REST API for Mass Scanning
This documentation does not include all REST API endpoints. Please contact support if you need REST API access not documented here. All REST API endpoints are available in the REST API Browser.
Triggering a full Bitbucket rescan
You can schedule re-scan of all data on your Bitbucket with a single REST-call like this:
curl -u admin -X PUT "https://{bitbucket.server}/rest/security/latest/status/total_rescan?force=false{&email=admin@company.co}"
admin
is your Bitbucket admin user (you’ll be prompted for a password).This action requires either Bitbucket admin permissions or explicitly granted Security for Bitbucket permissions.
bitbucket.server
is URL of your Bitbucket serverforce
controls whether already scanned and up-to-date branches will be rescanned. Can betrue
orfalse
.email
is an optional parameter that may be specified multiple times. Once the scan is completed, an email notification will be sent to the specified email addresses.e.g.
email=admin1@company.co&email=admin2@company.co
You can monitor progress of scanning on the Security Scan Report page.
Please note that if you have a large Bitbucket instance, all existing branches in all projects and repositories will be scanned, which may be very resource-consumptive and may take a long time to complete.
Scanning a project
To scan all the branches of all the repositories in a project:
curl -u admin -X PUT "https://{bitbucket.server}/rest/security/latest/status/projects/{projectKey}?force=false{&email=admin@company.co}"
admin
is your Bitbucket admin user (you’ll be prompted for a password)This action requires project administrator permissions or higher (Bitbucket admin, explicitly granted Security for Bitbucket permissions).
bitbucket.server
is URL of your Bitbucket serverprojectKey
is the key of the project to be scannedforce
controls whether already scanned and up-to-date branches will be rescanned. Can betrue
orfalse
email
is an optional parameter that may be specified multiple times. Once the scan is completed, an email notification will be sent to the specified email addresses.e.g.
email=admin1@company.co&email=admin2@company.co
Scanning a repository
To scan all the branches of a single repository:
curl -u admin -X PUT "https://{bitbucket.server}/rest/security/latest/status/projects/{projectKey}/repos/{repoSlug}?force=false{&email=admin@company.co}"
admin
is your Bitbucket admin user (you’ll be prompted for a password)This action requires repository write permissions or higher.
bitbucket.server
is URL of your Bitbucket serverprojectKey
is the key of the project to be scannedrepoSlug
is the slug (identifier) of the repository to be scannedforce
controls whether already scanned and up-to-date branches will be rescanned. Can betrue
orfalse
email
is an optional parameter that may be specified multiple times. Once the scan is completed, an email notification will be sent to the specified email addresses.e.g.
email=admin1@company.co&email=admin2@company.co
Scanning a branch
To scan a single branch in a repository:
curl -u admin -X PUT "https://{bitbucket.server}/rest/security/latest/status/projects/{projectKey}/repos/{repoSlug}/branches?name={branch}&force=false{&email=admin@company.co}"
admin
is your Bitbucket admin user (you’ll be prompted for a password)This action requires repository write permissions or higher.
bitbucket.server
is URL of your Bitbucket serverprojectKey
is the key of the project to be scannedrepoSlug
is the slug (identifier) of the repository to be scannedbranch
is the name of the branch to be scanned.force
controls whether already scanned and up-to-date branches will be rescanned. Can betrue
orfalse
email
is an optional parameter that may be specified multiple times. Once the scan is completed, an email notification will be sent to the specified email addresses.e.g.
email=admin1@company.co&email=admin2@company.co
Parallel Scans
See Scan Performance Tuning for details on how to adjust scan performance settings, like the number of scans run in parallel.
Cancelling Scans
To cancel queued (not started) scans:
curl -u admin -X DELETE https://{bitbucket.server}/rest/security/latest/status/scheduled
To cancel started (currently scanning) scans:
curl -u admin -X DELETE https://{bitbucket.server}/rest/security/latest/status/running
Exporting detected vulnerabilities
To export the full list of detected vulnerabilities from all projects, repositories and branches use the following command:
curl -u admin -o report.zip https://{bitbucket.server}/rest/security/latest/export-report?confirmExpensiveOperation=true
It will save vulnerabilities into report.zip
file in a working directory. Note, that this may be very time and resource consumptive if you have many repositories or many detected vulnerabilities, so Bitbucket performance can be affected significantly.
To export vulnerabilities only for a selected project / repository / branch, use these requests:
curl -u admin https://{bitbucket.server}/rest/security/latest/export-report/projects/<PROJECT_KEY>
curl -u admin https://{bitbucket.server}/rest/security/latest/export-report/projects/<PROJECT_KEY>/repos/<REPOSITORY_SLUG>
curl -u admin https://{bitbucket.server}/rest/security/latest/export-report/projects/<PROJECT_KEY>/repos/<REPOSITORY_SLUG>?branch=<BRANCH_NAME>