Skip to content

BitBucket Server Plugin App

Enforce pre-receive and PR secret scanning by installing the SailPoint Entro Bitbucket Plugin app

582KB
entro-bitbucket-plugin.zip
Installation JAR v1.0.7 · archive

SailPoint Entro provides a BitBucket compatible app, follow these steps to install and enable it.

  1. Go to Administration > Manage Apps

  2. Select "Upload app" and upload the SailPoint Entro provided JAR app file.

    Once uploaded, ensure the plugin is enabled as can be seen above.

    Note

    An Entro scanning API key is required.

  3. Once enabled, you will be able to see "Entro" under the System settings.

    From the global administration settings you will be able to enforce scanning across all or some of your BitBucket projects. Clicking on "Save" at the bottom of the settings page will enforce these settings.

    As an example, once "All projects" is selected, the "Entro Push Scan" hook will be applied to all projects, as can be seen below.

    Which will yield the following output when an employee tries to push a commit with secrets to a repo.

API Key

An Entro scanning API key is required for the scanner to call SailPoint Entro’s API.

Global Settings

Once the app is enabled, open Entro under System settings (global administration). From there you can:

  • Enforce scanning across all projects or only selected projects (and related options on that page).

  • Click Save at the bottom to apply settings. Saving applies hooks according to your choices (for example, the Entro Push Scan hook on the repos/projects you configured).

Example: All Projects

If you choose All projects, the push scan hook is registered broadly across your instance (as shown in the hook list for each relevant repository).

What Developers See

As seen above, when someone pushes commits that contain detected secrets, the push can be rejected with a message that lists the findings (behavior depends on your SailPoint Entro and Bitbucket configuration).

Optional: Explicitly Bypassing a Scan

Line Ignore Comments

Before content is sent to SailPoint Entro, any line that contains one of these ignore markers (with optional spaces around entro-secret-ignore) is stripped for that scan:

  • # entro-secret-ignore (also the form #entro-secret-ignore)

  • // entro-secret-ignore

  • /* entro-secret-ignore */ on a single line

  • <!-- entro-secret-ignore -->. You can also use <!-- entro-secret-ignore -->. Use these when a secret-like string is safe, and you want that line excluded from the payload sent to the API.

Path Allow-List File (Repository Root)

To skip whole files or paths (for example generated assets or paths where inline comments are not possible), add a file named **entro-security.yml** at the root of the repository on the default branch (main / master, etc.). Each entry is a regular expression matched against the file path (backslashes are normalized to forward slashes). If any pattern matches, that file is not sent to the SailPoint Entro scan API.

Example:

allowlist_paths:
  - '^generated/.*'
  - '.*\.golden\.json$'

Note

Commit and merge this file to the default branch before relying on it for paths you want excluded.