Why isn't Security for Bitbucket finding my passwords?
Generic password detection is turned off: If you're trying to have Security for Bitbucket detect a password like password="my password", it won't, because generic password detection is turned off by default. Please refer to the Enabling and Disabling Global Detection Rules page in the Security for Bitbucket documentation to learn how to enable generic password detection.
Scanning is turned off: Security for Bitbucket may not be scanning your code if the specific rule is turned off. The rule has to be enabled on a global, project, or repository level. Please refer to the Scanning Every Push with the Soteri - Scan Commits Security Hook section in the Security for Bitbucket documentation to learn how to enable scanning.
Using a fake key to test the application: Security for Bitbucket uses entropy filters to determine whether a key is fake. If you are using a fake key instead of a real one, it will not be detected. Please ensure that you are using actual keys in your code for them to be detected.
Key is in a screenshot: If your key is in a screenshot, it won't be detected as Security for Bitbucket doesn't support OCR scanning yet.
Lack of generic rules for certain patterns: Some users expect generic rules for patterns that Security for Bitbucket has no generic rule for. You can see the list of rules that Security for Bitbucket uses for scanning on the Built-In Scanning Rules page in the Security for Bitbucket documentation. You can learn how to define your own custom rules here.
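To illustrate the "fake key" item above, the following added example (not Soteri's code) shows how an entropy filter lets a placeholder value pass unflagged while a random-looking value of the same length is reported. The Shannon-entropy measure, the 3.0 bits-per-character threshold, the candidate regex and all sample values are assumptions constructed for this illustration; the page does not describe how the product's filter is implemented.

```python
import math
import re
from collections import Counter

# Assumed threshold for illustration only; not the product's documented value.
MIN_ENTROPY_BITS_PER_CHAR = 3.0

# Hypothetical candidate pattern: a quoted value of 16+ characters assigned
# to a name ending in key/token/secret.
CANDIDATE = re.compile(
    r"""(?i)(?:key|token|secret)\s*[=:]\s*["']([A-Za-z0-9+/_\-]{16,})["']"""
)

# Constructed sample input: two placeholder values and one random-looking value.
SAMPLE = '''\
api_key = "XXXXXXXXXXXXXXXXXXXXXXXX"
api_key = "abcabcabcabcabcabcabcabc"
api_key = "q7Zk2Lw9Xf4Tn8Rb3Vy6Hd1M"
'''


def shannon_entropy(value):
    """Return the Shannon entropy of value in bits per character."""
    if not value:
        return 0.0
    n = len(value)
    return sum(c / n * math.log2(n / c) for c in Counter(value).values())


def scan(text):
    """Return (line number, value, entropy, reported) for each candidate."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in CANDIDATE.finditer(line):
            value = match.group(1)
            entropy = shannon_entropy(value)
            reported = entropy >= MIN_ENTROPY_BITS_PER_CHAR
            findings.append((lineno, value, round(entropy, 2), reported))
    return findings


if __name__ == "__main__":
    for lineno, value, entropy, reported in scan(SAMPLE):
        verdict = "reported" if reported else "skipped as placeholder"
        print(f"line {lineno}: {value} entropy={entropy} -> {verdict}")
```

All three lines match the candidate pattern, so the pattern alone would flag them; only the entropy step separates the repeated-character and repeated-sequence placeholders from the value that looks like a real key.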