Skip to content

Confluence Server - On-Premise

The Confluence Server (On-Prem) integration allows SailPoint Entro to automatically detect exposed secrets in your Confluence instance - including page content, comments, and attachments — while ensuring that no raw data ever leaves your environment.


Overview

SailPoint Entro connects securely to your on-prem Confluence instance through a local Worker (connector). All API interactions and scans occur locally, and only metadata and findings are sent securely to SailPoint Entro’s cloud dashboard.

Architecture Diagram

Entro Security Cloud
   ↕ (Secure connection via On-Prem Worker)
Confluence Server (On-Prem)

What Is Scanned

SailPoint Entro scans for secrets across the following Confluence components:

  • Pages

    • Full page body (plain text and wiki storage formats)

    • Titles and metadata

  • Comments

    • Page-level and inline comments
  • Attachments

    • Supported text-based file formats:

      • .txt, .log, .json, .yaml, .yml, .xml, .ini, .csv, .config, .properties
    • Maximum file size: 10 MB

  • Metadata

    • Page ID, space key, creator, and modification timestamps

Note

Detection Engine: SailPoint Entro uses contextual scanning and entropy-based algorithms to detect API keys, credentials, tokens, and misconfigured secrets.


What Is Not Scanned

For performance and privacy reasons, the following are excluded from scanning:

  • Deleted or archived spaces and pages

  • Historical page versions (only latest version is scanned)

  • Encrypted or binary attachments (e.g., .zip, .jpg, .pdf)

  • Audit logs, templates, or macros

  • Marketplace app data and third-party plugin storage

These exclusions are intentional to maintain data integrity and minimize API load.


Installation & Configuration

Follow these steps to connect your Confluence Server to SailPoint Entro.

Prerequisites

  • Confluence Server v7.0 or later

  • REST API enabled (/wiki/rest/api/)

  • Access to your on-prem Worker Group (Connector)

  • A dedicated integration user with the following permissions:

    • View Pages

    • View Comments

    • View Attachments

  • A Personal Access Token (PAT) generated for the integration user


Configure the Integration in SailPoint Entro

  1. Connect integration

    In SailPoint Entro → Integrations → Atlassian → Confluence Server, click Connect.

  2. Enter configuration details

    Provide the following:

    • Base URL: e.g.,
    https://confluence.internal.company.com
    
    • Access Token: The token created for the integration user

    • Worker Group (Connector): Select your on-prem Worker

  3. Test and save

    Test the connection and click Save.


Initial Scan

After connecting, initiate your first scan manually or set an automatic schedule.

  • Scans run through the on-prem Worker using Confluence’s REST API.

  • Raw data and attachments remain inside your infrastructure.


System Requirements

Component Requirement
Confluence Version 7.0+
API Access REST API enabled
Network Outbound HTTPS (443) access from Worker to SailPoint Entro
Authentication Personal Access Token (PAT)
Permissions Read access to spaces, pages, comments, and attachments

Managing Findings

Once the scan completes, detected secrets appear in the Findings dashboard in SailPoint Entro.

Each finding includes:

  • Page title and space key

  • Secret type and exposure level

  • Direct link to the affected Confluence page

You can:

  • Assign findings to team members

  • Sync or create Jira tickets for remediation

  • Mark verified false positives as Resolved


Generic vs Exposed Secrets

Type Definition Example
Generic Secret Potential secret identified by pattern or entropy. abcdef12345
Exposed Secret Verified credential exposed in accessible content. AWS_SECRET_ACCESS_KEY=ABC123...

SailPoint Entro differentiates these states to reduce false positives and prioritize actionable findings.


Data Privacy & Security

SailPoint Entro never stores raw Confluence content. Only metadata and secret findings are retained for analysis and audit purposes. All communication between your Worker and SailPoint Entro Cloud is encrypted (HTTPS/TLS).

  • Compliance Alignment:
    • SOC 2 Type II
    • ISO 27001
    • Principle of least privilege (read-only API access)