Bitbucket hosts thousands of repositories with numerous branches, each with the potential to contain vulnerabilities. The Security Scan Report provides a central security dashboard for Bitbucket administrators as well as any user who's been granted explicit access. Security scans can be performed on a per-branch basis from the scan page.

The Security Scan Report allows users to view scan report results of all Bitbucket projects, repositories and branches, starting from a high-level project overview which can be broken down into a per-repository and then per-branch basis. This page is available for global administrators and and anyone given explicit permission. It can be accessed from Bitbucket’s Administration page or from the main Bitbucket toolbar:

Statuses

You can get status from the project level, down through the repository and branch level. Some of these stats (like number of outdated repositories), are updated with each commit, so if you disable the plugin, they may become outdated.

Project level

By default, list of regular projects is displayed, but you can show them all or filter personal projects only using the Project type filter.

The project status bar breaks down the status of each repository in Bitbucket, which is tied to the status of each branch. Hovering over this bar will show you the exact breakdown, with each color representing the following:

  • Secure: repository is considered secure (i.e. all branches have been scanned for vulnerabilities and none were found).

  • Vulnerable: Vulnerabilities found in at least one branch of the repository.

  • Not Scanned: Repository has not been scanned.

  • Partially Scanned: Some branches were scanned and secure, but every branch has yet to be scanned.

  • Outdated: All repository branches were scanned, but either new commits have been made, or scanning configuration has changed, so the results are considered outdated.

Hovering over the status bar will show you the exact breakdown for each status:

Further, you can click any project name to drill down into into details at the repository level.

Repository level

The repository status bar breaks down the overall status of the repository for the selected project. The overall status is tied to the individual status of each branch. Hovering over this bar will show you the exact breakdown, with each color representing the following:

  • Secure: Branch is considered secure (i.e. all latest changes have been scanned for vulnerabilities and none were found).

  • Vulnerable: Vulnerabilities found in the branch.

  • Not Scanned: Branch has not been scanned.

  • Outdated: The branch was scanned before, but either new commits were made or scan configuration changed after the last scan was performed, so its security status is outdated.

Branch level

If branch has been scanned before, you can expand it to see the following scan details:

  • Last commit: When the last commit was made to the branch.

  • Last scan started: When the branch was last scanned.

  • Last scan duration: How long it took for the last scan to take place.

The Scan Status column has the following potential values:

  • Not Scanned: The branch hasn’t ever been scanned, security status is unknown.

  • Queued: The scan is scheduled, but has not started yet.

  • Scanning: The scan is in progress.

  • Up To Date: The latest version of code has been successfully scanned.

  • Scanned X Commits Ago: Scanned, but new changes were made after, so scan results are outdated.

  • Settings Changed: Scanned, but afterward, the scan becomes outdated because at least one of the following happened:

    • changes were made to soteri-security.yml on the default branch,

    • a built-in rule was toggled, or

    • a custom rule was toggled or its regexp was edited.

  • Cancelled: Scan was started and then cancelled by user.

  • Internal Error: Some error was occurred during last scan, see Bitbucket log for details. If necessary, contact our support team by opening a support ticket in our support portal.

Sorting results

In each of the project level, repository level, and branch level scan reports, the rows can be sorted both by name (in the normal alphabetic order) and by the number of vulnerabilities found (from most to least).

To sort by name, simply click on the Project, Repository, or Branch column header as appropriate. To sort by number of vulnerabilities, click on the Vulnerabilities Found column header.

Bulk scanning

You can trigger scan of any branch, repository or project by clicking on the Actions menu on the edge of a table row. There are two options:

  • Scan outdated: schedule scanning of all unscanned branches, or branches that have advanced since last scan

  • Rescan all: force rescan of all existing branches

If you trigger rescan on a repository, all existing branches of the selected repository will be scheduled for rescan. For a project, all branches of all repositories of that project will be scanned. You can monitor the progress of the batch scan using the Scan Queue dropdown. You can also trigger a full Bitbucket rescan with a REST call.

Scan Queue

On the top-right you can find a drop down menu with the list of active scans. It gives an overview of running and scheduled scans for all projects / repositories / branches.

You can open detailed scan page by scan link, which is displayed in the following format:
ProjectName / RepositoryName : BranchName

Item tooltip shows how long ago scan was added / started. You can cancel any scheduled or running scan from this list one by one, or reset them all with one button click.

Performance Information

For more information on scanning performance, see Scan Performance Tuning.