Overview

It's a significant risk in the software development environment – any user can check in sensitive information such as passwords, public keys, access keys, etc., in cleartext, right into a git repository.

Bitbucket doesn’t catch that. It has no built-in mechanism to detect and block a commit that contains sensitive credentials that could fall into the wrong hands; the typical developer workflows make this an all-too-easy omission even by well intentioned users.

This poses an enormous security risk as this information could be passwords for network devices, private keys, or even personal credentials for highly sensitive systems. This can lead to privilege escalation, either by malicious users who have network access to the Bitbucket server, or by an external attacker who has bridged perimeter security.

Our application integrates with Bitbucket to actively detect and block attempts to check in sensitive information, accidental or otherwise.

Modes of Operation

Security for Bitbucket scanning can be triggered two ways:

A pre-receive hook can scan all code being pushed into Bitbucket, as described here. Code with failures can be blocked or simply produce a warning.
Full-content scans can be triggered on a per-repository or global basis, and can produce reports which can be exported.

Scan customization

Security for Bitbucket scanning can be customized in a few different ways:

The built-in rules can be enabled or disabled globally
Custom regex rules can be added globally
Each repository can add its own custom rules, or disable global ones (if enabled by admin)
Allow-listing can be used to reduce false positives

Supported Secrets & Keys

List of current vulnerabilities that are detected by Security for Bitbucket.

Rule Name	Description
`AWS_CLIENT_ID`	AWS Identity and Access Management Client IDs uniquely reference users, access keys. These unique IDs can provide access to your AWS instance by allowing users to get keys.
`AWS_MWS_KEY`	AWS Marketplace Web Service API Keys allow programmatic interfaces to Amazon Seller stores.
`AWS_SECRET_ACCESS_KEY`	AWS Secret Access Keys allow for authenticated AWS CLI, SDK, and API access.
`AZURE_ACCESS_KEY`	Azure Access Keys provide access to all data stored in Microsoft Azure.
`DYNATRACE_CLIENT_SECRET`	Dynatrace Client Secrets allow for access to you Dynatrace instance API.
`EC_PRIVATE_KEY`	Elliptical Curve Private Keys - We detect many common SSH Private Key formats.
`FACEBOOK_CLIENT_ID`	Facebook Application IDs
`FACEBOOK_SECRET_KEY`	Facebook Application Secrets
`GENERIC_API_KEY`	Generic API Key - Contains logic to detect generic API Keys.
`GENERIC_PASSWORD`	Generic Passwords - Contains logic to detect generic passwords. Note that this rule may generate many false positives, and is disabled by default.
`GENERIC_SECRET`	Generic Secrets - Contains logic to detect generic secrets.
`GITHUB_KEY`	Github Authentication Tokens - This rule detects Github Authentication Tokens for personal use as well as for Github Application OAuth.
`GOOGLE_API_KEY`	Google API Keys
`GOOGLE_OAUTH`	Google OAuth URLs
`GOOGLE_OAUTH_ACCESS_TOKEN`	Google OAuth Tokens
`HEROKU_API_KEY`	Heroku API Keys
`LINKEDIN_CLIENT_ID`	LinkedIn Client IDs
`LINKEDIN_CLIENT_SECRET`	LinkedIn Client Secrets
`MAILCHIMP_API_KEY`	Mailchimp API Key
`MAILGUN_API_KEY`	Mailgun API Key
`PASSWORD_IN_URL`	Generic Password in URL - Contains logic to detect passwords embedded in URLs
`PAYPAL_BRAINTREE_ACCESS_TOKEN`	Paypal's Braintree Access Token
`PGP_PRIVATE_KEY`	PGP Private Keys
`PKCS8_PRIVATE_KEY`	PKSC8 Private Keys - We detect many common SSH Private Key formats.
`PYPI_UPLOAD_TOKEN`	Python Package Index (PyPI) Upload Tokens allow verified publishing of python package to the global repository.
`RSA_PRIVATE_KEY`	We detect many common SSH Private Key formats.
`SENDGRID_API_KEY`	Sendgrid API Keys
`SHOPIFY_PARTNER_API_ACCESS_TOKEN`	Shopify Partner API access Tokens provide access to the a given store's API.
`SHOPIFY_SECRETS`	Shopify API Secrets give access to all aspects of the general Shopify API – this rule contains logic to detect Shared Secrets and Access Tokens for regular, Custom, and Private applications.
`SLACK`	Slack API Tokens give access to various API features.
`SLACK_WEBHOOK`	Slack Webhooks are secret URLs which give similar access as API Tokens.
`SQUARE_ACCESS_TOKEN`	Square Access Tokens
`SQUARE_OAUTH_SECRET`	Square OAuth Secrets
`SSH_PRIVATE_KEY`	Generic SSH Private Key - We detect many common SSH Private Key formats.
`SSH_PUBLIC_KEY`	Public Key-half of key-based authentication. Weak public keys can be brute-force cracked by modern computers, and can represent equal vulnerability to the private-key half of the pair. Since properly-generated public keys are not a threat, this rule is disabled by default.
`STRIPE_API_KEY`	Stripe API Key
`TWILIO_ACCOUNT_ID`	Twilio Account ID - part of the Twilio API
`TWILIO_API_KEY`	Twilio API Key - part of the Twilio API
`TWITTER_CLIENT_ID`	Twitter Client ID
`TWITTER_SECRET_KEY`	Twitter Secret Key