With Security for Bitbucket, you can disable a security rule if it doesn’t fit the needs of your organization. Rules can only be enabled and disabled by Bitbucket administrators or by anyone who has been granted explicit access.
To configure scanning rules, open the settings page. The built-in rules area appears near the bottom of the page.
If a scan with no findings has been completed prior to toggling a rule, that scan will have a status of “settings changed” and be counted as “outdated” in repository and project statistics.
You can use the Audit Log to audit who changed rules and when. For more information, see Viewing Audited Events.