ClarioSec
Integration

Bitbucket

Discover workspaces, projects & repositories, members & permissions, **branch restrictions**, pipelines & runners, variables & secrets, SSH keys/app passwords, webhooks/integrations and audit signals. Govern non-human identities and their effective permissions — stop risky actions before impact.
Overview
What the connector discovers
  • Workspaces, Projects & Repositories: workspace settings, project-level permissions, repository visibility/default branch, forking model and mirroring.
  • Members, Groups & Permissions: workspace/project/repo permissions, groups & user membership (direct/inherited), external collaborators.
  • Branch Restrictions & Merge Checks: push/merge restrictions, required reviews/status checks, no-force-push, linear history; protected tags & release rules (Bitbucket Cloud/Server/DC parity).
  • Pipelines, Runners & Variables: Bitbucket Pipelines status, self-hosted runners, secured/secret variables (metadata only), environment approvals and deployment rules.
  • SSH Keys, App Passwords & Tokens: repository/project deploy keys, user SSH keys (metadata), app passwords and OAuth tokens (metadata), rotation windows and usage hints.
  • Webhooks, Integrations & Audit: repo/workspace webhooks (endpoints/active), integrations (Jira, Slack, etc.), audit events for installs, permission changes and security settings.
  • Effective Permissions: identity (app/token/runner) → permissions/policy → repository/environment → allowed actions at time of execution.

Why it matters

Bitbucket hosts source and CI/CD for many Atlassian-centric teams. Apps, tokens, runners and webhooks can move code and secrets at scale. ClarioSec adds **runtime governance**: drift-aware scoring, pre-execution controls and audit-grade narratives.

Capabilities: CI/CD least-privilege, secret & token hygiene, pre-execution controls, explainable decisions.
Drift-aware risk scoring

Baselines per app/runner/token; peer groups by project/team; detect permission expansion, missing branch restrictions, ownerless webhooks, stale app passwords/keys and anomalous variable/env access in pipelines.

Pre-execution enforcement

Allow / Alert / Block / Approve with governed overrides. Minimize permissions, enforce merge checks and require JIT approval before privileged pipeline jobs or secret reads.

Audit-grade narratives

Every decision yields **rule → reason → proof → control map** (SOC 2, GDPR, ISO/IEC 27001 & 42001, AI Act), including before/after permissions, affected repos/environments and owner context.

Setup
Connect Bitbucket (Cloud or Server/Data Center)

For **Bitbucket Cloud**, use an **OAuth 2.0 consumer** (preferred) or a **Workspace App Password** with read scopes. For **Bitbucket Server/Data Center**, provide the **base URL** and a token with read APIs.

  • Bitbucket Cloud, OAuth consumer: Workspace settings → OAuth consumers → Add consumer. Enable read scopes: account, team, repository, pullrequest, webhook, pipeline, project. Capture the Key/Secret.
  • Bitbucket Cloud, app password (alternative): create an app password with read on repositories, pipelines, webhooks, projects and account/team metadata. Store it securely.
  • Bitbucket Server/DC: provide the base URL (e.g., https://bitbucket.yourdomain) and a token/user with read REST permissions for projects/repos/permissions/hooks/audit.
  • Add in ClarioSec: open the Bitbucket connector and paste the workspace/project information and the OAuth Key/Secret (or app password/token); credentials are stored per tenant. ClarioSec honors Bitbucket rate limits.

Data collected

High-value signals via Bitbucket REST APIs (metadata only):

  • Workspaces, projects, repositories (visibility/default branch), forks/mirrors
  • Members, groups, permissions (workspace/project/repo) — inherited vs direct
  • Branch restrictions & merge checks; protected tags
  • Pipelines, runners, variables & environments (metadata); approvals for deployments
  • SSH deploy keys, app passwords, tokens (metadata) and rotation windows
  • Webhooks, integrations (Jira/Slack), audit/security events (where supported)

Endpoint family: Bitbucket Cloud v2 REST, Bitbucket Server/DC REST (Projects, Repos, Permissions, Branch Restrictions, Webhooks, Pipelines, Audit).

Common risks caught
  • Missing branch restrictions & broad access: unprotected default branches, no required reviewers, write access for broad groups, open forks without review.
  • Runner exposure & secret leakage: self-hosted runners shared too widely, unsecured images, variables not masked/protected, secrets echoed in logs.
  • Ownerless webhooks & stale credentials: webhooks to external endpoints without owners; old app passwords/SSH keys never rotated.
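As an added example (not ClarioSec's own code), one way to evaluate the first risk above, missing branch restrictions, against the response shape of Bitbucket Cloud's branch-restrictions endpoint; the sample response and the approval threshold are constructed for illustration:

```python
"""Posture check for a repository's default-branch restrictions.

Added example, not ClarioSec's code. It evaluates the JSON shape returned by
Bitbucket Cloud's GET /2.0/repositories/{workspace}/{repo_slug}/branch-restrictions
endpoint (paginated; entries under "values", each with "kind", "pattern" and,
for some kinds, a numeric "value"). The response below is constructed.
"""
from fnmatch import fnmatch

# Constructed sample: what the endpoint might return for one repository.
SAMPLE_RESTRICTIONS = {
    "values": [
        {"kind": "push", "pattern": "main", "users": [], "groups": []},
        {"kind": "require_approvals_to_merge", "pattern": "main", "value": 1},
        {"kind": "force", "pattern": "release/*"},
    ]
}

# Protections a sensitive default branch should carry, and the finding raised when absent.
REQUIRED = {
    "push": "push not restricted: any writer can commit directly",
    "force": "force-push allowed: history can be rewritten",
    "delete": "branch deletion allowed",
    "require_approvals_to_merge": "no required reviewers before merge",
}


def _covers(rule, branch):
    # Bitbucket patterns are glob-like ("release/*"); an exact branch name also matches.
    return fnmatch(branch, rule.get("pattern", ""))


def check_default_branch(restrictions, default_branch, min_approvals=2):
    """Return the findings for `default_branch`; an empty list means compliant."""
    active = [r for r in restrictions.get("values", []) if _covers(r, default_branch)]
    kinds = {r["kind"] for r in active}
    findings = [msg for kind, msg in REQUIRED.items() if kind not in kinds]
    for r in active:
        if r["kind"] == "require_approvals_to_merge" and r.get("value", 0) < min_approvals:
            findings.append(f"only {r.get('value', 0)} approval(s) required, want {min_approvals}")
    return findings


if __name__ == "__main__":
    for finding in check_default_branch(SAMPLE_RESTRICTIONS, "main"):
        print("FINDING:", finding)
```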

Governance outcomes
  • Just-in-time approvals for privileged pipeline jobs & secret reads
  • Automatic permission minimization & rotation guidance (app passwords/keys)
  • Enforce branch restrictions and merge checks for sensitive repos
  • Audit-grade narratives mapped to SOC 2 / GDPR / ISO / AI Act

Ready to govern Bitbucket apps, runners and secrets at runtime?

Move from repo posture to provable behavior — identity → permission → action → narrative.

Runtime governance for SaaS & AI agents. Discover non-human identities, score drift, enforce policies, and generate audit-grade explanations.


© 2025 ClarioSec. All rights reserved.