Bitbucket Cloud Personal Access Token (Legacy)
Support for the Bitbucket Cloud (Legacy) Personal Access Token (PAT) integration will continue for Snyk users who configured it prior to mid October 2022.
If you're new to Snyk, the Legacy integration tile may not be available on the Integrations page.
Snyk recommends installing or migrating to the Bitbucket Cloud Application for smoother integration and to ensure long-term support.
Snyk's Bitbucket Cloud PAT integration lets you:
- Continuously perform security scanning across all the integrated repositories
- Detect vulnerabilities in your open source components
- Provide automated fixes and upgrades
The newly created user must have Admin permissions to all the repositories you need to monitor with Snyk.Admin permissions are required; however, Snyk's access is ultimately limited by the permissions assigned to the App Password.
- 1.To give Snyk access to your Bitbucket account, set up a dedicated service account in Bitbucket, with admin permissions. See the Bitbucket documentation to learn more about adding users to a workspace.
- 2.In Snyk, go to the Integrations page, open the Bitbucket Cloud card and configure the Account credentials.
- 3.In the Account credentials > Creating an app password section in Snyk, use the link(Create an App password) to jump to your Bitbucket Cloud account.
- 4.Follow the Bitbucket procedure to set up an account with the following permissions:
- Account: Email & Read
- Workspace membership: Read
- Projects: Read
- Repositories: Read & Write
- Pull requests: Read & Write
- Webhooks: Read & Write
- 5.Enter the username and the App Password for the Bitbucket account you created, and Save your changes. You can find your username under the Bitbucket Personal settings. Snyk connects to your Bitbucket Cloud account. When the connection succeeds, the following confirmation appears:
After you connect Snyk to your Bitbucket Cloud account, you can select repositories for Snyk to monitor.
- 1.In Snyk, go to Integrations > Bitbucket Cloud card, and click Add your Bitbucket Cloud repositories to Snyk to start importing repositories to Snyk.
- 2.Choose the repositories you want to import to Snyk and click Add selected repositories.
After you add them, Snyk scans the selected repositories for dependency files in the entire directory tree, (that is,
package.json
, pom.xml
, and so on) and imports them to Snyk as projects.The imported projects appear in your Projects page and are continuously checked for vulnerabilities.
%20(1)%20(1)%20(1)%20(1)%20(1)%20(1)%20(1)%20(1)%20(1)%20(1)%20(1)%20(1)%20(1)%20(12).png?alt=media)
The Imported projects in your Projects page
Once the integration is in place, you'll be able to use capabilities such as:
Snyk produces advanced security reports that let you explore the vulnerabilities found in your repositories, and fix them immediately by opening a fix pull request directly to your repository, with the required upgrades or patches.
The example below presents a project-level security report.

An example of a project-level security report
Snyk scans your projects on either a daily or a weekly basis. When new vulnerabilities are found, Snyk notifies you by email and by opening automated pull requests with fixes for your repositories.
The example below presents a fix Pull Request opened by Snyk.

Example of an automatic fix Pull Request opened by Snyk
To review and adjust the automatic fix pull request settings:
- 1.In Snyk, go to(Organization settings) > Integrations > Source control > Bitbucket Cloud, and click Edit Settings.
- 2.Scroll to the Automatic fix pull requests section and configure the relevant options.
%20(1)%20(1)%20(1)%20(1)%20(1)%20(1)%20(1)%20(1)%20(1)%20(1)%20(2).png?alt=media)
Modify the automatic fix pull requests
Unlike manual pull requests opened from the Bitbucket interface, Snyk pull requests are not automatically assigned to the default reviewer set in your Bitbucket Cloud account.
Snyk tests any newly created pull request in your repositories for security vulnerabilities and sends a build check to Bitbucket Cloud. You can to see whether the pull request introduces new security issues, directly from Bitbucket Cloud.
The example below presents a Snyk pull request build check on the Bitbucket Cloud Pull Request page.

Example of a Snyk pull request build check on the Bitbucket Cloud Pull Request page
To review and adjust the pull request tests settings,
- 1.In Snyk, go to(Organization settings) > Integrations > Source control > Bitbucket Cloud, and click Edit Settings.
- 2.Scroll to Default Snyk test for pull requests > Open Source Security & Licenses, and configure the relevant options.

Configuring the options for pull request Open Source Security & Licenses
All the operations, whether triggered manually or automatically, are performed for a Bitbucket Cloud service account that has its token (App Password) configured in the Integration settings.
The table below presents the required access scopes for the configured token:
Action | Purpose | Required permissions in Bitbucket |
---|---|---|
Daily / weekly tests | Used to read manifest files in private repos | Repositories: Read |
Manual fix pull requests (triggered by the user) | Used to create fix PRs in the monitored repos | Repositories: Read, Write Pull requests: Read, Write |
Automatic fix and upgrade pull requests | Used to create fix / upgrade PRs in the monitored repos | Repositories: Read, Write Pull requests: Read, Write |
Snyk tests on pull requests | Used to send pull request status checks whenever a new PR is created / an existing PR is updated | Repositories: Read, Write Pull requests: Read, Write |
Importing new projects to Snyk | Used to present a list of all the available repos in the Bitbucket in the "Add Projects" screen (import popup) | Account: Read Workspace membership: Read Projects: Read |
Snyk tests on pull requests - initial configuration | Used to add SCM webhooks to the imported repos. Snyk uses these webhooks to:
| Webhooks: Read, Write |
For Snyk to perform the required operations on monitored repositories (such as reading manifest files on a frequent basis and opening fix or upgrade PRs), the integrated Bitbucket Cloud service account needs Admin permissions on the imported repositories:
Action | Purpose | Required permissions on the repository |
---|---|---|
Daily / weekly tests | Used to read manifest files in private repositories. | Write or above |
Snyk tests on pull requests | Used to send pull request status checks when a new PR is created, or an existing PR is updated. | Write or above |
Opening fix and upgrade pull requests | Used to create fix PRs in monitored repositories. | Write or above |
Snyk tests on pull requests - initial configuration | Used to add SCM webhooks to the imported repos. Snyk uses these webhooks to:
| Admin |
To disable this integration, in
(Organization settings)> Integrations:

- 1.In your list of integrations, select the Bitbucket integration you want to deactivate and click Edit settings to open a page with the current status of your integration. The page includes sections that are specific to each integration, where you can manage your credentials, API key, Service Principal, or connection details.
- 2.Scroll to the relevant section and click Disconnect.

Disconnect button at the bottom left of the Disconnect from Bitbucket Cloud section
WARNING
When you disconnect Snyk from your repository projects, your credentials are removed from Snyk and any integration-specific projects that Snyk is monitoring are deactivated in Snyk.
If you choose to re-enable this integration later, you'll need to re-enter your credentials and activate your projects.