Skip to main content

Jira and Confluence Governance

Ticket hygiene, epic structure, and documentation ownership for platform and security teams.


Jira and Confluence Governance

Scattered tickets and stale wiki pages slow every incident. This guide defines minimum viable governance for DevSecOps squads.


Jira structure

LevelUse forExample
EpicQuarter-level outcome"SOC 2 pipeline evidence automation"
StoryShippable user/platform value"Fail build on critical SCA findings"
TaskTechnical sub-step"Add Trivy stage to GitHub Actions"
BugProduction or pipeline defect"Staging deploy skips scan on hotfix branch"

Definition of ready (story)

  • Acceptance criteria in Given/When/Then form
  • Link to RFC or threat note if security-impacting
  • Owner and target sprint

Definition of done

  • Merged to default branch with pipeline green
  • Runbook or Confluence page updated if operator-facing
  • No secrets in ticket comments or attachments

Board hygiene

  1. WIP limits cap "In Progress" per engineer (typically 2).
  2. Stale sweep weekly: close or re-prioritize items idle 14+ days.
  3. Labels security, platform, compliance, debt for filtering.
  4. Link commits branch PROJ-123-short-desc maps to traceability audits.

Confluence ownership

SpaceOwnerReview cadence
RunbooksOn-call rotation leadAfter every SEV-1/2
ArchitectureStaff engineerQuarterly
OnboardingEM or tech leadWhen toolchain changes
Compliance evidenceSecurity championPer audit window

Page template (runbook)

  1. Service overview & dependencies
  2. Dashboards and alerts
  3. Common failures + fix steps
  4. Escalation path
  5. Last game day date

Anti-patterns

TrapFix
Epic = bucket with 40 storiesSplit by measurable outcome
Confluence duplicate of git READMESingle source in git; Confluence links out
Security work only in SlackCreate ticket within 24h for audit trail

Related