Atlassian Forge App · Jira Cloud

FileWarden
Attachment governance for Jira

Block risky or non-compliant attachments and catch leaked secrets and PII across every Jira upload path - with reversible quarantine and a full audit trail.

Coming soon to the Atlassian Marketplace
  • Runs 100% on Atlassian
  • No external egress
  • Full audit trail
  • Coverage: every upload path
  • Content DLP: secret + PII scan
  • Compliance: CSV audit log

Why FileWarden

Govern every attachment, automatically.

01

Govern every attachment on every upload path

Comments, descriptions, forms, custom fields, and Jira Service Management requests are all covered. The moment a violation lands, FileWarden removes or quarantines it and posts a clear comment explaining which policy it broke - no manual cleanup, no gaps.

02

Catch leaked secrets and PII inside text files

A lightweight, zero-egress content scan reads text files for AWS keys, private keys, API tokens, credit cards, and US SSNs. The matched value is never shown or logged - FileWarden acts as a DLP layer without anything leaving Atlassian.

03

Exportable audit log and per-issue history

Every action is recorded newest-first with the file, reason, and actor, and exports to CSV for auditors (Pro). A read-only panel on each issue shows exactly what FileWarden did to its attachments.

More details

Stop risky and non-compliant attachments from piling up in Jira. Jira Cloud has no pre-upload hook, so a .exe, an oversized export, or a stray secret.env can land through a comment, a description, a form, a custom field, or a service desk request - and stay there. FileWarden watches every upload path and auto-removes or quarantines anything that breaks your policy, posts a human-readable comment so people learn the rule, and keeps a tamper-evident audit trail. It acts as a Jira DLP layer for attachment security - governing files by type, name, and size, and scanning text files for leaked secrets and PII - with no antivirus engine and no external service.

Templates or your own rule

Start from a compliance template - block executables, block secrets, HIPAA, PCI-DSS, GDPR, or office-only - or allowlist and blocklist by extension, MIME type, filename, or size. Globally, or per project on Pro. Templates are a starting point you can tune.

Secret and PII content scan

Inside text files, FileWarden looks for AWS keys, private keys, API tokens, credit cards, and US SSNs. The scan runs on Atlassian with zero egress and never shows or logs the matched value.
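
One way to build a scan of the kind described above, as an added example (not FileWarden's code; the detector patterns, `scanText`, and the sample text are assumptions, and a generic API-token detector is left out). Findings carry only the detector type and position, so nothing derived from the matched value can reach a comment or a log.

```javascript
// Added illustration, not FileWarden's code. Patterns and names are assumptions.
function luhnValid(candidate) {
  const digits = candidate.replace(/\D/g, '');
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; } // double every second digit from the right
    sum += d;
  }
  return sum % 10 === 0;
}

const DETECTORS = [
  { type: 'aws-access-key-id', re: /\b(?:AKIA|ASIA)[A-Z0-9]{16}\b/g },
  { type: 'private-key', re: /-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----/g },
  { type: 'us-ssn', re: /\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b/g },
  // Digit runs are common (order ids, timestamps), so require a Luhn checksum.
  { type: 'credit-card', re: /\b\d(?:[ -]?\d){12,18}\b/g, validate: luhnValid },
];

// Returns findings with type and position only. The matched value is not
// copied, and no hash of it is kept either: SSNs and card numbers are
// low-entropy, so a stored digest could be brute-forced back to the value.
function scanText(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, idx) => {
    for (const { type, re, validate } of DETECTORS) {
      for (const m of line.matchAll(re)) {
        if (validate && !validate(m[0])) continue;
        findings.push({ type, line: idx + 1, column: m.index + 1 });
      }
    }
  });
  return findings;
}

// Constructed sample: AWS's documentation example key id, a standard test
// card number, the same number with a bad check digit, and a made-up SSN.
const SAMPLE = [
  'AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE',
  'card: 4111 1111 1111 1111',
  'order id: 4111 1111 1111 1112',
  'ssn 123-45-6789',
  '-----BEGIN RSA PRIVATE KEY-----',
].join('\n');

console.log(scanText(SAMPLE));
```

The third sample line has the shape of a card number but fails the checksum, so it produces no finding; without that check a blocklist on digit runs would quarantine ordinary exports.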

Safe to roll out

Monitor mode logs what would be removed without deleting, a grace period gives uploaders time to fix a violation, and trusted bot and CI accounts can be exempted. Run a one-time scan of existing attachments to clean up what predates install.

Reversible remediation and audits

Quarantine instead of delete on Pro, then restore if a block was wrong. Every action is logged newest-first and exports to CSV, with a daily compliance digest and a per-issue panel.

Notifies inside Jira

When something is blocked, FileWarden posts to a tracking issue with an @mention and can raise a permission alert - no Slack or email needed, nothing leaves Atlassian.

Runs 100% on Atlassian

No external servers, no data egress, data residency honored - eligible for the Runs on Atlassian badge. The content scan runs on-platform too.

Features

Everything it takes to keep attachments clean.

Block on Every Upload Path

Comments, descriptions, forms, custom fields, and Jira Service Management requests are all covered. When a violation lands, FileWarden removes or quarantines it and posts a comment naming the policy it broke - no manual cleanup, no gaps.

Restrict File Types

Match by extension, MIME type, filename glob, or maximum size, as an allowlist or a blocklist. Set one global policy, or per-project rules on Pro.

Secret and PII Content Scan

A lightweight, zero-egress scan reads inside text files for leaked secrets and PII - AWS keys, private keys, API tokens, credit cards, and US SSNs. The matched value is never shown or logged.

Compliance Policy Templates

Apply a sensible policy in one click: block executables, block secrets, or a HIPAA, PCI-DSS, GDPR, or office-only posture. Templates are a starting point you can tune.

Quarantine and Restore

On Pro, remove violations reversibly: quarantine an attachment instead of deleting it, then restore it if the block was wrong.

Monitor Mode and Grace Period

Dry-run a policy: Monitor mode logs what would be removed without deleting anything, and a grace period gives uploaders time to fix a violation before enforcement kicks in.

Exportable Audit Log

Every action is recorded newest-first with the file, reason, and actor, and exports to CSV for auditors on Pro. A read-only panel on each issue shows exactly what FileWarden did.

In-Jira Notifications and Digest

Get a tracking-issue notification with an @mention when something is blocked, plus a daily compliance digest - no Slack or email needed, nothing leaves Atlassian.

How it works

Set a policy, roll it out, prove it.

01

Set a Policy

Start from a compliance template or build your own: allowlist or blocklist by extension, MIME type, filename pattern, or maximum size, and turn on the secret and PII content scan - globally, or per project on Pro.

02

Roll Out Safely

Use Monitor mode to log what would be removed, set a grace period, and exempt trusted bot uploaders before you enforce. Run a one-time scan of existing attachments to clean up violations that predate install.

03

Auto-Remediate

FileWarden removes or quarantines violations the moment they land, posts a comment explaining the policy, and notifies a tracking issue with an @mention.

04

Audit and Export

Review every action newest-first in the audit log, get a daily compliance digest, and export to CSV for auditors (Pro).

Free and Pro

Start free, upgrade for depth.

A single paid plan with a free tier. Enforcement, Monitor mode, and the per-issue panel are free; per-project rules and the exportable audit log are Pro.

Free

Unlicensed
  • Global policy by extension, MIME type, filename, or size
  • Compliance policy templates
  • Secret and PII content scan for text files
  • On/off enforcement, Monitor mode, and grace period
  • Trusted uploader exemptions
  • Automatic remediation on every upload path
  • In-Jira notifications and read-only per-issue panel

Pro

Active or trial license
  • Everything in Free
  • Per-project rule overrides
  • Reversible quarantine and restore
  • Compliance audit log with CSV export and daily digest
Permissions and privacy

Three scopes, and nothing leaves Atlassian.

FileWarden runs entirely on Atlassian Forge with no external egress. It governs files by filename, declared MIME type, and size, and optionally scans text files for leaked secrets and PII - all on-platform. The matched value is never shown or logged, and nothing leaves Atlassian.

read:jira-work

Read issues and attachment metadata, read text attachments for the content scan, list projects, and check the caller's ADMINISTER permission.

write:jira-work

Remove or quarantine violating attachments and post the policy comment that explains the rule.

storage:app

Forge KVS for policies, the audit log, idempotency markers, and settings. No external storage.

100% on Atlassian

No external servers

No data egress

Data residency honored

Value never logged

Content scan stays on-platform

Want something like FileWarden?

KUBERSTAR designed and built FileWarden. Tell us what you have in mind and the same team can build it for you.

A KUBERSTAR Product