Skip to content

Bitbucket App Password

Service Name: Bitbucket

Service Description: Bitbucket is a Git-based source code repository hosting service owned by Atlassian. It offers both cloud-based and server versions for teams to collaborate on code development, manage Git repositories, and build, test, and deploy code.

Service Address: https://bitbucket.org/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the workspace level through IP allowlists in Bitbucket Cloud settings.

Secret Access Scope: App passwords grant specific permissions to access Bitbucket resources and APIs without sharing your primary password. They can be configured with limited scopes such as repository read/write access, pull request management, pipeline execution, or issue tracking.

Secret Revokement URL: https://bitbucket.org/account/settings/app-passwords/

Secret Example: ATBBcGVuqm6Xp8MYKVm3RRVnUMFT5D3C8A2E

Suspicious Activity Investigation Instructions:

  • Review the Bitbucket audit logs for unusual repository access or actions
  • Check for unauthorized repository clones, commits, or pull requests
  • Monitor for unexpected changes to repository settings or permissions
  • Examine webhook configurations for unauthorized additions
  • Review pipeline executions for suspicious activities
  • Check for unusual API calls made using the app password

Mitigation Instructions:

  • Log in to your Bitbucket account
  • Navigate to your personal settings by clicking on your profile picture and

selecting "Personal settings"

  • Select "App passwords" from the left sidebar
  • Locate the compromised app password in the list
  • Click the trash icon next to the password to delete it
  • Confirm the deletion when prompted
  • Create a new app password with appropriate permissions if still needed
  • Review all repository access and permissions
  • Enable two-factor authentication for your Bitbucket account if not already

enabled

  • Consider implementing IP allowlists for your Bitbucket workspace