Exporting a Security Scan Report for External Use

For offline viewing and processing of security findings generated by Security for Bitbucket, you can export them to a csv file. This file will contain the following columns, most of which are self-explanatory:

1. Project

2. Repository

3. Branch

4. Commit

5. File

6. Line number

7. Text: The complete text of the line, or, if it is too long, then only the specific text that triggered the finding (see “Line offset start” and “Line offset end” below).

8. Rule

9. Allowlisted

10. Reviewed

11. Line offset start: The offset of where the finding begins in the “Text” column. Can be empty if the line was too long and “Text” only contains the specific text of the finding.

12. Line offset end: The offset of where the finding ends in the “Text” column. Can be empty if the line was too long and “Text” only contains the specific text of the finding.

If the “Include full finding text in exported reports” setting is disabled, the file will contain the following columns:

1. Project

2. Repository

3. Branch

4. Commit

5. File

6. Line number

7. URL: A link to the code location of the finding in Bitbucket.

8. Rule

9. Allowlisted

10. Reviewed

11. Line offset start: The offset of where the finding begins in the line. Will never be empty. This allows you to derive the specific text of the finding if you have read access to the repository.

12. Line offset end: The offset of where the finding ends in the line. Will never be empty. This allows you to derive the specific text of the finding if you have read access to the repository.

You can export scan results using one of a few ways, each of which is described below.

Exporting a single branch via the Branch Scan Report

To export the findings from a single branch, first navigate to the Branch Scan Report for the branch in question. Then click the Export button in the top right corner of the report:

Exporting from a Dashboard

From the Global, Project-level, and Repository-level Dashboards, there are two primary approaches to exporting scan findings.

Using the Dashboard’s Export Dropdown

An Export dropdown is visible in the upper-right of each dashboard. Depending on which dashboard and view level, the relevant option will appear as one of the following:

• Repository Scan Results

• Project Scan Results

• All Scan Results (only available from the Global Dashboard)

One example is shown below:

When exporting a repository, the generated report will contain the results found in all branches of that repository.

When exporting a project, the generated report will contain the results found in all branches of all repositories of that project.

When exporting all projects, the generated report will contain all results found in all projects in the Bitbucket instance. The resulting zip file will contain one csv file per project.

Export All Scan Results can put a strain on Bitbucket resources if there are a lot of results. Consequently, a dialog box will pop up to confirm that you wish to perform this action.

Using the Actions menu

From any dashboard, navigate to the desired level view, click the Actions dropdown menu, and select the Export item as shown below:

Exporting findings via a REST call

You may also use various REST calls to export findings of any given branch, repository, project, or the whole Bitbucket instance.

Redacting findings in exported reports

If you want to keep the full text of findings from appearing in exported reports, you can disable the Include full finding text in exported reports setting in the plugin settings page:

Disabling this option will remove the Text column from CSV exports, and will add a URL column that contains the URL location of the finding.