The Latest Features in Soteri’s Security for Bitbucket
Over the last quarter, we’ve added some impressive enhancements to Security for Bitbucket that give users greater control over their security scans, streamline auditing, and improve performance.
They are:
- Interactively review & hide false positives
- Grant access to additional users and groups
- Warn-only mode for the security hook
- Email notifications upon scan completion
- Bypass the security hook via a special string in the commit message
- New & updated built-in scan rules
- Dramatic performance improvements
We review each of them in detail below.
Interactively review & hide false positives
Sometimes Security for Bitbucket will report findings that are false positives (or real credentials that have already been revoked). For these cases there is now a “Mark reviewed” button next to each finding. Reviewed findings are ignored in all current and future scans of that repository, without any change having to be committed to the code.
Grant access to additional users and groups
Often the teams responsible for security audits are different from the ones administering Bitbucket. For this reason, we’ve added a global configuration that specifies which users and groups can access the security scan reports, in addition to the defaults.
All users granted access via the new global config will be able to see and interact with the global Security Scan Report, update the scanning settings, and view scan reports for individual repositories that they have read access to. Additional details here.
To grant access:
- Go to Administration → Add-Ons → Security for Bitbucket Settings.
- Under “App access for additional users and groups”, add the users or groups that should gain access to the global settings and reports.
Warn-only mode for the pre-receive security hook
As you know, Soteri Security for Bitbucket contains a pre-receive hook, which scans pushed code before it is accepted into Bitbucket. Previously, the Security Hook could only run in “Reject” mode, which blocked any push that produced a match.
However, there is now a “Warn-only mode” which prints a message to the pusher notifying them of the scan failures, but still allows the push to succeed. This can help organizations through the transition to establishing more secure development practices.
To enable “Warn-only mode”, navigate to Repository Settings → Hooks and click the pencil button next to the “Reject Vulnerable Commits” hook.
Warn-only mode can also be enabled globally by default via the Security for Bitbucket Settings page.
Email notifications upon scan completion
We have also added a way to configure email alerts for scan results after the scan is finished. You can enable this when triggering a scan via the REST API by adding additional “email” parameters.
Here is an example of what it might look like when scheduling a re-scan of all data on your Bitbucket instance with a single REST call; the email parameter is optional and can be omitted.
curl -u admin -X PUT "https://{bitbucket.server}/rest/security/latest/status/total_rescan?force=false&email=admin@company.co"
You can see examples of various scopes of scans here.
Bypass the security hook via a special string in the commit message
Sometimes when the pre-receive hook is enabled, synchronous scanning of pushes is excessively slow, or not feasible due to the size or complexity of the commits pushed.
In such cases, where a relief valve is needed, developers can now include the string **skip-soteri-security-check** in the commit message of the commit which should not be scanned.
If a scan is subsequently triggered via the Repository Scan Report page or the Global Scan Dashboard, the contents of the commit will be scanned. The bypass directive applies to the pre-receive hook only. Additionally, pushes with skipped hooks are logged so that they can be audited by security teams.
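Because bypassed pushes still need to be covered by a repository scan, a security team will want a quick way to list the commits that carried the directive. The following audit helper is an added example, not part of Soteri’s product or this release note: it parses a `git log` dump in a fixed delimited format (the format string, the field separators and the sample commits are all assumptions constructed for the example) and returns the commits whose message contains the bypass string.

```python
"""Audit helper for the skip-soteri-security-check bypass directive.
Input: a `git log --format='%H%x1f%an%x1f%aI%x1f%B%x1e'` dump
(fields separated by 0x1f, commits by 0x1e). Sample data is constructed."""
from dataclasses import dataclass

BYPASS_DIRECTIVE = "skip-soteri-security-check"  # exact string from the release notes
FIELD_SEP, RECORD_SEP = "\x1f", "\x1e"

@dataclass
class Commit:
    sha: str
    author: str
    date: str
    message: str  # full message: subject line plus body

def parse_git_log(raw):
    """Split a 0x1e/0x1f-delimited git log dump into Commit records."""
    commits = []
    for record in raw.split(RECORD_SEP):
        record = record.strip("\n")
        if not record:
            continue
        sha, author, date, message = record.split(FIELD_SEP, 3)
        commits.append(Commit(sha, author, date, message.strip()))
    return commits

def find_bypassed_commits(raw):
    """Return commits whose message (subject or body) contains the directive.
    Plain substring matching mirrors the wording of the release notes; every
    hit skipped the pre-receive hook and still needs a repository scan."""
    return [c for c in parse_git_log(raw) if BYPASS_DIRECTIVE in c.message]

# Constructed sample: one commit carries the directive in its body, one is a
# normal commit, one mentions the hook without using the directive.
SAMPLE_LOG = (
    "1111111111111111111111111111111111111111\x1fAlice\x1f2021-05-03T10:00:00+00:00\x1f"
    "Add vendored SDK\n\nLarge import, skip-soteri-security-check\x1e\n"
    "2222222222222222222222222222222222222222\x1fBob\x1f2021-05-03T11:00:00+00:00\x1f"
    "Fix typo in README\x1e\n"
    "3333333333333333333333333333333333333333\x1fCarol\x1f2021-05-03T12:00:00+00:00\x1f"
    "Document when the Soteri hook may be skipped\x1e\n"
)

if __name__ == "__main__":
    for c in find_bypassed_commits(SAMPLE_LOG):
        print(f"{c.sha[:10]} {c.author:<6} {c.date}  {c.message.splitlines()[0]}")
```

Each commit it prints is a candidate for a follow-up scan from the Repository Scan Report page or the Global Scan Dashboard.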
New & updated built-in scan rules
We’ve added detection for a number of cloud service API keys, which Soteri’s Security for Bitbucket now finds by default.
These new rules include:
- AZURE_ACCESS_KEY
- DYNATRACE_CLIENT_SECRET
- LINKEDIN_CLIENT_SECRET
- PYPI_UPLOAD_TOKEN
- SENDGRID_API_KEY
- SHOPIFY_PARTNER_API_ACCESS_TOKEN, SHOPIFY_SECRETS
In addition, GITHUB_KEY has been updated to support the new GitHub token format.
Performance Improvements
We’re also happy to share that we’ve made several performance enhancements! Expect:
- Dramatically faster scanning in multi-node environments — scans are now parallelized between nodes, whereas previously all scans ran on a single Bitbucket node.
- Much faster export of reports
- Much faster queuing of scans
Get Started with Soteri Today
Soteri’s Security for Bitbucket is available on the Atlassian Marketplace.
- Log into your Bitbucket instance as an admin and choose “Manage Add-ons”, or go to the Atlassian Marketplace.
- Locate Security for Bitbucket — Soteri and click “Try it free”.
- You’re all set! Click Close in the “Installed and ready to go” dialog.
As always, feel free to reach out at hello@soteri.io, or at our service desk.