spaces is not supported. Users must be in All-incidents team to view and access Confluence Cloud incidents.
  • Source Visibility: The visibility of spaces is not determined. All spaces are considered private in both the UI and API.
  • File Attachments: File attachments are not yet supported.

Privacy

Country-specific laws and regulations may require you to inform your Confluence Cloud users that your spaces are being scanned for secrets. Here is a suggestion for a message you may want to use:

As part of our internal information security process, the company scans the Confluence Cloud spaces for potential secrets leaks using GitGuardian. All data collected will be processed for the purpose of detecting potential leaks. To find out more about how we manage your personal data and to exercise your rights, please refer to our employee/partner privacy notice. Please note that only spaces relating to the company’s activity and business may be monitored and that users shall refrain from sharing personal or sensitive data not relevant to the space’s purpose.

Last updated on

Something we didn’t cover?

See our Roadmap

Subscribe on GitHub

Submit a request

API status