The Security Scan Report: Viewing Bitbucket's Overall Security Status
Bitbucket hosts thousands of repositories with numerous branches, each with the potential to contain vulnerabilities. The Security Scan Report provides a central security dashboard for Bitbucket administrators as well as any user who's been granted explicit access. Security scans can be performed on a per-branch basis from the scan page.
The Security Scan Report allows users to view scan report results of all Bitbucket projects, repositories and branches, starting from a high-level project overview which can be broken down into a per-repository and then per-branch basis. This page is available for global administrators and and anyone given explicit permission. It can be accessed from Bitbucket’s Administration page or from the main Bitbucket toolbar:
You can get status from the project level, down through the repository and branch level.
By default, list of regular projects is displayed, but you can show them all or filter personal projects only using the Project type filter.
The project status bar breaks down the status of each repository in Bitbucket, which is tied to the status of each branch. Hovering over this bar will show you the exact breakdown, with each color representing the following:
Secure: repository is considered secure (i.e. all branches have been scanned for vulnerabilities and none were found).
Vulnerable: Vulnerabilities found in at least one branch of the repository.
Not Scanned: Repository has not been scanned.
Partially Scanned: Some branches were scanned and secure, but every branch has yet to be scanned.
Outdated: All repository branches were scanned, but new commits have been made so the results are considered outdated.
Hovering over the status bar will show you the exact breakdown for each status:
Further, you can click any project name to drill down into into details at the repository level.
The repository status bar breaks down the overall status of the repository for the selected project. The overall status is tied to the individual status of each branch. Hovering over this bar will show you the exact breakdown, with each color representing the following:
Secure: Branch is considered secure (i.e. all latest changes have been scanned for vulnerabilities and none were found).
Vulnerable: Vulnerabilities found in the branch.
Not Scanned: Branch has not been scanned.
Outdated: The branch was scanned before, but new commits were made after the last scan was performed, so its security status is outdated (enabling the hook can fix this).
If branch has been scanned before, you can expand it to see the following scan details:
Last commit: When the last commit was made to the branch.
Last scan started: When the branch was last scanned.
Last scan duration: How long it took for the last scan to take place.
The Scan Status column has the following potential values:
Not Scanned: The branch hasn’t ever been scanned, security status is unknown.
Queued: The scan is scheduled, but has not started yet.
Scanning: The scan is in progress.
Up To Date: The latest version of code has been successfully scanned.
Scanned X Commits Ago: Scanned, but new changes were made after, so scan results are outdated.
Cancelled: Scan was started and then cancelled by user.
Internal Error: Some error was occurred during last scan, see Bitbucket log for details.
You can trigger scan of any branch, repository or project by clicking on the Actions menu on the edge of a table row. There are two options:
Scan outdated: schedule scanning of all unscanned branches, or branches that have advanced since last scan
Rescan all: force rescan of all existing branches
If you trigger rescan on a repository, all existing branches of the selected repository will be scheduled for rescan. For a project, all branches of all repositories of that project will be scanned. You can monitor the progress of the batch scan using the Scan Queue dropdown. You can also trigger a full Bitbucket rescan with a REST-call.
On the top-right you can find a drop down menu with the list of active scans. It gives an overview of running and scheduled scans for all projects / repositories / branches.
You can open detailed scan page by scan link, which is displayed in the following format:
ProjectName / RepositoryName : BranchName
Item tooltip shows how long ago scan was added / started. You can cancel any scheduled or running scan from this list one by one, or reset them all with one button click.
By default Security for Bitbucket runs 2 bulk scans simultaneously, all consequent scans will be added to a wait-queue. If you need you can customize maximum number of parallel scans using a REST-call.
When using Bitbucket Data Center, the repository scan is performed on a node, where you are served from, but the results on a Security Scan Report page are global / same for the whole cluster.
Some scan stats, like number of outdated repositories, are updated with each commit, so if you disable the plugin these stats may become outdated.
You can enable debug logging for a plugin to see the details of performed scans in Bitbucket's logs.