Bitbucket Cloud - Integrate Bitbucket Cloud to scan for secrets, IaC misconfigurations, vulnerabilities, and license compliance to strengthen your VCS security posture. - Administrator Guide - Cortex Cloud Posture Management

Bitbucket Cloud - Integrate Bitbucket Cloud to scan for secrets, IaC misconfigurations, vulnerabilities, and license compliance to strengthen your VCS security posture. - Administrator Guide - Cortex Cloud Posture Management - Cortex CLOUD

Cortex Cloud Posture Management Documentation

Product

Cortex Cloud Application Security > Cortex CLOUD

License

Cloud Posture Management

Creation date

2025-01-22

Last date published

2026-06-04

How to integrate Bitbucket Cloud

Prerequisite

Before you begin:

Cortex Cloud user permissions: Ensure you have View/Edit permissions for Data Sources and Integrations (RBAC: AppSec Admin or Instance Administrator)
Bitbucket permissions: In Bitbucket, grant the user performing the Cortex application authorization the following permissions. The level of access required depends on the modules you intend to use:
- For code scanning: The user must have Write access:
  - Workspace group with default repository access: Add the user to a workspace group whose default repository access is set to Write
  - Repository permissions: Ensure the user has Write permissions on each repository that the Cortex application needs to access: Go to Bitbucket > Repository Settings and grant the user write access to the relevant repositories
- For CI/CD security module: The user requires Administrator permissions for both Projects and Repositories
  Note
  If you intend to use CI/CD security, you must grant Administrator access now to prevent integration errors later.
For more information on Bitbucket Cloud permissions refer to the Bitbucket Authentication documentation.
Bitbucket authentication (OAuth 2.0): Cortex Cloud exclusively uses an OAuth flow for Bitbucket Cloud integrations.
- Automated token refresh: There is no need to manually rotate tokens, as the OAuth integration automatically refreshes tokens in the background
NOTE: Personal Access Tokens (PATs) are not supported as an authentication method.
Scope: The Cortex application requires the following authorization scopes:
Read more...
project: Provides access to view the project or projects. This scope implies the repository scope, giving read access to all the repositories in a project or projects
repository: Provides read access to a repository or repositories. Note that this scope does not give access to a repository’s pull requests. Includes 'access to the repo’s source code', 'clone over HTTPS', 'access the file browsing API', 'download zip archives of the repo’s contents', 'the ability to view and use the issue tracker on any repo (created issues, comment, vote, etc)', 'the ability to view and use the wiki on any repo (create/edit pages)'
repository:write: Provides write (not admin) access to a repository or repositories. No distinction is made between public and private repositories. This scope implicitly grants the repository scope, which does not need to be requested separately. This scope alone does not give access to the pull requests API. Includes 'push access over HTTPS' and 'fork repos'
pullrequest: Provides read access to pull requests. This scope implies the repository scope, giving read access to the pull request’s destination repository. Includes 'see and list pull requests', 'create and resolve tasks' and 'comment on pull requests'
pullrequest:write: Implicitly grants the pullrequest scope and adds the ability to create, merge and decline pull requests. This scope also implicitly grants the repository:write scope, giving write access to the pull request’s destination repository. This is necessary to allow merging. Includes 'merge pull requests', 'decline pull requests', 'create pull requests' and 'approve pull requests'
issue: The ability to interact with issue trackers the way non-repo members can. This scope doesn’t implicitly grant any other scopes and doesn’t give implicit access to the repository. Includes 'view, list and search issues', 'create new issues', 'comment on issues', 'watch issues' and 'vote for issues'
issue:write: This scope implicitly grants the issue scope and adds the ability to transition and delete issues. This scope doesn’t implicitly grant any other scopes and doesn’t give implicit access to the repository. Includes 'transition issues' and 'delete issues'
webhook: Gives access to webhooks. This scope is required for any webhook-related operation.
This scope gives read access to existing webhook subscriptions on all resources the authorization mechanism can access, without needing further scopes. For example, a client can list all existing webhook subscriptions on a repository. The repository scope is not required. Existing webhook subscriptions for the issue tracker on a repo can be retrieved without the issue scope. All that is required is the webhook scope.
To create webhooks, the client will need read access to the resource. For example, for issue:created, the client will need to have both the webhook and the issue scope. Includes 'list webhook subscriptions on any accessible repository, user, team, or snippet' and 'create/update/delete webhook subscriptions'
snippet: Provides read access to snippets. No distinction is made between public and private snippets (public snippets are accessible without any form of authentication). Includes 'view any snippet' and 'create snippet comments'
email: Ability to see the user’s primary email address. This should make it easier to use Bitbucket Cloud as a login provider for apps or external applications
account: When used for:
user-related APIs: Gives read-only access to the user’s account information. Note that this doesn’t include any ability to change any of the data. This scope allows you to view the user’s: email addresses, language, location, website, full name, SSH keys, user groups
workspace-related APIs: Grants access to view the workspace’s: users, user permissions, projects
pipeline: Gives read-only access to pipelines, steps, deployment environments and variables
pipeline:write: Gives write access to pipelines. This scope allows a user to: stop pipelines, rerun failed pipelines, resume halted pipelines and trigger manual pipelines
Egress path: Create an egress path to establish the designated route for outbound data transmission from Cortex Cloud to third party services. For more information about configuring egress paths, refer to Egress configurationsEgress configurations

Onboarding steps

On the Cortex Cloud tenant.
1. Select Settings → Data Sources & Integrations → + Add New.
2. Search for Bitbucket Cloud, hover over it, and click Add, or Add Another Instance if an instance is already onboarded.
3. Authenticate: Click Authorize on the Configure account step of the Bitbucket Cloud wizard.
  You are redirected to Bitbucket Cloud.
Authorize Cortex Cloud Application Security on Bitbucket Cloud: Review the requested permissions and then select Grant access.
You are redirected to the Select Repositories step of the integration wizard.
Configure repositories: Select the repositories to be connected to the instance:
- Permit all existing repositories
- Permit all existing and future repositories
- Select Choose from repository list and select repositories from the list
Select Save to confirm the repository selection and then Close on the final step of the wizard.
Note
Ensure that you receive the Instance Successfully Created message on this step, indicating successful instance creation.

Verify integration

On Data Sources & Integrations, search for Bitbucket Cloud.
Hover over and select the resulting entry.
Locate your instance and verify that the status is Connected.

Next steps

View repository assets and mitigate detected issues.

Subscribed events

Below is a comprehensive list of events to which Cortex Cloud Application SecurityBitbucket CloudCortex Cloud Application Security.

repo:push: This event is triggered whenever a push operation occurs within a repository, indicating that new commits have been added or existing commits have been updated
repo:fork: This event occurs when a repository is forked, creating a copy of the original repository within the same or a different workspace
repo:updated: This event is triggered when there are updates or changes made to the repository settings or configuration
repo:commit_comment_created: This event occurs when a new comment is created on a commit within the repository
repo:commit_status_created: This event is triggered when a new status or check is created for a commit within the repository
repo:commit_status_updated: This event occurs when the status or check of a commit within the repository is updated
issue:created: This event is triggered when a new issue is created within the repository
issue:comment_created: This event occurs when a new comment is added to an existing issue within the repository
issue:updated: This event is triggered when an existing issue within the repository is updated or modified
pullrequest:created: This event occurs when a new pull request is created within the repository
pullrequest:updated: This event is triggered when an existing pull request within the repository is updated or modified
pullrequest:fulfilled: This event occurs when a pull request is fulfilled or merged into the target branch
pullrequest:rejected: This event is triggered when a pull request is rejected or closed without being merged

Manage data source integrations

Manage integrations to align with evolving requirements and ensure they remain current.

Navigate to Settings → Data Sources & Integrations and use the Vendor filter to located the required integration.
Select your vendor from the list.
The integrated instances for the selected vendor are displayed.
Right-click on an instance and select an option:
- Edit instance: Redirects to the Select Repositories step of the integration wizard, where you can modify configurations for the selected instance. For more details, refer to the relevant integration guide
- Delete instance: When confirmed, deletes the instance, including data from previous scans
- Copy entire row – Copies all column values for the selected row to the clipboard.