Security for Bitbucket contains a pre-receive hook, which scans incoming code before a push is accepted into Bitbucket. The Security Hook has two modes:

  • Default: Reject the push if any vulnerabilities are found

  • Warn-only: Print a message to the pusher notifying them of the scan failures, but allow the push to succeed.

The security hook can be enabled on the repository level, on the project level, or globally. The following table outlines whether or not the hook runs in each of these cases:

Repository Hook Toggle | Project Hook Toggle | Global Hook Toggle | Resulting Behavior
-----------------------|---------------------|--------------------|---------------------------------
ENABLED                | ENABLED             | ENABLED            | Hook ON (based on repo config)
ENABLED                | ENABLED             | DISABLED           | Hook ON (based on repo config)
ENABLED                | DISABLED            | ENABLED            | Hook ON (based on repo config)
ENABLED                | DISABLED            | DISABLED           | Hook ON (based on repo config)
INHERITED              | ENABLED             | ENABLED            | Hook ON (inherited from project)
INHERITED              | ENABLED             | DISABLED           | Hook ON (inherited from project)
INHERITED              | DISABLED            | ENABLED            | Hook ON (inherited from global)
INHERITED              | DISABLED            | DISABLED           | Hook OFF
DISABLED               | ENABLED             | ENABLED            | Hook OFF (based on repo config)
DISABLED               | ENABLED             | DISABLED           | Hook OFF (based on repo config)
DISABLED               | DISABLED            | ENABLED            | Hook OFF (based on repo config)
DISABLED               | DISABLED            | DISABLED           | Hook OFF (based on repo config)
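As an added example (not code from the product or from this page), the resolver below encodes the precedence in the table above and adds a small audit helper over a constructed repository inventory; function names and the inventory are assumptions made for this example. Note the seventh row: when the repository toggle is INHERITED, a project-level DISABLED does not switch off a globally enabled hook.

```python
"""Resolve the effective state of the Security for Bitbucket pre-receive hook.

Precedence as read off the table: an explicit repository toggle always wins;
when the repository toggle is INHERITED, the hook is ON if either the project
toggle or the global toggle is ENABLED. Names and data here are constructed
for this example and are not part of the product.
"""
from itertools import product

TOGGLES = ("ENABLED", "DISABLED")
REPO_TOGGLES = ("ENABLED", "INHERITED", "DISABLED")


def resolve_hook_state(repo: str, project: str, global_: str) -> str:
    """Return the 'Resulting Behavior' string for one row of the table."""
    if repo == "ENABLED":
        return "Hook ON (based on repo config)"
    if repo == "DISABLED":
        return "Hook OFF (based on repo config)"
    # repo == INHERITED: defer to the project, then to the global setting.
    if project == "ENABLED":
        return "Hook ON (inherited from project)"
    if global_ == "ENABLED":
        return "Hook ON (inherited from global)"
    return "Hook OFF"


def hook_runs(repo: str, project: str, global_: str) -> bool:
    """True when a push to this repository will be scanned."""
    return resolve_hook_state(repo, project, global_).startswith("Hook ON")


def audit_unprotected(repos: dict[str, tuple[str, str]], global_: str) -> list[str]:
    """Names of repositories whose pushes are NOT scanned under the given global toggle.

    `repos` maps repository name -> (repo toggle, project toggle); constructed input.
    """
    return sorted(name for name, (r, p) in repos.items() if not hook_runs(r, p, global_))


if __name__ == "__main__":
    # Print all 12 rows of the table as the resolver reproduces them.
    for repo, proj, glob in product(REPO_TOGGLES, TOGGLES, TOGGLES):
        print(f"{repo:9} {proj:8} {glob:8} -> {resolve_hook_state(repo, proj, glob)}")
    # Constructed inventory: the project-level hook is DISABLED everywhere, yet with
    # the global hook ENABLED only the repo that explicitly disabled it goes unscanned.
    inventory = {
        "payments-api": ("INHERITED", "DISABLED"),
        "legacy-tools": ("DISABLED", "DISABLED"),
        "infra-modules": ("ENABLED", "DISABLED"),
    }
    print("unscanned with global ENABLED:", audit_unprotected(inventory, "ENABLED"))
```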

Enabling the hook on the repository level

To enable the hook on a repository level, go to the desired repository, Settings → Hooks, and then enable the Reject Vulnerable Commits hook. A pop-up will prompt you to choose whether the hook runs in reject or warn-only mode.

Enabling the hook on the project level

To enable the hook on a project level (which is useful for blocking vulnerabilities in newly created repositories), go to the desired project, Settings → Hooks, and then enable the Reject Vulnerable Commits hook. A pop-up will prompt you to choose whether the hook runs in reject or warn-only mode.

Enabling the hook globally

To enable the hook globally, have your Bitbucket administrator go to Administration → Security for Bitbucket Settings and then change the Global hook drop-down option.

Example of a blocked push