Branch Security Analysis

If a user can see a given repository in one of the three dashboards (Global, Project-level, or Repository-level), that user can scan any branch in that repository for vulnerabilities and view the details of those vulnerabilities via the Branch Security Analysis.

For example, an admin for Project 1 uses the Project-level Dashboard to see the status of each branch in the rep_1 repository:

[Screenshot: Project-level Dashboard showing the status of each branch in rep_1]

By clicking the number of findings for the master branch, as shown here:

[Screenshot: the findings count for the master branch]

this user can access the Security Analysis:

[Screenshot: Security Analysis for the master branch]

Here, we see three vulnerabilities. In each one, the specific text that matched the rule's regex is highlighted. The highlight covers the group 0 match, that is, the entire text matched by the regex rather than any individual capture group.

This user can use the branch selector dropdown in the upper-left to instead see the status of the new-feature branch:

[Screenshot: Security Analysis with the new-feature branch selected]

Since this branch hasn’t been scanned yet, there is no information to display. Pressing the Trigger Scan button as shown here:

[Screenshot: the Trigger Scan button]


will start the scan or, if Bitbucket already has multiple scans ongoing, schedule it. Results will start to populate as the app finds vulnerabilities in files within the branch:

[Screenshot: scan results populating for the new-feature branch]

The final results might look like the following:

[Screenshot: final scan results for the new-feature branch]

Results of a scan can also be filtered by the rule that generated each finding. Using the Filter By Rule dropdown in the upper-left, the admin can concentrate on one or more kinds of vulnerability:

[Screenshot: the Filter By Rule dropdown]
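
The following is an added example, not the app's own code. It shows why a highlight based on the group 0 match can cover more than the secret itself when a rule's regex includes surrounding context, and how findings can be narrowed by rule. The rule names, patterns and sample file content are constructed for illustration.

```python
import re

# Constructed rules: names and patterns are illustrative, not the app's rule set.
RULES = {
    "hardcoded-password": re.compile(
        r"password\s*=\s*[\"']([^\"']{8,})[\"']", re.I),
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Constructed sample file content.
SAMPLE = '''\
db_host = "localhost"
password = "hunter2-hunter2"
key_id = AKIAABCDEFGHIJKLMNOP
'''

def scan(text, rules=RULES):
    """Return one finding per regex match, recording the group 0 span."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in rules.items():
            for m in pattern.finditer(line):
                findings.append({
                    "rule": name,
                    "line": lineno,
                    "span": m.span(0),        # columns a viewer would highlight
                    "highlight": m.group(0),  # whole match, context included
                    "groups": m.groups(),     # capture groups, if the rule has any
                })
    return findings

def filter_by_rule(findings, selected):
    """Keep only findings produced by the selected rule names."""
    wanted = set(selected)
    return [f for f in findings if f["rule"] in wanted]

def render(line, span):
    """Mark the highlighted columns with >> << for a plain-text view."""
    start, end = span
    return f"{line[:start]}>>{line[start:end]}<<{line[end:]}"

if __name__ == "__main__":
    lines = SAMPLE.splitlines()
    for f in scan(SAMPLE):
        print(f["rule"], f["line"], render(lines[f["line"] - 1], f["span"]))
```

For the first constructed rule, group 0 spans the whole `password = "..."` assignment while capture group 1 holds only the value, so a rule author who wants a tight highlight should keep context out of the overall match.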