Skip to main content

SecurityScorecard

Visualize SecurityScorecard portfolios, monitored vendor companies, and active security findings, and monitor changes through queries and alerts.

Installation

To use this integration, you must have a SecurityScorecard account and an API token. SecurityScorecard recommends issuing the token to a Bot (service account) user so the credential is decoupled from any individual and does not expire when a person leaves the organization.

Configuration in SecurityScorecard

Creating a Bot user and generating an API token requires administrator permissions in SecurityScorecard. If you do not have administrator access, ask an administrator to complete these steps for you.

  1. Log in to the SecurityScorecard platform and open My Settings from your profile avatar.

  2. In Admin Settings, open the People Management tab and click Invite People.

  3. Provide a name for the new user and mark the account as a Bot. Bot accounts do not expire, which prevents integration outages caused by token rotation on a personal user.

  4. Choose an access level for the bot. Read Only is sufficient for this integration. Click Add User.

  5. From the new bot user's actions, select Create API token and click Confirm.

  6. Copy the generated API token and store it securely. The token is only displayed once.

note

If you prefer not to create a bot user, an administrator can also retrieve a personal API key from My Settings > API. API tokens do not expire and are nearly as powerful as passwords — store them only in secret managers and never in source code or shared channels.

Configuration in JupiterOne

To install the SecurityScorecard integration in JupiterOne, navigate to the Integrations tab in JupiterOne and select SecurityScorecard. Click New Instance to begin configuring your integration.

Creating an instance requires the following:

  • The Account Name used to identify the SecurityScorecard account in JupiterOne. Ingested entities will have this value stored in tag.AccountName when the AccountName toggle is enabled.

  • Description to assist in identifying the integration instance, if desired.

  • Polling Interval that you feel is sufficient for your monitoring needs. You may leave this as DISABLED and manually execute the integration.

  • Your SecurityScorecard API Key — the token generated in the previous section.

  • Issue Types — a comma-separated list of issue type slugs (for example, cookie_missing_http_only,patching_cadence_high) used to scope the findings the integration ingests. A maximum of 12 slugs is supported per instance. This value is required: the SecurityScorecard API returns an error when the issue_types filter is omitted. You can list available slugs via the SecurityScorecard Issue Types metadata endpoint.

  • Portfolio IDs (optional) — a comma-separated list of SecurityScorecard portfolio IDs to limit ingestion to specific portfolios. Leave empty to ingest all portfolios the API token can access.

  • Issue Severity Threshold (optional) — minimum severity of findings to ingest (for example, medium). Findings below the threshold are skipped.

Click Create once all values are provided to finalize the integration.

Next steps

Now that your integration instance has been configured, it will begin running on the polling interval you provided, populating data within JupiterOne. Continue on to our Instance management guide to learn more about working with and editing integration instances.