All secrets detected by a security scan should be considered compromised. Once a secret is committed, it is indexed by Bitbucket, and anyone with read access to the repository, project, or the whole Bitbucket instance could have obtained a copy. Scrubbing the secret from git history alone does not sufficiently remediate the risk.

Soteri recommends that you:

  • Change the secret.

    • If a password is found, change it.

    • If an access token is found, generate a new access token and update your services to use the new token. Once all your services have been updated, revoke the old token.

  • Delete the secret from code. Leaving secrets in code, revoked or not, signals to contributors that committing secrets is acceptable.

  • Enable Security For Bitbucket’s pre-commit hook. This is the best way to ensure that secrets don’t end up in Bitbucket again.