By default, Security for Bitbucket enforces the following permissions:
Bitbucket Administrators can configure Security for Bitbucket and access the global Security Scan Report.
Anyone with Repository Write access can access the Scan Report for that repository.
Project administrators may use the REST API to trigger scans for all repositories in a project, and fetch the results.
You may give additional users the ability to view the Security Scan Report and access Security for Bitbucket configuration. These users will also be able to trigger scans and view results for projects and repositories.
Even if a user is granted access to the global Security Scan Report, they will only see repositories for which they have Read permissions.
Administrators may grant access as follows:
Go to to Administration → Add-Ons → Security for Bitbucket Settings page.
Under Scan Page access add the user or group which you would like to gain access to the global settings and reports
The user or group will now be able to access the reports page as well as the Security for Bitbucket Settings page.