Security for Bitbucket Adds Dynamic Reports

Mohammed Davoodi
Mohammed Davoodi
May 10, 2023
July 29, 2020
Don't Be the Next Headline.
Download the free ebook and see proven strategies to prevent a data breach from real-world examples.
Graphic of the scanning app

Bitbucket users world-wide have a newly enhanced weapon against security vulnerabilities in their source repositories.

We just released a new enhanced reporting feature in Security for Bitbucket (SFB) — Security Scan Report.

The Security Scan Report allows global administrators to view vulnerabilities across all Bitbucket projects, repositories and branches. Starting from a high-level project overview, users can drill down selectively into repository level and branch level to assess securities risks in source code.

Secure tokens, passwords, and keys can all too easily find their way into commits. Worse, it’s a risk that’s not easily tracked all too frequently overlooked. Security for Bitbucket helps find and prevent high-risk commits that contain potentially sensitive access keys, tokens, and passwords. The Security Scan Report helps visualize the risks.

The new reports are highly visual and interactive, making it simple for users to drill down to entities that contain sensitive data.

Granular Insights

Reports show the status of each level in source control hierarchy to granular detail. Color-coded visualization helps admins spot problematic elements at a glance, with these statuses:

     
  • Secure: Repository is considered secure.
    •  
  • Vulnerable: Vulnerabilities found in at least one branch of the repository.
    •  
  • Not Scanned: Repository has not been scanned.
    •  
  • Partially Scanned: Some branches were scanned and secure, but some branches have yet to be scanned.
    •  
  • Outdated: All repository branches were scanned, but new commits have been made so the results are considered outdated.

Those status codes are available in every level, from global, to project, repository, and branch. SFB can also intercept high-risk commits before they are completed, in addition to analyzing legacy code that has already been pushed.

Built-in Rules

Right out of the box, baked in rules (secure key patterns) can immediately identify public keys, private keys, passwords, AWS keys, SSH keys and many more. While the plugin natively supports over 30 secure key patterns, users can easily add their own definitions and rules, then apply them either globally or just to specific repositories.

Full Product Feature Highlights

The Security Scan Report is supported by SFB’s underlying, field-proven feature set.

     
  • Intercept risky commits: Pre-receive hook to reject dangerous pushes.
    •  
  • Comprehensive scan of legacy code: Repository scanning to analyze previously committed code.
    •  
  • Unique rules for every level: Hook can be enabled per repository, per project, or globally.
    •  
  • Built-in rules: for many common vulnerabilities, such as ssh keys and API tokens.
    •  
  • Custom rules: Define your own custom scanning rules, globally or on a per-repository level.

More Information

Security for Bitbucket is already widely used and has an established track record of spotting vulnerabilities buried deep in source code that can easily be missed. See some additional examples on our documentation site:

Try it free right now

You can find Security for Bitbucket on the Atlassian Marketplace.

Your Bitbucket administrator can start plugin installation with a single mouse click and you can experience the benefits of Security for Bitbucket yourself, and stop worrying about lurking vulnerabilities in your source code.

     
  1. Log into your Bitbucket instance as an admin and choose Add-ons, or go to the Atlassian Marketplace.
    2.  
  2. Locate Security for Bitbucket and click Try it free.
    3.  
  3. You’re all set! Click Close in the Installed and ready to go dialog.

Security for Bitbucket supports server, and data center deployments.