Bitbucket hosts thousands of repositories with numerous branches, each with the potential to contain vulnerabilities. Security Scan Report provides a central security dashboard for Bitbucket server and data center administrators. Security scans are performed on a per-branch basis from the scan page.

The Security Scan Report allows administrators to view scan report results of all Bitbucket projects, repositories and branches, starting from a high-level project overview which can be broken down into a per repository and then per branch basis. This page is available for global admins only and can be accessed from Bitbucket’s Administration page:

Statuses

You can get status from the project level, down through the repository and branch level.

Project level

By default, list of regular projects is displayed, but you can show them all or filter personal projects only using Project type filter.

The project status bar breaks down the status of each repository in Bitbucket, which is tied to the status of each branch. Hovering over this bar will show you the exact breakdown, with each color representing the following:

  • Secure: repository is considered secure (i.e. all branches have been scanned for vulnerabilities and none were found).

  • Vulnerable: Vulnerabilities found in at least one branch of the repository.

  • Not Scanned: Repository has not been scanned.

  • Partially Scanned: Some branches were scanned and secure, but every branch has yet to be scanned.

  • Outdated: All repository branches were scanned, but new commits have been made so the results are considered outdated.

Hovering over the status bar will show you the exact breakdown for each status:

Further, you can click any project name to drill down into into details at the repository level.

Repository level

The repository status bar breaks down the overall status of the repository for the selected project. The overall status is tied to the individual status of each branch. Hovering over this bar will show you the exact breakdown, with each color representing the following:

  • Secure: Branch is considered secure (i.e. all latest changes have been scanned for vulnerabilities and none were found).

  • Vulnerable: Vulnerabilities found in the branch.

  • Not Scanned: Branch has not been scanned.

  • Outdated: The branch was scanned before, but new commits were made after the last scan was performed, so its security status is outdated (enabling the hook can fix this).

Branch level

If branch has been scanned before, you can expand it to see the following scan details:

  • Last commit: When the last commit was made to the branch.

  • Last scan started: When the branch was last scanned.

  • Last scan duration: How long it took for the last scan to take place.

The Scan Status column has the following potential values:

  • Not Scanned: The branch hasn’t ever been scanned, security status is unknown.

  • Queued: The scan is scheduled, but has not started yet.

  • Scanning: The scan is in progress.

  • Up To Date: The latest version of code has been successfully scanned.

  • Scanned X Commits Ago: Scanned, but new changes were made after, so scan results are outdated.

  • Cancelled: Scan was started and then cancelled by user.

  • Internal Error: Some error was occurred during last scan, see Bitbucket log for details.

Bulk scan

From Security Report page you can trigger scan of any branch, repository or project from Actions menu on the right of table rows, which includes 2 possible options:

  • Scan outdated: schedule scanning of selected row for all not-scanned and outdated branches

  • Rescan all: force rescan of all existing branches

If you click it on repository level, all existing branches of selected repository will be scheduled for rescan. In case of project, all branches of all repositories of that project will be scanned. You can monitor progress of batch scan using Scan Queue dropdown. You can also trigger full Bitbucket rescan with a REST-call.

Scan Queue

On the top-right you can find a drop down menu with the list of active scans. It gives an overview of running and scheduled scans for all projects / repositories / branches.

You can open detailed scan page by scan link, which is displayed in the following format:
ProjectName / RepositoryName : BranchName

Item tooltip shows how long ago scan was added / started. You can cancel any scheduled or running scan from this list one by one, or reset them all with one button click.

Performance Information

  • By default Security for Bitbucket runs 2 bulk scans simultaneously, all consequent scans will be added to a wait-queue. If you need you can customize maximum number of parallel scans using a REST-call.

  • When using Bitbucket Data Center, the repository scan is performed on a node, where you are served from, but the results on a Security Scan Report page are global / same for the whole cluster.

  • Some scan stats, like number of outdated repositories, are updated with each commit, so if you disable the plugin these stats may become outdated.

  • You can enable debug logging for a plugin to see the details of performed scans in Bitbucket's logs.

Summary

Security for Bitbucket is already a widely used plugin in the Atlassian ecosystem, with an established track record for finding and flagging vulnerabilities buried deep in source code that can easily be missed.

The Security Scan Reports make it easy to spot security issues by showing color-coded visualization of the status of every level in source control hierarchy.