BitBucket
SailPoint Entro scans BitBucket repositories to protect your organization from secret targeted attacks and find secrets that are leaked across your commits.
Navigation Path
Management → Accounts & Integrations → Add New Account (top right) → Bitbucket
Overview
The Bitbucket Integration enables SailPoint Entro to continuously scan repositories across Bitbucket Cloud and Bitbucket Data Center (on-prem) for exposed secrets, credentials, and tokens.
SailPoint Entro connects securely using read-only authentication methods - either a Bitbucket API Token / App Password or a Workload Identity Federation (WIF) token - ensuring zero write or modification actions on your repositories.
All communication is performed over HTTPS/TLS 1.2+, and SailPoint Entro never stores raw source code, only contextual metadata required for security analysis.
Architecture
Entro Security Cloud
↕ (HTTPS/TLS)
Bitbucket Cloud or Data Center
├── Repositories
├── Commits
└── Branches
SailPoint Entro’s integration interacts directly with the Bitbucket API to enumerate repositories, commits, and branches, then performs in-memory secret scanning through its secure cloud engine or local connector.
What SailPoint Entro Scans
SailPoint Entro automatically analyzes repositories and commits for secrets such as:
-
API keys and tokens (AWS, GCP, Azure, etc.)
-
OAuth and service credentials
-
SSH and private keys
-
Database connection strings
-
Cloud or CI/CD credentials (Pipelines, build configs, YAMLs)
What SailPoint Entro Does Not Scan
To maintain performance and reduce noise, the following are excluded:
| Excluded Data | Reason |
|---|---|
Binary or media files (.jpg, .zip, .mp4) |
Prevent false positives |
| Archived or inactive forks | Reduce redundant scanning |
| Deleted branches / closed pull requests | Irrelevant historical data |
| Files exceeding 5 MB | API performance optimization |
| Private pipelines or build artifacts | Out of repository scope |
These exclusions ensure efficient, lightweight, and secure scans across large environments.
Supported Bitbucket Flavors
| Type | Authentication | Description |
|---|---|---|
| Bitbucket Cloud | API Token (recommended) or legacy App Password | Connects directly to Atlassian’s SaaS Bitbucket service |
| Bitbucket Data Center | Workload Identity Federation (HTTP Auth Token) | Connects to self-hosted Bitbucket Data Center via secure federated authentication |
Note
Both integration types deliver identical SailPoint Entro scanning, detection, and reporting capabilities.
Integration Paths
Option 1 - Bitbucket Cloud
Connects via your Bitbucket username and either an App Password or a modern API Token. Ideal for cloud-hosted Bitbucket workspaces.
→ Go to Bitbucket Cloud Onboarding
Option 2 - Bitbucket Data Center (Workload Identity Federation)
Connects securely to your on-prem or private Bitbucket instance using a scoped HTTP Auth Token. Ideal for self-hosted or enterprise deployments with restricted access.
→ Go to Bitbucket Data Center Onboarding
Post-Onboarding Behavior
Once the integration is connected:
-
SailPoint Entro performs an initial repository discovery
-
All active repositories are continuously scanned for new secrets
-
Discovered findings are displayed in the SailPoint Entro Findings Dashboard, including:
-
Repository and branch
-
File path and commit hash
-
Secret type (e.g., API key, token, private key)
-
Exposure level (generic or confirmed)
-
You can:
-
Assign findings for remediation
-
Sync to Jira or other ticketing systems
-
Mark findings as Resolved or False Positive
Security & Compliance
-
All operations are read-only.
-
Source code is never stored — only hashed metadata and secret context.
-
Credentials (App Passwords, API Tokens, or WIF tokens) are encrypted using AES-256.
-
All communications occur via TLS 1.2+.
-
SailPoint Entro complies with:
-
SOC 2 Type II
-
ISO 27001
-
GDPR
-
SailPoint Entro’s Bitbucket integration follows Atlassian’s official authentication and security best practices.
Note
For production use, store your Bitbucket credentials in a secure vault and rotate them periodically.