Bitbucket Data Center - Administrator Guide - Cortex Cloud Posture Management - Cortex CLOUD

Cortex Cloud Runtime Security Documentation

Product: Cortex Cloud Application Security > Cortex CLOUD
License: Cloud Runtime Security
Creation date: 2024-12-24
Last date published: 2026-06-04
Category: Administrator Guide

Integrate Cortex Cloud Application Security with your Bitbucket Data Center version control system (VCS) to enable security scans for exposed secrets, infrastructure-as-code (IaC) misconfigurations, vulnerabilities, package operational risks, and license compliance issues in your repositories. This integration allows you to analyze, prioritize, and resolve detected issues efficiently.

Architecture and connectivity

While never strictly required, deploying a Transporter over a Broker VM is recommended for isolated environments where the Cortex Cloud platform has no direct way to reach your internal enterprise resources. In these scenarios, the Transporter solves the connectivity problem by:

  • Living inside your network as an applet on the Broker VM

  • Initiating an outbound WebSocket connection to the cloud, meaning no inbound firewall rules or direct IP access are needed

  • Proxying requests from the cloud to internal resources, allowing Cortex Cloud to perform secure code scanning without exposing your internal network to the public cloud

For more information on Transporter, refer to Transporter over Broker VM.

If your Bitbucket Data Center instance is already internet-accessible or managed via existing connectivity solutions (such as a VPN or network peering), the Transporter is not needed.

Supported versions: This integration supports Bitbucket Data Center and Data Center Server versions 8 and later.

How to integrate Bitbucket Data Center

Prerequisite

Before you begin:

  • Bitbucket authorization (PAT): You must generate a Personal Access Token (PAT) within your Bitbucket Server account settings to authenticate the connection. For detailed instructions on creating a PAT in Bitbucket Server, refer to Reference: Creating a PAT in Bitbucket Data Center

    NOTE: OAuth authentication is not supported as an authentication method.

    • Scopes and permissions: The PAT must be scoped with Administrator permissions for both Projects and Repositories

    • PAT expiration and rotation: For security purposes, it is highly recommended to configure the PAT to expire automatically. Because this token is static, setting an expiration means you must proactively rotate it before it expires to avoid connection disruptions. For detailed instructions on rotating a PAT, refer to Rotate integration tokens

  • Onboarding port: Port 443 is required for all on-premise onboarding for outbound HTTPS communication to Cortex Cloud. If the Transporter is used, it specifically uses port 443 for its WSS tunnel

Onboarding steps
  1. Search for Bitbucket Data Center, hover over it, and click Add, or Add Another Instance if an instance is already onboarded.

  2. Enter your domain in the Configure Domain step of the wizard and click Next.

  3. Optional: Connect a Transporter: Select your Broker VM and associated Transporter applet from the provided menus.

    Note

    For more information about the Transporter, including setup instructions, refer to Transporter over Broker VM.

  4. Click Next.

  5. On the Create a Personal Access Token step:

    • Paste your Bitbucket PAT and click Next.

  6. Under Selection Options of the Select Repositories step:

    • Choose the repositories to be connected to the instance:

      • Permit all existing repositories

      • Permit all existing and future repositories

      • Select Choose from repository list and select repositories from the list

    • Click Save.

  7. Click Close on the final step.

    Note

    Ensure that you receive the Instance Successfully Created message on this step, indicating successful instance creation.

Verify integration
  1. On the Data Sources & Integrations page, search for Bitbucket Data Center.

  2. Hover over and select the resulting entry.

  3. Locate your instance and verify that the status is Connected.

Next steps

View repository assets and mitigate detected issues.

Subscribed events

Below is a comprehensive list of events to which Cortex Cloud Application Security is subscribed. These events encompass various actions and changes occurring within your Bitbucket Data Center environment that trigger notifications and integrations with Cortex Cloud Application Security.

Subscribed events for the CI/CD module

These events are specific to the CI/CD module to which Cortex Cloud is subscribed. They encompass various actions and changes occurring within your CI/CD environment that trigger notifications and integrations with Cortex Cloud.

Rotate integration tokens

Rotate integration tokens to enhance security and prevent unauthorized access.

Create a PUT request: PUT /public_api/appsec/v1/integrations/{id} with the following body:

{
"token": "new token"
}

To locate your integration ID:

  1. Under Cortex Cloud Application Security, select Settings > Data Sources & Integrations.

  2. Hover over Bitbucket Data Center and click View Details.

  3. Select the required instance from the list and retrieve the cas_connector_id from the URL.
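
A rotation helper covering the PAT expiry requirement in the prerequisites and the PUT request above, as an added example that is not part of the Cortex Cloud documentation. The API base URL and authentication headers are not given on this page, so they are read from environment variables whose names are hypothetical; the 14-day lead time is also an assumption.

```python
import json
import os
import urllib.request
from datetime import date, timedelta
from urllib.parse import quote

ROTATE_PATH = "/public_api/appsec/v1/integrations/{id}"  # endpoint from this guide


def rotation_due(expires_on: date, today: date, lead_days: int = 14) -> bool:
    """True once the PAT is inside the rotation window (or already expired)."""
    return today >= expires_on - timedelta(days=lead_days)


def build_rotation_request(api_base: str, integration_id: str, new_pat: str,
                           auth_headers: dict) -> urllib.request.Request:
    """Build (but do not send) the PUT that replaces the stored Bitbucket PAT."""
    if not api_base.startswith("https://"):
        raise ValueError("refusing to send a token over a non-HTTPS URL")
    if not integration_id or not new_pat.strip():
        raise ValueError("integration id and new token are required")
    # integration_id is the cas_connector_id taken from the instance URL
    url = api_base.rstrip("/") + ROTATE_PATH.format(id=quote(integration_id, safe=""))
    body = json.dumps({"token": new_pat.strip()}).encode("utf-8")
    headers = {"Content-Type": "application/json", **auth_headers}
    return urllib.request.Request(url, data=body, headers=headers, method="PUT")


def redact(req: urllib.request.Request) -> str:
    """Log-safe summary: method and URL only, never the body or auth headers."""
    return f"{req.get_method()} {req.full_url}"


if __name__ == "__main__":
    # Secrets come from the environment, not argv, so they stay out of shell
    # history and process listings. Every variable name below is hypothetical.
    expires = date.fromisoformat(os.environ["CURRENT_PAT_EXPIRES"])  # YYYY-MM-DD
    if not rotation_due(expires, date.today()):
        raise SystemExit("PAT not yet inside the rotation window")
    req = build_rotation_request(
        os.environ["CORTEX_API_BASE"],
        os.environ["CAS_CONNECTOR_ID"],
        os.environ["NEW_BITBUCKET_PAT"],
        json.loads(os.environ["CORTEX_AUTH_HEADERS"]),  # JSON object of headers
    )
    print(redact(req))
    with urllib.request.urlopen(req, timeout=30) as resp:
        print("HTTP", resp.status)
```

Create the replacement PAT in Bitbucket first, and revoke the old one only after the instance status shows Connected again.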

Manage data source integrations

Manage integrations to align with evolving requirements and ensure they remain current.

  1. Navigate to Settings > Data Sources & Integrations and use the Vendor filter to locate the required integration.

  2. Select your vendor from the list.

    The integrated instances for the selected vendor are displayed.

  3. Right-click on an instance and select an option:

    • Edit instance: Redirects to the Select Repositories step of the integration wizard, where you can modify configurations for the selected instance. For more details, refer to the relevant integration guide

    • Delete instance: When confirmed, deletes the instance, including data from previous scans

    • Copy entire row: Copies all column values for the selected row to the clipboard

Reference: Creating a PAT in Bitbucket Data Center

If you do not already have a properly scoped Personal Access Token for this integration, follow these steps within your Bitbucket Data Center environment.

Important

Always refer to the Bitbucket documentation for information relating to creating a PAT.

  1. Navigate to Bitbucket Server > Manage account > Account settings > Personal access tokens.

  2. Provide a token name.

  3. Select the Permissions scope.

    • Projects: Administrator permissions

    • Repositories: Administrator permissions

    Note

    • By default, the permissions of the access token are set according to your current access level. It is essential to define two levels of permissions, Project and Repository permissions. The Repository permissions inherit from Project permissions, requiring Repository permissions to match or exceed Project permissions

    • Providing read and write permissions to the necessary repositories enables Cortex Cloud Application Security to copy files for scanning and access repository settings. This enables automated responses to pull requests, including creating fix PRs and adding comments

  4. Select the Expire automatically option.

    Note

    For additional security, it is recommended to set an expiry automatically. The expiry date of a token cannot be changed after it is created. You can see the expiry dates for all your tokens on Profile picture > Manage account > Personal access tokens.

  5. Click Create.

  6. Copy the generated token from the dialog.