Testing FileWarden
Last updated: July 17, 2026
A walkthrough for an Atlassian Marketplace reviewer. Five tests, in order, with the exact text FileWarden posts so you can check what happened against what we promised. Test 1 needs no configuration and finishes in seconds; Test 3 needs up to an hour, for the reason directly below.
Zero config
Enforcing on install
Seconds
Type, size, name rules
Up to 1 hour
Scan, grace, quarantine
Pro on trial
Evaluation = full Pro
Read this before you test the content scan
The content scan does not run when a file is uploaded. Upload a file with an AWS key in it and nothing will happen - not in a second, not in a minute. It is caught by the reconciliation sweep, which runs once an hour, so a secret can sit on an issue for up to an hour before FileWarden removes it. That is the designed behaviour, not a failure. If you test this feature and walk away after five minutes, you will conclude it is broken when it is not.
Why: reading a file's bytes is too slow for Forge's 25-second synchronous trigger budget, so the upload path deliberately skips anything that has to fetch content - the text scan, the PDF/Office scan and the renamed-file signature check. The hourly sweep has a 900-second budget and does that work there instead. Everything decided from metadata alone - extension, MIME type, size, filename pattern, per-issue count, duplicate filenames - does run on upload, within seconds. Tests 1, 2, 4 and 5 are all in that fast group.
Two settings, in this order, decide what a removal does: grace period, then quarantine, then plain delete. FileWarden checks them in exactly that precedence on every file. If the grace period is above zero, the file is deferred right there - flagged with a warning comment and removed by a later sweep - no matter what quarantine is set to. Only if the grace period is zero does quarantine come into play, and quarantine needs both its toggle AND a valid Quarantine issue key. With both set, quarantine copies the file to that holding issue before deleting it; a copy is a byte transfer the 25-second upload path cannot do, so an upload is only recorded as pending and the copy, the delete and the comment all wait for the hourly sweep. The comment you get then is a different one - it says moved to quarantine, not removed:
FileWarden moved the attachment "01-blocked-executable.exe" to quarantine. Files of type .exe are not permitted by this project's attachment policy. A Jira admin can restore it from the FileWarden settings within the restore window if this is a mistake.
Flipping the quarantine toggle alone does nothing. With the toggle on but the Quarantine issue key left empty, the quarantine branch is skipped entirely: the file takes the ordinary immediate-delete path and is gone within seconds, with the plain removal comment and no copy to restore. So to keep Test 1 fast, leave the grace period at zero and quarantine off; to see the deferral, set the grace period, or set the quarantine toggle AND its issue key, deliberately after Tests 1 to 4 and expect to wait.
Prerequisites.
A Jira Cloud site you can administer
You need the Jira administrator permission - every FileWarden admin endpoint verifies the ADMINISTER permission server-side, so a non-admin cannot open the settings at all. A free Jira Cloud site works.
The app installed, and one throwaway project
Install FileWarden from the Marketplace listing. Use a scratch project and a scratch issue for the tests: the app really deletes attachments, so do not test on an issue whose files you want to keep.
A licence, if you want to test the content scan
A 30-day evaluation licence counts as active and unlocks every Pro feature, so a reviewer on a trial sees the full product. Without an active licence the content scan cannot be enabled at all - the toggle is disabled in the UI, and the server force-clears the flag on save, so it can never be turned on by editing the request. Free covers Tests 1, 2, 4 and 5. In Test 4 the Audit log tab is Pro, but the monitor-mode decision it shows is also readable in the FileWarden issue panel, which is free.
Start here. No setup.
If you only run one test, run this one.
Test 01
Zero configuration, seconds
Prove the app is useful the moment it is installed. Do not open the admin page first - the point of this test is that you have not configured anything.
- Open any issue in your scratch project.
- Attach 01-blocked-executable.exe from the sample set (or any file you rename to .exe) - drag it onto the issue, or add it through a comment.
- Refresh the issue after a few seconds.
What should happen
The attachment is gone and FileWarden has posted a comment on the issue. On a fresh install the default policy blocks exe, bat, cmd, com, msi, scr, vbs, js, jar, dll, ps1, enforcement is on, monitor mode is off, the grace period is zero and quarantine is off - so the file is removed immediately, with no setup.
FileWarden removed the attachment "01-blocked-executable.exe". Files of type .exe are not permitted by this project's attachment policy. Contact your Jira admin if you believe this is a mistake.
The admin page.
In Jira, go to Settings → Apps → FileWarden. FileWarden is its own entry in the left nav of the Apps section, a sibling of Manage apps rather than something inside it - Manage apps is the subscription screen and has no FileWarden settings on it. If the nav is cluttered, the direct URL is /jira/settings/apps/<appId>/<envId>. Everything in the rest of this guide is configured there. The page has five tabs.
| Tab | What it does | Edition |
|---|---|---|
| Default policy | The instance-wide rules plus the enforcement, monitor-mode, grace-period and content-scan switches. This is where Tests 2, 3 and 4 are configured. | Free |
| Per-project rules | A policy override for a single Jira project, which takes precedence over the default policy. | Pro |
| Per-group rules | A policy override keyed on the uploader's Jira group membership. | Pro |
| Audit log | Every decision FileWarden made, with a CSV export. This is where a monitor-mode run shows up - and, without a licence, so does the free FileWarden issue panel on the issue itself. | Pro |
| Quarantine | Removed files held as real Jira attachments on a holding issue, restorable within the retention window. It takes two fields, not one: the toggle AND a Quarantine issue key. With both set, even the fast tests defer to the hourly sweep, so leave it off until Tests 1 to 4 are done. See the timing panel above. | Pro |
Four more tests.
Test 02
A custom rule: filename pattern and max size
Prove you can express a rule of your own, and that it fires as fast as the built-in one. Like the extension check, filename patterns and the size ceiling are decided from metadata alone, so they run on the synchronous upload trigger.
- Open Default policy in the admin page.
- In "Filename patterns (one per line, `*` and `?` wildcards)" add: *-db-dump.sql - the patterns are case-insensitive globs, not regular expressions. Leave Max file size at 0 for now.
- Save, then attach 02-customer-db-dump.sql to an issue. It is removed within seconds.
- Now, in a second save, set "Max file size in MB (0 = no limit)" to 1 and attach a file of your own larger than 1 MB. Nothing in the sample zip is big enough - the largest sample is 1.7 KB.
- Set Max file size back to 0 before you move on, so it cannot interfere with the later tests.
What should happen
Each file is removed within seconds, with its own comment naming the rule it broke. Note that .sql is not blocked by default - it is your pattern, not the extension list, that catches this one. The size ceiling applies in both block and allow mode.
FileWarden removed the attachment "02-customer-db-dump.sql". The file name "02-customer-db-dump.sql" matches a restricted pattern in this project's attachment policy. Contact your Jira admin if you believe this is a mistake.
FileWarden removed the attachment "<your file>". Files larger than 1 MB are not permitted by this project's attachment policy. Contact your Jira admin if you believe this is a mistake.
Set the two rules in separate saves, as above, because the size check runs first and wins: a file that is both over the ceiling and matched by a pattern gets the size comment, never the pattern one. If you set both at once and test with one large, badly-named file, the quote above is the only one you will see.
The size field takes whole megabytes only - a fractional value is rounded down, and anything below 1 rounds to 0, which means no limit. So 1 MB is the smallest ceiling you can set, and no sample in the zip can reach it. Use any file over 1 MB you already have; it does not matter what is in it.
Test 03
The content scan (DLP) - read the timing note first
Prove FileWarden finds a secret inside a file, not just a bad name on it. This is the test most likely to look broken if you judge it in the first minute, because it does not run on upload.
- Open Default policy, scroll to Content security, and enable "Scan text attachments for secrets and PII". If the toggle is greyed out with a Pro badge, your instance has no active licence - start the 30-day evaluation and it unlocks.
- Save the settings.
- Attach 03-leaked-aws-key.env to an issue. Nothing will happen. This is expected.
- Wait for the hourly sweep - up to 60 minutes. Then reload the issue.
What should happen
After the sweep runs, the file is removed and a comment names the kind of secret found - never the value itself. The audit log records that a match was found, also without the value.
FileWarden removed the attachment "03-leaked-aws-key.env". Contained a likely secret or sensitive value (AWS access key ID). Contact your Jira admin if you believe this is a mistake.
This one switch covers both halves of the scan, and each half has its own size cap. Text files are scanned when their extension is on the scannable list (txt, log, env, ini, json, yaml, csv, md, sh, py, js, sql, pem, key and similar) and they are 256 KB or smaller. PDF, Word, Excel and PowerPoint files go to a separate text extractor with a larger ceiling of 10 MB. A file over its cap is skipped by design, to keep the cost bounded. Every sample in the zip is plain text, so if you want to exercise the document half you need a document of your own.
Two limits worth knowing before you judge a negative result. A scanned or image-only PDF has no extractable text, so FileWarden treats it as unscannable and leaves it alone - no comment, no audit row. That is deliberate: this is a lite DLP layer, and we would rather miss a picture of a secret than delete a clean file. And the renamed-file signature check is not part of this switch - Detect renamed files (signature check) is its own Pro toggle in the same Content security section, off by default, and enabling the content scan does not enable it. If you want to test it, turn it on yourself, rename an executable to .pdf, upload it and wait for the same hourly sweep.
Test 04
The safety valves: monitor mode and the grace period
Prove an admin can roll this out without deleting anything on day one. These are the two answers to "what if the policy is wrong?".
- Turn on "Monitor mode (log only, do not remove)" in Default policy and save.
- Attach another .exe. The file stays on the issue and no comment is posted.
- Open the FileWarden panel on that issue: it lists the file with a Flagged lozenge. The panel is free. The admin Audit log tab records the same decision as Flagged (monitor), but that tab needs an active licence.
- Delete that flagged .exe yourself now - read the note below before you skip this step.
- Turn monitor mode back off, set "Grace period before removal (hours, 0 = immediate)" to 1, and save.
- Attach another .exe and read the comment that appears within seconds.
What should happen
While monitor mode is on, FileWarden does not delete and does not comment - it only logs, so an admin can watch what a policy would have done before arming it. With a grace period set, the file is not removed on upload: it is flagged with a warning comment naming the deadline, and a later sweep removes it once the window has elapsed - unless the policy changed in the meantime, in which case the file is spared. The grace period applies in enforcement mode only; monitor mode already deletes nothing.
FileWarden flagged the attachment "01-blocked-executable.exe" for removal. Files of type .exe are not permitted by this project's attachment policy. It will be removed automatically after <deadline> unless a Jira admin changes the policy.
A monitor-mode flag defers a file, it does not settle it. FileWarden keeps the flagged file on its list rather than writing it off, so enforcement can finish the job later. So once you turn monitor mode back off in step 5, that same .exe from step 2 is back in scope - but what happens to it is not an instant delete. Because step 5 also sets a 1-hour grace period, the next time FileWarden reprocesses that file it posts the grace warning comment and schedules removal for a later sweep, exactly as it does for the step-6 file - grace is checked before any deletion. And it is reprocessed whenever its issue is next touched: attach the step-6 .exe to the same issue and the step-2 file gets its grace comment within seconds too; leave the issue untouched and, once it drops out of the sweep's look-back window, it may not be reached at all. The one thing you must not do is treat the flagged file as safe evidence that monitor mode leaves files alone - enforcement will act on it. If you want to keep it, delete it yourself in step 4 or move it to a fresh issue.
Because removal is done by a sweep, a 1-hour grace period means the file disappears at the first sweep after the hour is up, not on the exact minute. Set the grace period back to 0 before continuing.
Test 05
Confluence: the seeded default blocklist, deletes to Space Trash
Prove the Confluence install governs on its own - useful the moment it is installed, removing to the reversible Space Trash. It is a SEPARATE Forge installation with its own storage and no admin page, so nothing you configured in Jira reaches it: it runs the seeded default executable blocklist and only that.
- Install FileWarden on Confluence and open any page.
- Attach 01-blocked-executable.exe to the page. The .exe is caught because exe is on the default executable blocklist that seeds every install - the only policy the Confluence install has.
- Refresh, then open the space's Trash.
What should happen
The attachment is removed from the page and a footer comment explains why. The .exe was caught because exe is on the default executable blocklist that seeds every install - not because of anything you set in Jira.
Confluence is a separate Forge installation with its own storage, and it has no admin page anywhere - not in Confluence, not in Jira. It was seeded on install with the default policy (block exe, bat, cmd, com, msi, scr, vbs, js, jar, dll, ps1) and it stays on that default, because there is no surface to change it. Nothing you configure in Jira reaches it: the custom filename pattern from Test 2, any MIME, size or extension rule you add, the content scan, the PDF/Office scan, the renamed-file signature check, the grace period, quarantine and per-group exemptions - none of them apply on Confluence. Enforcement and monitor mode are Jira settings too and do not carry over; the Confluence install enforces its seeded default and cannot be put in monitor mode.
So two things you must not expect here. Do not upload 03-leaked-aws-key.env to a page and wait for the content scan - the Confluence install has no content scan and nothing will ever happen to it. And do not upload 02-customer-db-dump.sql expecting your Test 2 pattern to catch it - that pattern lives only in the Jira install, so the file stays on the page. The only files the Confluence install removes are the ones on its default executable blocklist. A Confluence-native admin page is a planned fast-follow, not something you are testing today.
The deleted file is in the space's Trash, restorable by a space admin. Confluence's delete API trashes rather than destroys, which is the safer of the two behaviours and the reason this test is worth running on its own.
Three more surfaces.
The script above exercises the attachment trigger, the hourly sweep and the admin page. FileWarden ships three modules those tests never touch. They are not an afterthought - the validator and the Rovo action are the two places where a security reviewer should push hardest, so here is where they are and what they should do.
Workflow validator
FreeWhere: Project settings → Workflows → edit a workflow → pick a transition → Validators → Add validator → “FileWarden - block disallowed attachments”. Company-managed and team-managed projects both.
Refuses the transition while the issue still carries an attachment the policy disallows, and names up to three of them in the error. It is deliberately permissive: if enforcement is off, if monitor mode is on, or if the check itself errors, the transition is allowed through - we would rather let an issue move than wedge a customer's workflow, and the sweep still removes the file. It reads the type, MIME, pattern and size rules only, never file content, because a validator runs inside the user's transition.
Issue panel
FreeWhere: Any Jira issue - the panel is called FileWarden.
A read-only list of what FileWarden did to this issue's attachments: filename, action (Removed, Flagged, Quarantined, Restored, Exempted or Blocked) and time. This is the free way to read a monitor-mode decision, and the fastest way to confirm a removal or a flag. One label to read with care: a grace-deferred file (Test 4) is written to the log with a pending action the panel has no separate label for, so it shows as Removed while the file is still on the issue and only scheduled - there the grace warning comment is the accurate signal, not the panel. It is not admin-gated, so it deliberately returns only those three fields - never the reason, the uploader or the file's type, all of which stay behind the admin-gated, Pro Audit log. The issue is read from the product context, not from the request, so a caller cannot ask it about a different issue.
Rovo agent
ProWhere: Rovo chat - the agent is called FileWarden Compliance.
Two actions: one summarises what was removed, quarantined or flagged over a time window from the audit log; the other creates a per-project rule blocking a category of files. The second one is the one worth attacking. Ask it to block executables in a project while signed in as a non-admin: both actions re-verify the caller's Jira admin permission and the licence server-side, so the agent cannot be talked into writing a policy the caller could not write by hand in the admin page. LLM input is never trusted as authorisation.
Almost everything you need.
Seven files: one for each rule a tiny file can exercise, plus a control that must survive. The secrets inside them are fabricated and inert - they are strings shaped like credentials, not real ones. Two things are not in the zip and cannot be: the size test needs a file of your own over 1 MB, and the document half of the content scan needs a PDF or Office file of your own.
| File | Rule it exercises | What should happen |
|---|---|---|
01-blocked-executable.exe | Extension rule (default policy) | Removed within seconds, no configuration needed. |
02-customer-db-dump.sql | Filename pattern (*-db-dump.sql) | Removed within seconds once you add the pattern in Test 2. |
03-leaked-aws-key.env | Content scan: aws-access-key | Removed on the hourly sweep. Reason names “AWS access key ID”. |
04-customer-pii.csv | Content scan: us-ssn, credit-card, email | Removed on the hourly sweep. Reason names the highest-severity finding and counts the rest. |
05-deploy-key.pem | Content scan: private-key | Removed on the hourly sweep. Reason names “Private key block”. |
06-ci-tokens.txt | Content scan: generic-secret, github-pat, slack-token | Removed on the hourly sweep. Reason names one finding and counts the others. |
07-clean-release-notes.txt | Positive control - matches nothing | Stays on the issue, untouched, with no comment. This is the file that proves the policy is not simply blocking everything. |
(not in the zip - use your own) | Max file size (the 1 MB ceiling you set in Test 2) | Any file over 1 MB is removed within seconds. No sample here is big enough - the largest is 1.7 KB - and the field cannot be set below 1 MB. |
Files 03 to 06 are the content-scan set: enable the Pro content scan first (Test 3), upload them, and then wait for the hourly sweep. Files 01 and 02 need no waiting. File 07 is the one to watch closest - if it ever disappears, we have a false positive and we want to hear about it.
Nothing happened?
Four things account for almost every “it did not work”.
Nothing happened at all
Check Default policy: “Enforcement enabled” must be on and “Monitor mode” must be off. Monitor mode is the usual answer - it logs the decision to the audit log and deliberately leaves the file in place, so it reads exactly like the app doing nothing.
The file was already on the issue before you installed
It is probably still in scope. The hourly sweep selects issues by their updated timestamp and then re-checks every attachment on them, so an old file is remediated as soon as anything touches its issue - a comment, a field edit, another upload. What the sweep never reaches is an issue nobody has touched since you installed, and that is what the Pro backfill scan is for: a one-time pass over the whole instance that you start from the admin page. Re-upload the file if you just want to see the rule fire now.
You are testing the content scan and it has not fired
Give it the full hour. The content scan and the document scan are background-only; neither runs on upload. If an hour has passed, confirm the setting actually saved as on - without an active licence the server clears it on save, so it will read as off. If you are waiting on a renamed executable, check the right switch: the signature check is background-only too, but it is a separate Pro toggle, “Detect renamed files (signature check)”, and enabling the content scan does not enable it. And on Confluence none of these three run at all.
A comment appeared but the file is still there
That is the grace period: the comment names a deadline and a later sweep does the removal. If instead you see a permission warning in the admin page, the app-bot could not delete the file - Jira returns 403 when the app lacks the “Delete all attachments” project permission. Grant it to the app user in the project's permission scheme and the next pass will remove the file.
Still stuck, or something behaved differently from what this page promised? That is a bug and we want it. Email support@kuberstar.com or visit the KUBERSTAR support page. See also the security policy and the privacy policy.