Skip to content

BitBucket

SailPoint Entro scans BitBucket repositories to protect your organization from secret targeted attacks and find secrets that are leaked across your commits.

Management → Accounts & Integrations → Add New Account (top right) → Bitbucket


Overview

The Bitbucket Integration enables SailPoint Entro to continuously scan repositories across Bitbucket Cloud and Bitbucket Data Center (on-prem) for exposed secrets, credentials, and tokens.

SailPoint Entro connects securely using read-only authentication methods - either a Bitbucket API Token / App Password or a Workload Identity Federation (WIF) token - ensuring zero write or modification actions on your repositories.

All communication is performed over HTTPS/TLS 1.2+, and SailPoint Entro never stores raw source code, only contextual metadata required for security analysis.


Architecture

Entro Security Cloud
        ↕  (HTTPS/TLS)
Bitbucket Cloud or Data Center
   ├── Repositories
   ├── Commits
   └── Branches

SailPoint Entro’s integration interacts directly with the Bitbucket API to enumerate repositories, commits, and branches, then performs in-memory secret scanning through its secure cloud engine or local connector.


What SailPoint Entro Scans

SailPoint Entro automatically analyzes repositories and commits for secrets such as:

  • API keys and tokens (AWS, GCP, Azure, etc.)

  • OAuth and service credentials

  • SSH and private keys

  • Database connection strings

  • Cloud or CI/CD credentials (Pipelines, build configs, YAMLs)


What SailPoint Entro Does Not Scan

To maintain performance and reduce noise, the following are excluded:

Excluded Data Reason
Binary or media files (.jpg, .zip, .mp4) Prevent false positives
Archived or inactive forks Reduce redundant scanning
Deleted branches / closed pull requests Irrelevant historical data
Files exceeding 5 MB API performance optimization
Private pipelines or build artifacts Out of repository scope

These exclusions ensure efficient, lightweight, and secure scans across large environments.


Supported Bitbucket Flavors

Type Authentication Description
Bitbucket Cloud API Token (recommended) or legacy App Password Connects directly to Atlassian’s SaaS Bitbucket service
Bitbucket Data Center Workload Identity Federation (HTTP Auth Token) Connects to self-hosted Bitbucket Data Center via secure federated authentication

Note

Both integration types deliver identical SailPoint Entro scanning, detection, and reporting capabilities.


Integration Paths

Option 1 - Bitbucket Cloud

Connects via your Bitbucket username and either an App Password or a modern API Token. Ideal for cloud-hosted Bitbucket workspaces.

→ Go to Bitbucket Cloud Onboarding


Option 2 - Bitbucket Data Center (Workload Identity Federation)

Connects securely to your on-prem or private Bitbucket instance using a scoped HTTP Auth Token. Ideal for self-hosted or enterprise deployments with restricted access.

→ Go to Bitbucket Data Center Onboarding


Post-Onboarding Behavior

Once the integration is connected:

  • SailPoint Entro performs an initial repository discovery

  • All active repositories are continuously scanned for new secrets

  • Discovered findings are displayed in the SailPoint Entro Findings Dashboard, including:

    • Repository and branch

    • File path and commit hash

    • Secret type (e.g., API key, token, private key)

    • Exposure level (generic or confirmed)

You can:

  • Assign findings for remediation

  • Sync to Jira or other ticketing systems

  • Mark findings as Resolved or False Positive


Security & Compliance

  • All operations are read-only.

  • Source code is never stored — only hashed metadata and secret context.

  • Credentials (App Passwords, API Tokens, or WIF tokens) are encrypted using AES-256.

  • All communications occur via TLS 1.2+.

  • SailPoint Entro complies with:

    • SOC 2 Type II

    • ISO 27001

    • GDPR

SailPoint Entro’s Bitbucket integration follows Atlassian’s official authentication and security best practices.

Note

For production use, store your Bitbucket credentials in a secure vault and rotate them periodically.