/
Security App for Bitbucket || Existing App features

Security App for Bitbucket || Existing App features

Owned by Naveen Kumar C
Last updated: Nov 26, 2024
3 min read

Security for Bitbucket Data Center - Feature Documentation

Overview

Sensitive information such as API keys, passwords, private keys, and access credentials can inadvertently be committed to Git repositories. Bitbucket lacks a built-in mechanism to detect and block such commits, leaving organizations vulnerable to serious security risks. Malicious users or external attackers could exploit these vulnerabilities, leading to privilege escalation and compromising critical systems.

Security for Bitbucket Data Center bridges this gap by providing an integrated solution to detect, block, and manage sensitive information within repositories. It actively scans and secures repositories, protecting your development workflow from credential leaks.

Key Features

1. Pre-Receive Hook for Commit Blocking

  • Automatically scans all code during git push.

  • Blocks commits containing sensitive information, such as:

    • API keys.

    • SSH keys.

    • Private credentials.

  • Flexible options:

    • Block Mode: Prevents commits with flagged content.

    • Warn Mode: Allows commits but notifies the user and administrator of potential vulnerabilities.

2. Full-Content Scanning

  • Trigger scans for:

    • Individual repositories.

    • Entire projects.

    • The entire Bitbucket instance.

  • Analyze existing codebases for previously committed secrets.

  • Detailed reports highlight vulnerable content and provide remediation recommendations.

3. Built-In Detection Rules

  • Includes preconfigured rules for detecting commonly leaked sensitive data:

    • API tokens (e.g., AWS, Azure, Google Cloud).

    • SSH private keys.

    • Passwords.

    • Database connection strings.

  • Regular updates ensure protection against emerging threats.

4. Customizable Rules

  • Add custom scanning rules using regex patterns.

  • Enable or disable built-in rules globally or per repository.

  • Customize rules per project or repository to suit organizational needs.

5. Security Analysis Dashboard

  • Centralized dashboard to view and manage scan results:

    • Repository and project-level insights.

    • Detected vulnerabilities categorized by type and severity.

    • Detailed scan logs with timestamps.

  • Export findings for compliance or further analysis.

6. Reporting

  • Generate and download detailed reports of scan findings.

  • Document remediation actions for audit trails.

7. REST API for Scripting and Automation

Integration and Authentication

  • Integrates with Bitbucket Server or Data Center for automated security workflows.

  • Supports Basic HTTP Authentication for secure API access.

Pre-Receive Hook Management

  • For Repositories:

    • Enable/disable security hooks at the repository level to block or warn about vulnerable commits.

    • Reset settings to inherit project-level configurations.
      Example:

      curl -u admin -X PUT -H "Content-Type: application/json" \ --data '{"warnOnVulnerabilities":false}' \ https://{bitbucket.server}/rest/api/latest/projects/{projectKey}/repos/{repoSlug}/settings/hooks/com.mohami.bitbucket.security-for-bitbucket:credentials-validation-hook/enabled

       

  • For Projects:

    • Apply security hooks to all repositories in a project. Example:

      curl -u admin -X PUT -H "Content-Type: application/json" \ --data '{"warnOnVulnerabilities":false}' \ https://{bitbucket.server}/rest/api/latest/projects/{projectKey}/settings/hooks/com.mohami.bitbucket.security-for-bitbucket:credentials-validation-hook/enabled

       

Fetch Security Status

  • Retrieve scan results for:

    • Projects: View results for individual or multiple projects.
      Example:

      curl -u admin https://{bitbucket.server}/rest/security/latest/status/projects/{projectKey}

       

    • Repositories: Fetch scan details for one or more repositories within a project.
      Example:

       

    • Branches: View scan results for repository branches.
      Example:

Customizable Behavior

  • Adjust hook settings to block or warn about commits with vulnerabilities.

  • Manage scanning rules at repository or project levels.

8. Seamless Integration

  • Works seamlessly with Bitbucket Data Center.

  • Configurable globally, per project, or per repository.

  • Lightweight and efficient, ensuring minimal impact on performance.

Modes of Operation

1. Pre-Receive Hook

  • Scans all incoming commits before they are pushed to the repository.

  • Blocks commits containing sensitive information in Block Mode.

  • Notifies users of potential risks in Warn Mode.

2. Full-Content Scanning

  • Scans entire repositories for historical vulnerabilities.

  • Can be triggered at:

    • Repository level.

    • Project level.

    • Global (entire instance) level.

  • Produces detailed reports of identified secrets and vulnerabilities.

 

Supported Secrets and Keys

Security for Bitbucket detects a wide range of sensitive data, including but not limited to:

  • AWS and Azure API keys.

  • Google Cloud credentials.

  • SSH private keys.

  • Database connection strings.

  • OAuth tokens.

  • Passwords and login credentials.

Example of a blocked push

Opens image in full screenOpen