Exporting a report for external use
For offline viewing and processing of security findings generated by Security for Bitbucket, you can export them to a csv
file. This file will contain the following columns, most of which are self-explanatory:
Project
Repository
Branch
Commit
File
Line number
Match text: The exact match text of the finding. This can be used to review the finding; see Hiding false positives, revoked credentials, etc..
Rule
Allowlisted
Reviewed: see Hiding false positives, revoked credentials, etc.
Globally reviewed: see Hiding false positives, revoked credentials, etc.
Scan date: Date the finding was scanned, in ISO8601 format and UTC timezone.
Full text: The complete text of the line, or, if it is too long, then only the specific text that triggered the finding.
If the “Include full finding text in exported reports” setting is disabled, the file will contain the following columns:
Project
Repository
Branch
Commit
File
Line number
URL: A link to the code location of the finding in Bitbucket.
Rule
Allowlisted
Reviewed: see Hiding false positives, revoked credentials, etc.
Globally reviewed: see Hiding false positives, revoked credentials, etc.
Scan date: Date the finding was scanned, in ISO8601 format and UTC timezone.
Line offset start: The offset of where the finding begins in the line. Will never be empty. This allows you to derive the specific text of the finding if you have read access to the repository.
Line offset end: The offset of where the finding ends in the line. Will never be empty. This allows you to derive the specific text of the finding if you have read access to the repository.
You can export scan results using one of a few ways, each of which is described below.
Exporting a single branch via the Branch Security Analysis
To export the findings from a single branch, first navigate to the Security Analysis for the branch in question. Then click the Export button in the top right corner of the report:
Exporting from a Dashboard
From the Global, Project-level, and Repository-level Dashboards, there are two primary approaches to exporting scan findings.
Using the Dashboard’s Export Dropdown
An Export dropdown is visible in the upper-right of each dashboard. Depending on which dashboard and view level, the relevant option will appear as one of the following:
Repository Scan Results
Project Scan Results
All Scan Results (only available from the Global Dashboard)
One example is shown below:
When exporting a repository, the generated report will contain the results found in all branches of that repository.
When exporting a project, the generated report will contain the results found in all branches of all repositories of that project.
When exporting all projects, the generated report will contain all results found in all projects in the Bitbucket instance. The resulting zip
file will contain one csv
file per project. Any projects which have no scan findings are excluded.
Export All Scan Results can run for a long time. Cancelling the download while it is in process is not recommended.
Using the Actions menu
From any dashboard, navigate to the desired level view, click the Actions dropdown menu, and select the Export item as shown below:
Branches which point to the same commit: Note that when more than one branch points to the same git commit, only scan findings for the first branch, alphabetically, will be exported.
Exporting findings via a REST call
You may also use various REST calls to export findings of any given branch, repository, project, or the whole Bitbucket instance.
Redacting findings in exported reports
If you want to keep the full text of findings from appearing in exported reports, you can disable the Include full finding text in exported reports setting in the plugin settings page:
Disabling this option will remove the Text column from CSV exports, and will add a URL column that contains the URL location of the finding.