Snyk Bitbucket Cloud integration

Feature availability This feature is available for all plans. See pricing plans for more details.

Snyk recommends installing or migrating to the Bitbucket Cloud Application for smoother integration and to ensure long-term support.

The Snyk Bitbucket Cloud (PAT) integration lets you:

  • Continuously perform security scanning across all the integrated repositories

  • Detect vulnerabilities in your open-source components

  • Provide automated fixes and upgrades

How to set up the Snyk Bitbucket Cloud Integration

Admin permissions are required; however, Snyk's access is ultimately limited by the permissions assigned to the App Password.

  1. To give Snyk access to your Bitbucket account, set up a dedicated service account in Bitbucket with admin permissions. See the Bitbucket documentation to learn more about adding users to a workspace. The newly created user must have Admin permissions to all the repositories you need to monitor with Snyk.

  2. In Snyk, go to the Integrations page, open the Bitbucket Cloud card, and configure the Account credentials.

  3. Follow the Bitbucket procedure to set up an account with the following permissions:

    • Account: Email & Read

    • Workspace membership: Read

    • Projects: Read

    • Repositories: Read & Write

    • Pull requests: Read & Write

    • Webhooks: Read & Write

    See the Bitbucket documentation for more details about the procedure.

How to add Bitbucket repositories to Snyk

After you connect Snyk to your Bitbucket Cloud account, you can select repositories for Snyk to monitor.

  1. In Snyk, go to Integrations > Bitbucket Cloud card, and click Add your Bitbucket Cloud repositories to Snyk to start importing repositories to Snyk.

  2. Choose the repositories you want to import to Snyk and click Add selected repositories.

After you add the selected repositories, Snyk scans them for dependency files in the entire directory tree, that is, package.json, pom.xml, and so on, and imports them to Snyk as Projects.

The imported projects appear on your Projects page and are continuously checked for vulnerabilities.

Bitbucket integration features

After the integration is in place, you will be able to use capabilities such as:

Project-level security reports

Snyk produces advanced security reports that let you explore the vulnerabilities found in your repositories and fix them immediately by opening a fix pull request directly to your repository, with the required upgrades or patches.

The example that follows shows a Project-level security report.

Project monitoring and automatic fix Pull Requests

Snyk scans your Projects on either a daily or a weekly basis. When new vulnerabilities are found, Snyk notifies you by email and by opening automated pull requests with fixes for your repositories.

The example that follows shows a fix Pull Request opened by Snyk.

To review and adjust the automatic fix pull request settings:

  1. Scroll to the Automatic fix PRs section and configure the relevant options.

Unlike manual pull requests opened from the Bitbucket interface, Snyk pull requests are not automatically assigned to the default reviewer set in your Bitbucket Cloud account.

For more information, see Snyk automated pull requests.

Pull request tests

Snyk tests any newly-created pull request in your repositories for security vulnerabilities and sends a build check to Bitbucket Cloud. You can see directly from Bitbucket Cloud whether or not the pull request introduces new security issues.

The example that follows shows a Snyk pull request build check on the Bitbucket Cloud Pull Request page.

To review and adjust the pull request tests settings:

  1. Scroll to Default Snyk test for pull requests > Open Source Security & Licenses, and configure the relevant options.

Required permissions scope for the Bitbucket Cloud integration

All the operations, whether triggered manually or automatically, are performed for a Bitbucket Cloud service account that has its token (App Password) configured in the Integration settings.

The table that follows shows the required access scopes for the configured token.

ActionPurposeRequired permissions in Bitbucket

Daily / weekly tests

Used to read manifest files in private repos

Repositories: Read

Manual fix pull requests (triggered by the user)

Used to create fix PRs in the monitored repos

Repositories: Read, Write

Pull requests: Read, Write

Automatic fix and upgrade pull requests

Used to create fix / upgrade PRs in the monitored repos

Repositories: Read, Write Pull requests: Read, Write

Snyk tests on pull requests

Used to send pull request status checks whenever a new PR is created or an existing PR is updated

Repositories: Read, Write Pull requests: Read, Write

Importing new projects to Snyk

Used to present a list of all the available repos in the Bitbucket instance in the "Add Projects" screen (import popup)

Account: Read

Workspace membership: Read

Projects: Read

Snyk tests on pull requests: initial configuration

Used to add SCM webhooks to the imported repos. Snyk uses these webhooks to:

  • Track the state of Snyk pull requests when PRs are created, updated triggered, merged, and so on

  • Send push events to trigger PR checks

Webhooks: Read, Write

Required permissions scope for repositories

For Snyk to perform the required operations on monitored repositories, such as reading manifest files on a frequent basis and opening fix or upgrade PRs, the integrated Bitbucket Cloud service account needs Admin permissions on the imported repositories.

ActionPurposePermissions required on repo

Daily / weekly tests

Used to read manifest files in private repositories.

Write or above

Snyk tests on pull requests

Used to send pull request status checks when a new PR is created or an existing PR is updated.

Write or above

Opening fix and upgrade pull requests

Used to create fix PRs in monitored repositories.

Write or above

Snyk tests on pull requests - initial configuration

Used to add SCM webhooks to the imported repos. Snyk uses these webhooks to:

  • Track the state of Snyk pull requests when PRs are created, updated, triggered, merged, and so on.

  • Send push events to trigger PR checks.

Admin

How to disconnect Snyk from Bitbucket Cloud

When you disconnect Snyk from your repository Projects, your credentials are removed from Snyk, and any integration-specific Projects that Snyk is monitoring are deactivated in Snyk. If you choose to re-enable this integration, you must re-enter your credentials and activate your Projects.

  1. In your list of integrations, select the Bitbucket integration you want to deactivate and click Edit settings to open a page with the current status of your integration. The page includes sections that are specific to each integration, where you can manage your credentials, API key, Service Principal, or connection details.

  2. Scroll to the relevant section and click Disconnect.

Last updated

More information

Snyk privacy policy

© 2023 Snyk Limited | All product and company names and logos are trademarks of their respective owners.