Exporting a report for external use

For offline viewing and processing of security findings generated by Security for Bitbucket, you can export them to a csv file. This file will contain the following columns, most of which are self-explanatory:

1. Project

2. Repository

3. Branch

4. Commit

5. File

6. Line number

7. Match text: The exact match text of the finding. This can be used to review the finding; see Hiding false positives, revoked credentials, etc..

8. Rule

9. Allowlisted

10. Reviewed: see Hiding false positives, revoked credentials, etc.

11. Globally reviewed: see Hiding false positives, revoked credentials, etc.

12. Full text: The complete text of the line, or, if it is too long, then only the specific text that triggered the finding.

If the “Include full finding text in exported reports” setting is disabled, the file will contain the following columns:

1. Project

2. Repository

3. Branch

4. Commit

5. File

6. Line number

7. URL: A link to the code location of the finding in Bitbucket.

8. Rule

9. Allowlisted

10. Reviewed: see Hiding false positives, revoked credentials, etc.

11. Globally reviewed: see Hiding false positives, revoked credentials, etc.

12. Line offset start: The offset of where the finding begins in the line. Will never be empty. This allows you to derive the specific text of the finding if you have read access to the repository.

13. Line offset end: The offset of where the finding ends in the line. Will never be empty. This allows you to derive the specific text of the finding if you have read access to the repository.

You can export scan results using one of a few ways, each of which is described below.

Exporting a single branch via the Branch Security Analysis

To export the findings from a single branch, first navigate to the Security Analysis for the branch in question. Then click the Export button in the top right corner of the report:

Exporting from a Dashboard

From the Global, Project-level, and Repository-level Dashboards, there are two primary approaches to exporting scan findings.

Using the Dashboard’s Export Dropdown

An Export dropdown is visible in the upper-right of each dashboard. Depending on which dashboard and view level, the relevant option will appear as one of the following:

• Repository Scan Results

• Project Scan Results

• All Scan Results (only available from the Global Dashboard)

One example is shown below:

When exporting a repository, the generated report will contain the results found in all branches of that repository.

When exporting a project, the generated report will contain the results found in all branches of all repositories of that project.

When exporting all projects, the generated report will contain all results found in all projects in the Bitbucket instance. The resulting zip file will contain one csv file per project.

Export All Scan Results can put a strain on Bitbucket resources if there are a lot of results. Consequently, a dialog box will pop up to confirm that you wish to perform this action.

Using the Actions menu

From any dashboard, navigate to the desired level view, click the Actions dropdown menu, and select the Export item as shown below:

Branches which point to the same commit: Note that when more than one branch points to the same git commit, only scan findings for the first branch, alphabetically, will be exported.

Exporting findings via a REST call

You may also use various REST calls to export findings of any given branch, repository, project, or the whole Bitbucket instance.

Redacting findings in exported reports

If you want to keep the full text of findings from appearing in exported reports, you can disable the Include full finding text in exported reports setting in the plugin settings page:

Disabling this option will remove the Text column from CSV exports, and will add a URL column that contains the URL location of the finding.