Bitbucket
Overview
Visualize and analyze Bitbucket resources, including repositories, pipelines, branches, and pull requests. Monitor resource visibility, governance, and secure access management. Automate workflows and track code quality across repositories and pipelines. Identify and mitigate vulnerabilities to ensure the integrity and security of your Bitbucket environment.
Configurations
| Configuration | Description |
|---|---|
| Blueprint Account Name | A human-readable name for your account that will be used to identify this account across the application. |
| Workspace Access Token | Bitbucket Workspace Access Token with the necessary permissions. |
| Workspace Name | Workspace Identifier. You can quickly identify your workspace ID by checking the URL (https://bitbucket.org/<workspace_id>) you use to access your workspace. |
| Data Crawl Frequency | The frequency at which Kscope will crawl the account for resources. |
| Event Crawl Frequency | The frequency at which Kscope will crawl the account for events. |
| Resource Selection | Selectively include or exclude certain resources, such as repositories, based on their type. |
Permissions
The Bitbucket blueprint requires an App Password, which you can create by clicking here. Give the app password a descriptive name and select the required permissions listed below.
Required Permissions:
- Data Crawl: repository:read, project:read, account:read
- Secret Scan: repository:read
- Remediation: repository:read, repository:write, pullrequest:read, pullrequest:write
Permission Details:
| Permission | Why it's needed |
|---|---|
| account:read | Access basic account information and user details |
| repository:read | Read repository content, metadata, branches, and pull requests |
| repository:write | Create branches and push commits for remediation pull requests |
| project:read | Access project information and organization structure |
| pullrequest:read | Read pull request information |
| pullrequest:write | Create pull requests for remediation actions |
For more information about Bitbucket permissions, refer to the official documentation: Bitbucket Permissions Documentation
Remediation
The Bitbucket blueprint supports automated remediation through pull request creation. This provides a human-in-the-loop workflow where changes are proposed via PRs that must be reviewed and merged manually.
Supported Remediation Types
| Type | Description |
|---|---|
| fix-secrets | Remove hardcoded secrets and replace them with environment variable references |
| update-dependency | Update package versions in dependency files to address vulnerabilities |
| add-security-policy | Add security policy files (SECURITY.md, CODEOWNERS, etc.) |
How It Works
- Detection: Kscope identifies security issues during data crawls (hardcoded secrets, vulnerable dependencies, missing policies)
- Remediation Request: A remediation action is triggered with the appropriate fix
- Pull Request Creation: The system creates a branch and opens a pull request with the proposed changes
- Human Review: A team member reviews the PR to verify the changes are correct
- Merge: The PR is merged to apply the fix
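The following is an added example, not Kscope's own code, showing what a minimal fix-secrets remediation following the steps above looks like end to end: detect hardcoded secrets in a file, rewrite them to environment-variable references, then prepare the Bitbucket Cloud REST calls that create a branch, commit the change to it and open the pull request for human review. The endpoint paths are the public Bitbucket Cloud 2.0 API (refs/branches, src, pullrequests); the HTTP transport is injected so the example runs offline, and the workspace, repository, branch names, commit hash and sample source file are all constructed placeholders. The secret pattern is deliberately simple; the blueprint's own scanner (Gitleaks) uses far richer rules.

```python
import re
from typing import Callable

# Constructed sample file containing one hardcoded secret (line 3).
SAMPLE_SOURCE = '''\
import requests

API_KEY = "sk_live_1234567890abcdef"
TIMEOUT = 30

def fetch():
    return requests.get("https://example.invalid", headers={"X-Key": API_KEY}, timeout=TIMEOUT)
'''

# Matches `NAME = "literal"` where NAME ends in KEY/TOKEN/SECRET/PASSWORD and the
# literal is at least 8 characters. Illustrative only, not Gitleaks' rule set.
SECRET_ASSIGNMENT = re.compile(
    r'^(?P<indent>[ \t]*)(?P<name>[A-Za-z_][A-Za-z0-9_]*(?:KEY|TOKEN|SECRET|PASSWORD))'
    r'[ \t]*=[ \t]*(?P<quote>["\'])(?P<value>[^"\'\n]{8,})(?P=quote)[ \t]*$',
    re.IGNORECASE | re.MULTILINE,
)

BITBUCKET_API = "https://api.bitbucket.org/2.0"  # public Bitbucket Cloud API base


def find_hardcoded_secrets(source: str) -> list[dict]:
    """Detection step: return one finding per hardcoded secret assignment."""
    findings = []
    for m in SECRET_ASSIGNMENT.finditer(source):
        line_no = source.count("\n", 0, m.start()) + 1
        findings.append({"line": line_no, "name": m.group("name"), "value": m.group("value")})
    return findings


def rewrite_secrets(source: str) -> tuple[str, list[dict]]:
    """Fix step: replace each literal with os.environ["NAME"] and ensure `import os`."""
    findings = find_hardcoded_secrets(source)
    if not findings:
        return source, []

    def repl(m: re.Match) -> str:
        return f'{m.group("indent")}{m.group("name")} = os.environ["{m.group("name").upper()}"]'

    fixed = SECRET_ASSIGNMENT.sub(repl, source)
    if not re.search(r"^import os\b", fixed, re.MULTILINE):
        fixed = "import os\n" + fixed
    return fixed, findings


def open_remediation_pr(post: Callable[[str, dict], dict], workspace: str, repo_slug: str,
                        base_branch: str, base_commit: str, branch_name: str,
                        path: str, content: str, findings: list[dict]) -> dict:
    """PR step: branch from the base commit, commit the fixed file, open the PR.

    `post(url, payload)` is the injected transport (an authenticated HTTP POST in
    real use). The PR description names the findings but never the secret values,
    so the leaked value is not copied into PR metadata.
    """
    repo = f"{BITBUCKET_API}/repositories/{workspace}/{repo_slug}"
    post(f"{repo}/refs/branches", {"name": branch_name, "target": {"hash": base_commit}})
    # The src endpoint takes form fields: branch, message, and one field per file path.
    post(f"{repo}/src", {"branch": branch_name,
                         "message": "fix-secrets: move hardcoded secrets to environment variables",
                         path: content})
    lines = [f"- {f['name']} (line {f['line']})" for f in findings]
    description = ("Replaced hardcoded secrets with environment-variable references:\n"
                   + "\n".join(lines)
                   + "\n\nSet these variables in the deployment environment and rotate the exposed values.")
    return post(f"{repo}/pullrequests", {
        "title": f"[kscope] fix-secrets in {path}",
        "description": description,
        "source": {"branch": {"name": branch_name}},
        "destination": {"branch": {"name": base_branch}},
        "close_source_branch": True,
    })


def demo() -> tuple[str, list[dict]]:
    """Run the whole flow offline with a transport that only records the calls."""
    calls: list[dict] = []

    def recording_post(url: str, payload: dict) -> dict:
        calls.append({"url": url, "payload": payload})
        return {"id": len(calls)}

    fixed, findings = rewrite_secrets(SAMPLE_SOURCE)
    open_remediation_pr(recording_post, workspace="example-workspace", repo_slug="example-repo",
                        base_branch="main", base_commit="<base-commit-hash>",
                        branch_name="kscope/fix-secrets", path="app/config.py",
                        content=fixed, findings=findings)
    return fixed, calls


if __name__ == "__main__":
    fixed_source, recorded = demo()
    print(fixed_source)
    for call in recorded:
        print(call["url"])
```

Nothing is merged by the script: the last call only opens the PR, so the reviewer on the destination branch still decides whether the rewrite is correct, and the original literal survives only in Git history, which is why the PR text also asks for rotation.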
Security Considerations
- All changes go through Pull Requests - no direct commits to protected branches
- Full audit trail through Git history
- Changes can be easily reverted if needed
- Human approval required before any changes are applied
SBOM Generation
The Bitbucket blueprint includes SBOM (Software Bill of Materials) generation for repositories. This provides comprehensive vulnerability scanning and dependency analysis for source code and applications.
For information about supported languages and package managers for SBOM generation, see: SBOM
Schema Model
| Resources | Source Entity | Normalized Entity | Description |
|---|---|---|---|
| Bitbucket | bitbucket | Service | Bitbucket Service |
| Workspace | bitbucket.workspace.Workspace | Workspace | Bitbucket Workspace |
| Project | bitbucket.project.Project | Project | Bitbucket Project |
| Projects | bitbucket.project.Projects | Project | Bitbucket Projects |
| User | bitbucket.user.User | User | Bitbucket User |
| Users | bitbucket.user.Users | User | Bitbucket Users |
| Repository | bitbucket.repository.Repository | Repository | Bitbucket Repository |
| Repositories | bitbucket.repository.Repositories | Repository | Bitbucket Repositories |
| Pipeline | bitbucket.repository.Pipeline | Pipeline | Bitbucket Pipeline |
| State | bitbucket.repository.State | State | Bitbucket State |
| Result | bitbucket.repository.Result | Result | Bitbucket Result |
| Target | bitbucket.repository.Target | Target | Bitbucket Target |
| PipelineStep | bitbucket.repository.PipelineStep | PipelineStep | Bitbucket Pipeline Step |
| Command | bitbucket.repository.Command | Command | Bitbucket Command |
| Finding | sca.secretscan.Finding | Vulnerability | Secret detected by Gitleaks |