The Security Scan Report allows users to view scan report results of all Bitbucket projects, repositories, and branches, starting from a high-level project overview which can be broken down into a per-repository and then a per-branch basis. This page is available for global administrators and anyone given explicit permission. It can be accessed from Bitbucket’s Administration page:

or from the main Bitbucket toolbar:

Statuses

You can get status from the project level, down through the repository and branch level. Some of these stats (like number of outdated repositories) are updated with each commit, so if you disable the plugin, they may become outdated.

Top level

By default, a list of regular projects is displayed, but you can show all projects or just the personal projects by using the Project type dropdown.

The project status bar breaks down the status of each repository in that project, which in turn is tied to the status of each branch. Each color represents the following:

  • Secure: Repository is considered secure – all branches have been scanned for vulnerabilities and none were found.

  • Vulnerable: Vulnerabilities found in at least one branch of a repository.

  • Not Scanned: Repository has not been scanned.

  • Partially Scanned: Some branches were scanned and secure, but not every branch has been scanned in a repository.

  • Outdated: All repository branches were scanned, but either new commits have been made, or scanning configuration has changed, so the results are considered outdated for at least one branch.

Hovering over a project’s status bar will show you the number of repositories in each status:

Further, you can click any project name to drill down into into details at the project level.

Project level

At the project level, statuses for each repository in the project are shown.

Each repository status bar breaks down the overall status of the corresponding repository. This overall status is comprised of the individual statuses of each branch in that repository. Hovering over this bar will show you the exact breakdown, with each color representing the following:

  • Secure: Branch is considered secure – all of the latest changes have been scanned for vulnerabilities and none were found.

  • Vulnerable: Vulnerabilities have been found in the branch.

  • Not Scanned: Branch has not been scanned.

  • Outdated: Branch was scanned before, but either new commits were made or scan configuration changed after the last scan was performed, so its security status is outdated.

Further, you can click any repository name to drill down into details at the repository level.

Repository level

At the repository level, statuses for each branch in the repository are shown.

If a branch has been scanned before, you can expand it to see the following scan details:

  • Last commit: When the last commit was made to the branch.

  • Last scan started: When the branch was last scanned.

  • Last scan duration: How long it took for the last scan to take place.

The Scan Status column has the following potential values:

  • Not Scanned: The branch hasn’t ever been scanned, security status is unknown.

  • Queued: The scan is scheduled, but has not started yet.

  • Scanning: The scan is in progress.

  • Up To Date: The latest version of code has been successfully scanned.

  • Scanned X Commits Ago: Scanned, but new changes were made after, so scan results are outdated.

  • Settings Changed: Scanned, but afterward, the scan become outdated because at least one of the following happened:

    • changes were made to soteri-security.yml on the default branch,

    • a built-in rule was toggled, or

    • a custom rule was toggled or edited.

  • Cancelled: Scan was started and then cancelled by user.

  • Internal Error: Some error was occurred during last scan; see the Bitbucket log for details. If necessary, contact our support team by opening a support ticket in our support portal.

Clicking on the number of vulnerabilities found for a given branch (or the gray hyphen if the branch has yet to be scanned) will take you to its Branch Scan Report.

Sorting results

In each of the top level, project level, and repository level scan reports, the rows can be sorted both by name (in the normal alphabetic order) and by the number of vulnerabilities found (from most to least).

To sort by name, simply click on the Project, Repository, or Branch column header as appropriate. To sort by the number of vulnerabilities, click on the Vulnerabilities Found column header.

Bulk scanning

You can trigger a scan of any branch, repository, or project in many ways. One way is by clicking on the Actions menu on the edge of a table row, which will reveal two options:

  • Scan: schedule scanning of each branch which has not been scanned, has further commits since last scan, or has been outdated by settings changes since last scan, and

  • Rescan: force rescan of all existing branches.

If you trigger a rescan on a repository, all existing branches of the selected repository will be scheduled for rescan. For a project, all branches of all repositories of that project will be scanned.

Alternately, at the top level, you can use the Scan Whole Instance button visible in the upper-right of the page to trigger scans for each project in your Bitbucket instance. (Triggering a full Bitbucket rescan can also be accomplished with a REST call.)

At the Project level, you can use the Scan All button to trigger scans for each repository in that project. If you’ve filtered the repositories via the Visibility dropdown and/or by name, this button will change to Scan Selected, which will trigger scans for only those repositories matching the criteria.

At the Repository level, you can also use the Scan All button to trigger scans for each branch in that repository. If you’ve filtered the branches by name, this button will change to Scan Selected, which will trigger scans for only those branches matching the criterion.

You can monitor the progress of all scheduled scans using the Scan Queue dropdown, discussed next.

Scan Queue

In the upper-right of each Security Scan Report page, there is a drop down menu with the list of active scans. This gives an overview of running and scheduled scans for all projects / repositories / branches.

By clicking on a scan link (displayed in the format ProjectName / RepositoryName : BranchName), you can open its Branch Scan Report.

Item tooltips show how long ago each scan was added / started. You can cancel any scheduled or running scan from this list one by one, or reset them all with one button click.

Performance Information

For more information on scanning performance, see Scan Performance Tuning.