Access tokens
Use of Qwiet preZero's functionality requires you to possess the correct access token. The access tokens issued by Qwiet loosely fall into two categories:
- Tokens tied to a user: by default, Qwiet assigns each user an access token, whose value you can find in the dashboard under Account Settings. The specific permissions granted to the holder of such tokens depend on the role they've been assigned.
- Integration tokens: integration tokens are those that users can create to facilitate the integration of Qwiet preZero with another product (e.g., inclusion in a CI/CD pipeline, creating Jira issues populated with vulnerability information identified by Qwiet preZero, etc.). Qwiet allows users with sufficient privileges (typically org owners and super admins) to create such tokens.
Creating tokens
Tokens tied to a user are automatically created by Qwiet preZero whenever an org owner/super admin creates a user. The scopes that Qwiet assigns to that token depend on the role they've been assigned and are automatically updated if that role changes.
Org owners/super admins can create integration tokens and a general access token via the dashboard or the /tokens endpoints of the Qwiet API.
Token types
The following is a description of the specific token types available, which of the two categories they fall under, and when you should use the specific token type:
Token types | Usage |
---|---|
Personal access token | Automatically assigned to the user upon creation. Grants access to most Qwiet preZero functionality, though certain actions may be restricted depending on their assigned role (e.g., members may not be able to access as many of the API's endpoints as a power user) |
CI | Use for integrating Qwiet into your CI/CD systems (e.g., Jenkins, CircleCI). CI tokens are not tied to the user; the tokens are tied to the org used to issue them, so admin users can revoke them if necessary |
GitHub | Use for integrating Qwiet into your GitHub pull request workflow that leverages GitHub Actions |
Jira | Use for integrating Qwiet preZero with Jira; required by Qwiet's plugin |
Service token | Org owners can create service tokens used only to generate CI tokens for use in CI/CD pipelines. See the Creating service and CI tokens article for a walkthrough of this process |
Access token | Functionally the same as the personal access token, though it lacks the scopes needed to call the Qwiet API. It is generated by org owners using the Qwiet API (and can therefore be revoked independently of user management) |
Personal access tokens are automatically assigned to each Qwiet user. Access tokens are those generated by org owners via the API's /tokens endpoint.
Tokens and their permissions
Permission | Personal access | CI | GitHub | Jira integration | Access | Service |
---|---|---|---|---|---|---|
API | ✅ | | | | | |
Scans | ✅ | ✅ | ✅ | ✅ | | |
Check analysis | ✅ | ✅ | ✅ | ✅ | | |
Remediation | ✅ | ✅ | ✅ | ✅ | | |
Policies | ✅ | ✅ | ✅ | ✅ | | |
Jira integration | ✅ | | | | | |
Tokens with access to teams (e.g., a CI token with org-wide access) may add apps to those teams during analysis.