Confluence Server - On-Premise
The Confluence Server (On-Prem) integration allows SailPoint Entro to automatically detect exposed secrets in your Confluence instance - including page content, comments, and attachments — while ensuring that no raw data ever leaves your environment.
Overview
SailPoint Entro connects securely to your on-prem Confluence instance through a local Worker (connector). All API interactions and scans occur locally, and only metadata and findings are sent securely to SailPoint Entro’s cloud dashboard.
Architecture Diagram
What Is Scanned
SailPoint Entro scans for secrets across the following Confluence components:
-
Pages
-
Full page body (plain text and wiki storage formats)
-
Titles and metadata
-
-
Comments
- Page-level and inline comments
-
Attachments
-
Supported text-based file formats:
.txt,.log,.json,.yaml,.yml,.xml,.ini,.csv,.config,.properties
-
Maximum file size: 10 MB
-
-
Metadata
- Page ID, space key, creator, and modification timestamps
Note
Detection Engine: SailPoint Entro uses contextual scanning and entropy-based algorithms to detect API keys, credentials, tokens, and misconfigured secrets.
What Is Not Scanned
For performance and privacy reasons, the following are excluded from scanning:
-
Deleted or archived spaces and pages
-
Historical page versions (only latest version is scanned)
-
Encrypted or binary attachments (e.g.,
.zip,.jpg,.pdf) -
Audit logs, templates, or macros
-
Marketplace app data and third-party plugin storage
These exclusions are intentional to maintain data integrity and minimize API load.
Installation & Configuration
Follow these steps to connect your Confluence Server to SailPoint Entro.
Prerequisites
-
Confluence Server v7.0 or later
-
REST API enabled (
/wiki/rest/api/) -
Access to your on-prem Worker Group (Connector)
-
A dedicated integration user with the following permissions:
-
View Pages
-
View Comments
-
View Attachments
-
-
A Personal Access Token (PAT) generated for the integration user
Configure the Integration in SailPoint Entro
-
Connect integration
In SailPoint Entro → Integrations → Atlassian → Confluence Server, click Connect.
-
Enter configuration details
Provide the following:
- Base URL: e.g.,
-
Access Token: The token created for the integration user
-
Worker Group (Connector): Select your on-prem Worker
-
Test and save
Test the connection and click Save.
Initial Scan
After connecting, initiate your first scan manually or set an automatic schedule.
-
Scans run through the on-prem Worker using Confluence’s REST API.
-
Raw data and attachments remain inside your infrastructure.
System Requirements
| Component | Requirement |
|---|---|
| Confluence Version | 7.0+ |
| API Access | REST API enabled |
| Network | Outbound HTTPS (443) access from Worker to SailPoint Entro |
| Authentication | Personal Access Token (PAT) |
| Permissions | Read access to spaces, pages, comments, and attachments |
Managing Findings
Once the scan completes, detected secrets appear in the Findings dashboard in SailPoint Entro.
Each finding includes:
-
Page title and space key
-
Secret type and exposure level
-
Direct link to the affected Confluence page
You can:
-
Assign findings to team members
-
Sync or create Jira tickets for remediation
-
Mark verified false positives as Resolved
Generic vs Exposed Secrets
| Type | Definition | Example |
|---|---|---|
| Generic Secret | Potential secret identified by pattern or entropy. | abcdef12345 |
| Exposed Secret | Verified credential exposed in accessible content. | AWS_SECRET_ACCESS_KEY=ABC123... |
SailPoint Entro differentiates these states to reduce false positives and prioritize actionable findings.
Data Privacy & Security
SailPoint Entro never stores raw Confluence content. Only metadata and secret findings are retained for analysis and audit purposes. All communication between your Worker and SailPoint Entro Cloud is encrypted (HTTPS/TLS).
- Compliance Alignment:
- SOC 2 Type II
- ISO 27001
- Principle of least privilege (read-only API access)