Bitbucket
Bitbucket is a Git-based code hosting and collaboration tool. SailPoint Entro detects secrets and NHIs exposed on Bitbucket, like the example shown below:

Step 1: Locate the Exposed Token with SailPoint Entro Platform
Use the link provided by SailPoint Entro to navigate directly to the Bitbucket repository where the token was exposed. Identify the specific commit, branch, or file in the Bitbucket repository that contains the exposed token. Review the commit history, code, and configuration files to locate the sensitive data.
Step 2: Revoke Rotate and remove the Exposed Token
To remediate the issue, use the RIGOR workflow:
-
Redact Sensitive Information: Remove the exposed token from the affected code, files, or configurations in the Bitbucket repository.
-
Inform the owner about the token exposure so that the practice is not repeated.
-
Generate a new token if necessary and ensure it is securely vaulted, avoiding exposure in scripts, pipeline configurations, or environment settings.
-
Organize and take notes throughout this process as they will be necessary for a future root cause analysis, response plans, etc...
-
Revoke any exposed tokens through the issuing service based on the token type provided by SailPoint Entro. Refer to Key Rotation Best Practices.
Step 3 (optional): Use Bitbucket Pipelines Environment Variables or External Secret Management
-
Use Bitbucket Pipelines environment variables to securely manage sensitive information without hard-coding it in the repository.
-
Alternatively, integrate with external secret management services such as AWS Secrets Manager, Azure Key Vault, or HashiCorp Vault to securely store and access tokens and other sensitive data.
Step 4: Audit Access
Review Bitbucket’s audit logs and repository security settings to ensure that no unauthorized access occurred while the token was exposed.
Step 5: Monitor
Set up monitoring and alerts within Bitbucket or using external monitoring tools to notify you of any unusual activities related to repository access or sensitive data exposure.