Cheat sheet: 10 Bitbucket security best practices | Snyk (2024)

In this cheat sheet we’ll cover how you can be more secure as a Bitbucket user or contributor. Some of it is specific to Bitbucket, but a lot of it is also useful for other Git and non-Git repositories as well.

Download cheat sheet

So let’s get started with our list of 10 Bitbucket security best practices, starting with the classic mistake of people adding their passwords into their Bitbucket repositories!

1. Never store credentials as code/config in Bitbucket

There are a bunch of great tools available, like git-secrets, that can statically analyze your commits, via a pre-commit Git Hook to ensure you're not trying to push any passwords or sensitive information into your Bitbucket repository. Commits are rejected if the tool matches any of the configured regular expression patterns that indicate that sensitive information has been stored improperly. This may slow down pushes a tiny bit, but it’s well worth it.

Having team-wide rules that prevent credentials from being stored as code is a great way to police bad actions in the existing developer workflow. Use a tool like Vault to help manage your secrets when in production. Lastly, consider using an identity and user management tool chain, like Keycloak (currently maintained by a number of developers in Red Hat) as well as others.

Atlassian supports injecting credentials into Bitbucket plans through environment variables, however a more secure approach may be using Adaptavist’s ScriptRunner as middleware to connect credential and authentication management systems like Vault and Keycloak.

There are many ways to avoid putting credentials into your repository in the first place, and you should try to implement as many as you can; however there’s always the chance some sensitive information may sneak in. You should also consider regularly auditing your repos, making use of tools like GitRob or truffleHog, both of which scan through your codebase, searching for sensitive information via pattern matching.

2. Remove sensitive data in your files and Bitbucket history

If you find sensitive data in your Bitbucket repository, you need to do a number of things to recover. First of all you'll need to invalidate the tokens and passwords that were once public. Once a secret is public on the internet, you should assume it's in the hands of attackers and react accordingly.

Of course, you’ll also need to remove the same sensitive data from your repository, but don’t forget that Bitbucket is very good at keeping a full history of all your commits. This includes changelogs that list your sensitive information. It’s important you clear your Bitbucket history when you remove sensitive data from a repo. For more info, see purging files from your repository's history. Note, while this is a GitHub link, it’s good generic advice for all Git repositories, so you can use it in Bitbucket also. You can also use ScriptRunner to make these integrations simple.

3. Tightly control access

Here in the UK, when it gets really, really hot (read: mildly warm) us Brits tend to open all the windows in the house to make sure that it doesn’t turn into a sauna. However when we leave our houses, we double lock the front door, often leaving many of the windows partially open to keep the airflow moving. Of course this makes no sense, as anyone wanting to break in won’t try to break in through the front door! They’ll look for a less obvious way in, perhaps by climbing through one of the conveniently opened windows. We often take a similar approach to securing our applications. We focus very hard on the more complex attack vectors, but fail miserably against some of the simplest. For instance, it only takes one developer to leave their password on a sticky note, hanging off their monitor for an attacker to gain access. We must ensure our basic settings and practices are adhered to, both on the Bitbucket platform as well as in general. Mandate the following basic practices for your contributors:

  1. Require 2-factor-authentication on every contributor’s Bitbucket account.

  2. Never let Bitbucket users share accounts/passwords.

  3. Any laptops/devices with access to your source code must be properly secured.

  4. Repository administrators should manage team access to data. Only give contributors access to the data they need to do their work.

  5. Bitbucket accounts may be personal accounts, and do not naturally disappear when users leave the company. Make sure you diligently revoke access from Bitbucket users who are no longer working with you.

Bitbucket’s Branch Permissions model enable you to control who can push commits to which branches.

You can schedule a ScriptRunner job to deactivate particular Bitbucket users at a specified date and time, preventing further access to Bitbucket Server. In the example below we deactivate User and Contractor on 17th August 2018 at 9am. In the Notes section a JIRA issue key ACCESS-1234 has been referenced to see who reported the change.

Cheat sheet: 10 Bitbucket security best practices | Snyk (1)

4. Add a SECURITY.md file

It’s natural for most project owners and maintainers to add a README.md for their repository. In fact, these days it’s expected and it’s quite frowned upon if one is missing. Likewise, it’s becoming increasingly common to add a SECURITY.md file that highlights security-related information for your project. Not only does it give users of your open source project the important security information they need, but it also forces the maintainers to think about how they should deal with security disclosures, updates and general security practices.

Here’s a high level overview of some of the suggested topics that you should cover in the SECURITY.md file:

Disclosure policy

The 2017 Snyk State of Open Source Security report shows only 21% of maintainers who do not have a public disclosure policy have been notified privately about a vulnerability. This jumps up to 73% of maintainers who do have a public disclosure policy. This illustrates the importance of defining the procedure of how an issue reporter can fully disclose security issues responsibly. This should include who to contact and how. This is extremely important as it allows you to gain important feedback from the users of your project. If there's no easy well-defined way of doing something, it's easy for us to not bother doing it at all. Others may log the existence of a vulnerability as an open issue, inadvertently making the world aware of it before a fix is available. Make sure you give your project users all the direction they need to give the right information to project maintainers when issues are found.

Security update policy

Software vulnerabilities are discovered every single day. When a vulnerability is found in your application or library, you have a responsibility to tell the users of your project. They could be using your open source code in production on critical systems. You need to have a well-defined process to share the relevant information to them, including the severity of the vulnerability, the risk it brings, and how to move to a fixed version of your code. Define this process upfront so that the information is pushed to your project users, allowing them to be updated as early as possible about new security vulnerabilities as they are found and fixed. This might be as simple as a security mailing list. A SECURITY.md file is a good home for such info on the repo, and if you have a website, consider an independent page for it — see Express.js’s security page as an example.

Security related configuration

The security considerations of your project go beyond your code alone. Users of your open source project likely need to add configuration to your project and create settings in order for it to work as necessary in their environment. You should provide your project users with suggested settings that harden their security posture when deploying this project. Examples include turning on HTTPS, adding an authorization layer and of course replacing default passwords (guidance many MongoDB users wish they’ve gotten). Remember that many users typically have a fairly low understanding of security, so any advice you can pass on will help them greatly.

Known security gaps & future enhancements

There’s a tradeoff between giving your users the information they need to secure their environment versus enabling an attacker with suggested attack routes. Always consider how the information you share could be used by both parties. Very rarely are projects in such a state that all the security improvements you want to make have been implemented. It's important to inform your project users of the security controls that aren’t currently in place. Your users deserve to know the full story so they can make informed decisions about how they use your project. Who knows — you may even get contributions of a security control implementation from your users on the list!

5. Get security tips as part of your workflow with Code Insights

Code Insights is designed to surface information relevant to a pull request, so the author and reviewers are able to make better-informed decisions. Snyk provides an integration that runs a scan against all opened pull requests to ensure they aren’t introducing new open source vulnerabilities, and can block pull requests from being merged when they do contain new vulnerabilities.

If a new vulnerability is found, Snyk alerts you about the newly found vulnerability and opens a Fix pull request, including suggested upgrades or Snyk patches to fix the vulnerability.

In Bitbucket’s pull request interface, the changes are scanned and results are shown as detailed in-line annotations next to the changes that introduce new issues. These annotations make it easier to understand the results of Snyk’s scan and support informed decisions.

For more information about installation and usage, check this Snyk Bitbucket Code Insights blog post containing a video of it all happening!

6. Validate your Bitbucket applications carefully

All good platforms can be extended, and Bitbucket with its application marketplace is no exception. Applications are written by organizations and third party developers, so keep this in mind when adding them to your repository. Consider the following when selecting and installing Bitbucket applications:

  • Don’t give applications more access rights than they need.

  • Question why an application requires the level of access it asks for, and think about the damage it might cause with that level of access.

  • Validate that the author or organization behind the application are legitimate and have credibility before giving them access to your repositories, the same as you would when onboarding a new committer to your project.

You’re only as secure as your weakest link, so if an application you’re giving access to has a poor security posture, a breach of their code gives attackers access to your code - one of your most sensitive assets.

Lastly, make sure you monitor or audit your applications and their contributors at regular intervals to ensure you still need them, still trust them, and still deem them worthy of the access they require. Keep on top of your application management and remove those that you no longer need or require rights that you’re not comfortable giving.

7. Add security testing to PRs

Bitbucket has a powerful event-driven Git Hook framework that allows you to send HTTP POST requests to a service of your choice when events are fired. There are a vast number of events you can choose to act upon, but one of the most useful for testing your incremental code changes is the pull_request event. There are many static code analysis tools that support Git Hooks such that when a PR is created, an HTTP POST is fired to prompt them to test your latest updates. This is a great point in time to ensure that code and config changes being made are aligned with your security expectations.

Snyk, as an example, statically analyzes your repo to find vulnerable dependencies you may be using and helps you fix them. You can test your repos through Snyk’s UI to find issues, but also to keep developers from adding new vulnerable libraries by testing pull requests and failing the test if a new vulnerability was introduced.

Beyond the convenient integration into Bitbucket, pull requests are better than “breaking the build” in the fact that they don’t have to block a merge (in fact, they’re informational by default), and their ability to test your changes, not just the outcome (e.g. fail only if you introduced a vulnerable library, not if there was one there already).

In addition to Snyk, you should also consider using SonarCloud or CodeClimate to perform automated security code reviews. Additionally consider adding a ScriptRunner script to ensure you aren’t pushing any secrets into your repo.

8. Add security testing in your Bitbucket pipes

Bitbucket Pipes allows you to customize and automate a CI/CD workflow from a group of ready-to-use tasks. Snyk provides a ready-to-use pipe that scans your application dependencies and Docker images for known open source security vulnerabilities as part of the continuous integration/continuous delivery (CI/CD) workflow.

To add the Snyk pipe to your workflow, simply copy the Snyk pipe and paste it into the pipeline.

Once added to the Bitbucket Pipeline workflow, the Snyk pipe scans your dependencies for open source vulnerabilities as part of the CI/CD workflow. If vulnerabilities are found, the Snyk pipe gates the process according to your pre-configured setup. For example, preventing high severity vulnerabilities from going through the build. For more information, please check the documentation pages.

Another pipe that you should consider including in your pipeline to improve your security resilience is SonarCloud.

9. Use the right Bitbucket offering for your security needs

Depending on your project or organizational regulations, you may be restricted to software that can only run locally. Or perhaps the restrictions are placed on where your source code is stored or on which other organizations can have access to it. This is a common restriction for financial institutions, government departments or other tightly regulated industries. However this doesn’t mean that you can’t use Bitbucket!

Take a look at the fully on-prem Bitbucket Server offering, which allows you to fully host Bitbucket repositories within your organization. This means your can be disconnected from the internet and still have internal access to your projects within your Bitbucket Server repositories.

10. Rotate SSH keys and personal access tokens

Bitbucket access is typically done using SSH keys or personal user tokens (in lieu of a password, because you enabled 2FA!). But what happens if those tokens are stolen and you didn’t know? Be sure to refresh your keys and tokens periodically, mitigating any damage caused by keys that leaked out.

For further reading on Bitbucket security, make sure you also read the Bitbucket security advisories. And if you haven’t done so yet, make sure you download this cheat sheet now and pin it up, so your future decisions are secure decisions!

Cheat sheet: 10 Bitbucket security best practices | Snyk (2024)

FAQs

Cheat sheet: 10 Bitbucket security best practices | Snyk? ›

Unlike cloud solutions, there is no shared responsibility, and all responsibility lies with your security team to make sure that the repository is protected from hackers and internal threats. Careless users such as developers still present a security challenge.

How to secure a Bitbucket repository? ›

Top 6 Bitbucket Security Best Practices
  1. Keep Bitbucket Updated & Regularly Patched. ...
  2. Enact Strong Access Controls. ...
  3. Remove Sensitive Data in Your Bitbucket Repository. ...
  4. Review and Audit Activity Logs in the Bitbucket Supply Chain. ...
  5. Implement Bitbucket Branch Permissions and Code Reviews.
Nov 21, 2023

What are two good security practices we should adhere to when managing code repositories? ›

Safeguarding Your GitHub: Best Practices for Repository Security.
  • Introduction. ...
  • Enable Two-Factor Authentication (2FA) ...
  • Use Strong and Unique Passwords. ...
  • Regularly Review and Update Access Permissions. ...
  • Implement Branch Protection Rules. ...
  • Regularly Update Dependencies and Packages. ...
  • Leverage Code Scanning and Analysis Tools.

Who is the responsible party for ensuring the repository is free of security issues? ›

Unlike cloud solutions, there is no shared responsibility, and all responsibility lies with your security team to make sure that the repository is protected from hackers and internal threats. Careless users such as developers still present a security challenge.

How to store passwords in Bitbucket? ›

Bitbucket Support
  1. Log into or connect to Bitbucket Cloud.
  2. App passwords. Create an App password. App password permissions. Using App passwords. Revoke an App password. Add an App password to Sourcetree or another application.
  3. Manage Bitbucket and account settings.
  4. Access Tokens.

How do I protect branches in Bitbucket? ›

Start by navigating to the repository you want to limit permissions for, select Repository settings, then select Branch restrictions. Add permissions to Main branch: Select Add a branch restriction.

How do I protect my public repository? ›

From the main page of your repository, click Settings. Click Code security & analysis. Next to Secret scanning, click Enable.

Which of the following are security best practices? ›

Top 10 Security Practices
  • Log off public computers. ...
  • Back up important information ... and verify that you can restore it. ...
  • Keep personal information safe. ...
  • Limit social network information. ...
  • Download files legally. ...
  • Ctrl-ALt-Delete before you leave your seat! ...
  • Secure your laptop, smart phone or other mobile devices.

What is the best secure code practice? ›

8 Secure Coding Best Practices
  • Security by Design.
  • Password Management.
  • Access Control.
  • Error Handling and Logging.
  • System Configuration.
  • Threat Modeling.
  • Cryptographic Practices.
  • Input Validation and Output Encoding.
Dec 27, 2023

What type of information should never be stored in source code repositories? ›

Sensitive information can include passwords, tokens, secrets, access keys, SSH keys, certificates, and hostnames, etc. Such information should never be hardcoded in source code or pushed as part of a configuration file. However, mistakes do happen.

How do I set authentication in Bitbucket? ›

2. Configure Bitbucket
  1. Navigate to the Git Authentication Configuration tab, enable Authentication from Git Client and select OneLogin as IdP.
  2. Now enter Client ID and Client Secret.
  3. Enter the region code from where you want authentication. Eg: us or eu.
  4. Click on Save.

How to save Bitbucket credentials? ›

The Git Credential Manager can indeed be used to store your authentication credentials for Bitbucket Cloud. You can install GCM following the instructions of official GCM installation guide , and it should already configure your git environment to start using GCM as the credential helper to cache your app password.

How do I store large files in Bitbucket? ›

There is currently a 10 GB size limit for the file upload into the media storage. Uploading files larger than 10 GB will result in an error. Use the Git LFS extension with a repository to speed up the handling of large files. Use the Git Large File Storage (LFS) extension with an existing Bitbucket Cloud repository.

How do I make my Bitbucket repository private? ›

Because public repositories allow public forks, you must make your repository private to restrict forking.
  1. From the repository, click Repository settings in the sidebar.
  2. From the Repository details page, if you don't see the Forking option, select This is a private repository.

How do I restrict access to Bitbucket? ›

From the Access controls page, select the Restrict access to certain IP addresses option. Click Add or remove IP addresses. A popup opens. Enter an IP address or a network block for a set of IP addresses.

How do I create a Bitbucket repository password? ›

Create an App password
  1. Select the Settings cog in the upper-right corner of the top navigation bar.
  2. Under Personal settings, select Personal Bitbucket settings.
  3. On the left sidebar, select App passwords.
  4. Select Create app password.

How do I authenticate a Bitbucket repository? ›

2. Configure Bitbucket
  1. Navigate to the Git Authentication Configuration tab, enable Authentication from Git Client and select OneLogin as IdP.
  2. Now enter Client ID and Client Secret.
  3. Enter the region code from where you want authentication. Eg: us or eu.
  4. Click on Save.

References

Top Articles
Energy Pulse: in brief (4th August) | Wood Mackenzie
The Curacao Private Beach Hopping / Snorkeling Tour
Zuercher Portal Inmates Clinton Iowa
Why shamanism is red hot right now: 12 things you need to know
Craigslist Greencastle
How Much Is Vivica Fox Worth
Survivor Australia Wiki
Flag Mashup Bot
Zenuwbeknelling in de voorvoet (Mortons neuroom)
Bowling Pro Shop Crofton Md
Julia Is A Doctor Who Treats Patients
Wdel News Today
Dealer 360 Login Generac
Chittenden County Family Court Schedule
Gdp E239 Bts
Chicken Coop Brookhaven Ms
Stanford Rival Crossword Clue
Dr Bizzaro Bubble Tea Menu
Soul Attraction Rs3
Gebrauchte New Holland T6.145 Deluxe - Landwirt.com
Huniepop Jessie Questions And Answers
Cherry Crush Webtoon Summary
The Secret Powers Of Doodling
Becker-Hunt Funeral Home Obituaries
Money Rose Stencil
Spicy Bourbon Pumpkin Pie
Car Star Apple Valley
Davias Grille
Osrs Toby
Abby's Caribbean Cafe
OC IDEAS TO DRAW [80+ IDEAS!] ✍🏼 | Spin the Wheel - Random Picker
Lvaction Login
인민 을 위해 복무하라 다시보기
San Bernardino Pick A Part Inventory
Unblocked Games 66E
Palm Coast Permits Online
Keanu Reeves cements his place in action genre with ‘John Wick: Chapter 4’
Are Huntington Home Candles Toxic
Warrior Badge Ability Wars
Intoxalock Calibration Locations Near Me
Crystal Westbrooks Nipple
Nycda Login
MyEyeDr. near Lind<b>ergh Center Metro Station
Glyph Of The Trusted Steed
Daftpo
United States Map Quiz
Summer Rae on WWE return: Royal Rumble is 'step in the right direction'
Ucf Cost Calculator
Vegansoda Mfc
New Application Instructions · Government Portal
Pike County Buy Sale And Trade
Latest Posts
Article information

Author: Melvina Ondricka

Last Updated:

Views: 5851

Rating: 4.8 / 5 (48 voted)

Reviews: 87% of readers found this page helpful

Author information

Name: Melvina Ondricka

Birthday: 2000-12-23

Address: Suite 382 139 Shaniqua Locks, Paulaborough, UT 90498

Phone: +636383657021

Job: Dynamic Government Specialist

Hobby: Kite flying, Watching movies, Knitting, Model building, Reading, Wood carving, Paintball

Introduction: My name is Melvina Ondricka, I am a helpful, fancy, friendly, innocent, outstanding, courageous, thoughtful person who loves writing and wants to share my knowledge and understanding with you.