
Begin Scanning a Bitbucket App

Authorize Data Security to connect to Bitbucket to scan all content shared within the app.
To connect a Bitbucket app and begin scanning assets, you need to:
  • Ensure that you have a Bitbucket Site administrator account.
  • Grant Data Security access to Bitbucket.
  • Add the Bitbucket app to Data Security, providing Data Security information about your Bitbucket workspace and account.
If you onboarded your Bitbucket app before May 20, 2022, a newly published app is available on the Bitbucket Marketplace. To replace your existing app, you must delete it from the dashboard, uninstall it (Workspace > Settings > Installed apps > Remove), and reonboard the app. If you don’t, some new features won't be available, including remediation and user activity monitoring capabilities. Any policy rules are purged when you delete the app; because your existing app does not support remediation, you likely did not create any. After you reonboard, you can create policy rules for improved data loss prevention.
Support for automated remediation capabilities varies by SaaS application.

Bitbucket Onboarding Time

Data Security scans for two Bitbucket asset types:
  • Commits—Repository commits across all branches.
  • Repository—Repository assets are scanned when the first commit occurs or when exposure settings are changed. The Owner name mentioned in the Assets page is the last person who edited the repository settings.
When you perform Change Sharing, the repository asset is updated with Exposure as “Internal”, and the Workspace name is displayed as the Owner.
The specific assets that Data Security scans and displays in the SaaS Security web interface are based on your onboarding time, which begins when you initiate scanning:
  • Post-onboarding—Commits and Repository updates after onboarding are scanned.
  • Pre-onboarding—Commits and Repository updates before onboarding are not scanned. Only newly added content to pre-onboarding commits is scanned.

Add Bitbucket App

In order for Data Security to scan assets, you must consent to specific permissions when adding the Bitbucket app.
  1. (Recommended) Add your Bitbucket domain as an internal domain.
  2. To add the Bitbucket app, go to Data Security > Applications > Add Application > Bitbucket.
    1. Select Connect to Bitbucket Account.
    2. Sign in with an account that has Site administrator permissions.
    3. In Authorize for workspace, select your team’s Bitbucket workspace, then Grant access.
    4. Review and Allow the requested permissions.
      Data Security requires these permissions to scan your assets on Bitbucket.
      After authentication, Data Security adds the new Bitbucket app to the list of Cloud Apps as Bitbucket n, where n is the number of Bitbucket app instances that you have connected to Data Security. You’ll specify a descriptive name soon.

Customize Bitbucket App

After you add the Bitbucket app, customize the app to make use of capabilities that are unique to this app or that differentiate this app instance from others.
  1. (Optional) Give a descriptive name to this app instance.
    1. Select the Bitbucket n link on the Cloud Apps list.
    2. Enter a descriptive Name to differentiate this instance of Bitbucket from other instances.
    3. Click Done to save your changes.
  2. Next step: Proceed to Identify Risks.

Identify Risks

When you add a new cloud app and enable scanning, Data Security automatically scans the cloud app against the default data patterns and displays the match occurrences. You can take action now to improve your scan results and identify risks.
  1. Start scanning the new Bitbucket app for incidents.
    1. Select Settings > Cloud Apps & Scan Settings.
    2. In the Cloud Apps row that corresponds to the new Bitbucket app, select Actions > Start Scanning.
  2. Monitor the scan results.
    During the discovery phase, as Data Security scans files and matches them against enabled policy rules:
    • Verify that Data Security displays assets.
    • Verify that your default policy rules are effective. If the results don’t capture all the risks or you see false positives, proceed to the next step to improve your results.
  3. (Optional) Modify match criteria for existing policy rules.
  4. (Optional) Add new policy rules.
    Consider the business use of your cloud app, then identify risks unique to your enterprise. As necessary, add new:
  5. (Optional) Configure or edit a data pattern.
    You can Configure Data Patterns to identify specific strings of text, characters, words, or patterns to make it possible to find all instances of text that match a data pattern you specify.
  6. Next step: Proceed to Fix Bitbucket App Onboarding and Scan Issues, if necessary.

Fix Bitbucket App Onboarding and Scan Issues

The most common issues related to onboarding a Bitbucket app are as follows:

Symptom: Not all commits display in the SaaS Security web interface.
Explanation: The assets that display are based on your Bitbucket Onboarding Time.
Solution: This is expected behavior. However, periodically check which asset types are supported, because support for new ones is added regularly.

Symptom: The Primary Email of a user does not display in the SaaS Security web interface, and users are not receiving Slack notifications.
Explanation: Due to Atlassian GDPR policy, Bitbucket does not enforce an email ID for a commit owner. Therefore, the SaaS Security web interface displays the atlassian_account_id by default instead of the user's email address. As a consequence, users don’t receive Slack notifications.
Solution: To receive user notifications, the administrator of the repository must require that each commit owner configures an email address, and must verify the legitimacy of the configured email address. In short, ensure that each commit owner’s profile is set to the user’s email address.

FAQs for Bitbucket App

The most common questions related to onboarding a Bitbucket app are as follows:

Question: What if there are multiple files in a commit?
Answer: Each commit is treated as a separate asset.

Question: Are merge commits scanned?
Answer: To avoid duplicates, merge commits are not scanned.

Question: What if a commit is associated with multiple branches?
Answer: Data Security does not scan the same commit twice. If a commit is part of multiple branches, only the first occurrence of the commit is scanned.

Question: How are assets named for commits?
Answer: The asset name is a combination of the short Commit ID and the filename.

Question: What does the Repository link on the Asset Details (Basic Info) page hyperlink to?
Answer: It directs you to the parent repository asset, not to the repository on Bitbucket.
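The scan rules stated in this page (only post-onboarding commits are scanned, merge commits are skipped, a commit present on several branches is scanned once, assets are named by short commit ID plus filename, and commits whose owner has no configured email surface only an atlassian_account_id) can be modelled in a few lines. The following Python is an added illustration written for this page, not Data Security's own code; the commit records, hashes, account IDs and data-pattern regexes are constructed for the example, and the onboarding timestamp is an assumed value. It shows which commits of a small constructed history would be eligible for scanning, which data patterns fire, and which commit owners a repository administrator should ask to configure an email address.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Commit:
    """Minimal commit record, as a scanner might receive it from the Bitbucket API."""
    sha: str
    parents: list          # more than one parent means a merge commit
    branch: str
    author_email: str      # "" when Bitbucket only exposes an atlassian_account_id
    author_account_id: str
    timestamp: datetime
    files: dict            # filename -> file content at that commit


# Assumed onboarding time: content before this instant is not scanned.
ONBOARDED_AT = datetime(2024, 1, 10, tzinfo=timezone.utc)

# Constructed sample history (hashes, IDs and contents are made up).
COMMITS = [
    Commit("a1b2c3d4e5f6", ["000000000000"], "main", "dev1@example.com", "557058:aaaa",
           datetime(2024, 1, 5, tzinfo=timezone.utc),
           {"config.py": "DB_PASSWORD = 'hunter2'\n"}),            # pre-onboarding: skipped
    Commit("b2c3d4e5f6a1", ["a1b2c3d4e5f6"], "main", "", "557058:bbbb",
           datetime(2024, 1, 12, tzinfo=timezone.utc),
           {"settings.env": "AWS_ACCESS_KEY_ID=AKIA000000000EXAMPLE\n"}),
    Commit("b2c3d4e5f6a1", ["a1b2c3d4e5f6"], "feature/x", "", "557058:bbbb",
           datetime(2024, 1, 12, tzinfo=timezone.utc),
           {"settings.env": "AWS_ACCESS_KEY_ID=AKIA000000000EXAMPLE\n"}),  # same commit on a 2nd branch
    Commit("d4e5f6a1b2c3", ["b2c3d4e5f6a1"], "feature/y", "dev3@example.com", "557058:dddd",
           datetime(2024, 1, 14, tzinfo=timezone.utc),
           {"notes.md": "contact: 4111 1111 1111 1111\n", "README.md": "nothing here\n"}),
    Commit("c3d4e5f6a1b2", ["b2c3d4e5f6a1", "d4e5f6a1b2c3"], "main", "dev2@example.com", "557058:cccc",
           datetime(2024, 1, 15, tzinfo=timezone.utc),
           {"merged.txt": "card 4111 1111 1111 1111\n"}),          # merge commit: skipped
]

# Constructed data patterns, in the spirit of the configurable patterns the page mentions.
DATA_PATTERNS = {
    "aws-access-key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "credit-card": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
    "password-assignment": re.compile(r"(?i)password\s*=\s*['\"][^'\"]+['\"]"),
}


def scan_commits(commits, onboarded_at, patterns):
    """Apply the page's scan-eligibility rules, then run data patterns over each file.

    Returns the SHAs actually scanned, the pattern matches (named short-ID + filename,
    mirroring the asset naming in the FAQ) and the commits whose owner has no email.
    """
    seen = set()
    findings = []
    missing_email = []
    for c in commits:
        if c.timestamp < onboarded_at:
            continue                      # pre-onboarding content is not scanned
        if len(c.parents) > 1:
            continue                      # merge commits are skipped to avoid duplicates
        if c.sha in seen:
            continue                      # a commit on several branches is scanned once
        seen.add(c.sha)
        if not c.author_email:
            # Only an atlassian_account_id is available: notifications cannot reach this user.
            missing_email.append((c.sha[:7], c.author_account_id))
        for filename, content in c.files.items():
            for name, rx in patterns.items():
                if rx.search(content):
                    findings.append({"asset": f"{c.sha[:7]} {filename}",
                                     "pattern": name, "branch": c.branch})
    return {"scanned": sorted(seen), "findings": findings, "missing_email": missing_email}


if __name__ == "__main__":
    result = scan_commits(COMMITS, ONBOARDED_AT, DATA_PATTERNS)
    print("scanned commits:", result["scanned"])
    for f in result["findings"]:
        print(f"match: {f['pattern']:<20} asset={f['asset']} branch={f['branch']}")
    for short_sha, account in result["missing_email"]:
        print(f"no author email on {short_sha}; only account id {account} is available")
```

The `missing_email` list is the part a repository administrator acts on: each entry is a commit owner whose profile needs a verified email address before user notifications can work, which is the remedy the troubleshooting table gives.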