Defining Global Custom Detection Rules
Please make sure the rules you add aren’t too broad, as they can impact the performance of Bitbucket.
Security for Bitbucket allows for creation of custom scanning rules using regular expressions. The rules can only be created, enabled or disabled by Bitbucket Administrators or anyone that's been granted explicit access.
To create a rule, go to Administration → Security for Bitbucket Server → Security Validation Rules → Custom Rules. Alternatively, you may reach the configuration by clicking the gear icon on the Security Scan Report:
Global custom rules in the Security For Bitbucket settings.
Our application uses the built-in JDK java regex library (Java 8), which you can compare to other regex engines here.
If a secret on a single line matches more than one rule (built-in, custom, or a per-repository rule), only the first match will be reported.
Here are some example rules:
Bitcoin Address
^[13][a-km-zA-HJ-NP-Z0-9]{26,33}$ Youtube Links
<a\s+(?:[^>]*)href=\"((?:https|http):\/\/\w{0,3}.youtube+\.\w{2,3}\/watch\?v=[\w-]{11})">(?:.*?)<\/a>