Bitbucket Sensor Guide
The Venafi Sensor User Guide provides instructions for deploying and operating the Venafi Sensor within the Keyfactor AgileSec Platform. This guide covers supported authentication methods, execution methods, configuration options, and troubleshooting.
Refer to Sensors Architecture and Overview for additional details on sensor architecture, data flows, incremental scanning, and auto-resolution.
Overview
The Bitbucket Sensor integrates Bitbucket (cloud or Bitbucket Enterprise) with Keyfactor's AgileSec Platform. It allows you to discover, inventory, and analyze cryptographic assets across multiple repositories within a Bitbucket workspace.
Key Features
- Workspace-Wide Scanning: Scans all repositories in a Bitbucket workspace in a single execution.
- Flexible Filtering: Use glob patterns to include or exclude specific repositories.
- Deep Cryptographic Discovery: Automatically identifies certificates, private keys, keystores, and cryptographic libraries embedded in source code.
What Gets Scanned
The sensor downloads repository archives from Bitbucket and analyzes all files to discover:
- X.509 Certificates: SSL/TLS certificates, code signing certificates, client authentication certificates
- Private Keys: RSA, DSA, EC private keys in PEM, DER, and PKCS8 formats
- Java Keystores: JKS, JCEKS, PKCS12 keystores
- Tokens: JWT and JWE tokens
- Cryptographic Libraries: OpenSSL, BouncyCastle, cryptography.io, and other crypto implementations
- Code Artifacts: Embedded certificates in compiled code (JAR, WAR, EAR files)
Prerequisites
Bitbucket Requirements
| Requirement | Details |
|---|---|
| Protocol | HTTPS required for API access. |
| Access | Network connectivity from the sensor machine to the Bitbucket server. |
| API Access | Bitbucket REST API (v2) must be accessible. |
Remote Execution Requirements
If running the unified sensor remotely using CLI:
| Component | Requirement |
|---|---|
| Operating System | |
| RAM | 3 GB minimum, 4 GB recommended for large repositories |
| Disk Space | Minimum 2x the size of your repository. |
| Permissions | Read/Write access to the working directory |
Supported Authentication Methods
The Bitbucket sensor uses either Basic Auth or Bearer Token Auth.
Basic Auth
Basic auth requires both the username and password fields. The username is the email of the account used for authentication. The password is the API token.
To create an API token, first navigate to the Bitbucket User Account Settings and follow the dialogs in order:
1. "Account settings"
2. "Security"
3. "Create and manage API tokens"
4. "Create API token with scopes"
When creating the API token with scopes, select the following:
- Under "Select the App", choose the first option, the "Bitbucket" API.
- Grant the token the following scopes:
  - `read:project:bitbucket`
  - `read:repository:bitbucket`
  - `read:workspace:bitbucket`
The UI will then provide the token for use by this sensor. Store the token securely and provide it as the password field.
Note: legacy app password authentication uses the same API and can be provided as the password field.
Bearer Token Auth
Bearer Token auth is mutually exclusive with Basic Auth. It requires setting the "token" in the configuration file. For more information on bearer tokens, please see Bitbucket's documentation.
Running the Sensor
The Bitbucket sensor can be executed using the following methods:
- Platform Scan Execution: Configure and execute scans directly through the Keyfactor AgileSec web UI with on-demand or scheduled execution options.
- Using API: Programmatically trigger scans through REST API calls, enabling integration with CI/CD pipelines and automation workflows.
- Remote Scan Execution: Deploy and run the sensor via CLI on customer-managed infrastructure for scenarios such as:
  - Scanning air-gapped or internal instances the platform cannot directly reach
  - Customers wanting to manage their own scheduling and execution environment
Refer to Sensors Architecture and Overview: Running the Sensor for additional execution and flow details.
Platform Scan Execution
Running the sensor through the user interface is the simplest and fastest way to get started. It enables on-demand or scheduled scans to run in a dedicated environment.
Runs on Keyfactor AgileSec Platform
For on-premise deployments, scans run on scan nodes, or backend nodes.
For Kubernetes environments:
Leverages automatic resource provisioning and auto-scaling
Creates ephemeral sandbox pods for performing each scan.
Platform Scan Configuration
Step 1: Navigate to Sensors Setup Page
1.1 Open your browser and navigate to the Keyfactor AgileSec Platform Web URL
1.2 Log in with your credentials
1.3 Click on "Sensors" in the navigation bar.

Step 2: Select Bitbucket Sensor
2.1 Click the "Choose a Sensor" button

2.2 Browse or search for "Bitbucket".
2.3 Click on the Bitbucket sensor card

This will open the sensor configuration interface.
Step 3: Configure Sensor Parameters
3.1 Fill in the required configuration parameters:

Platform Scan Configuration Fields
| Field Name | Display Name | Type | Required | Description |
|---|---|---|---|---|
| url | Bitbucket API Base URL | Single-line text | ❌ No | Only specify this field if self-hosting a Bitbucket Server instance. For Bitbucket.com (cloud), leave blank (defaults to https://api.bitbucket.org/2.0). |
| username | Username | Single-line text | ❌ No | Email of the Bitbucket user account. Only required when scanning private repositories. |
| password | API Token | Password field | ❌ No | Required for scanning private repos with Basic Auth. |
| token | Bearer Token | Password field | ❌ No | Required for scanning private repos via Bearer Token auth. |
| branch | Branch | Single-line text | ❌ No | Branch to scan (if not specified, the default branch is inferred). |
| include_paths | Accepted Paths | Multiple values | ✅ Yes | Glob patterns for repositories to include, in workspace/glob format. Examples: `myorg` (equivalent to `myorg/**`), `myorg/myrepo`. |
| exclude_paths | Excluded Paths | Multiple values | ❌ No | Glob patterns for repositories to exclude from the included set, in the same format as include_paths. |
Scan Execution Using API
Scans may be programmatically triggered through REST API calls, enabling seamless integration with CI/CD pipelines, automation workflows, and custom applications. API execution provides flexibility for developers to incorporate cryptographic scanning into their existing development and deployment processes.
Note: For complete API reference, see the API document.
API Access Token
1. Open your browser and navigate to the AgileSec Platform UI.
2. Log in with your Keyfactor credentials.
3. Click "Access Tokens" in the main navigation menu.
4. Click "Generate Token".
5. Set Token Type to API Token and provide the required details.
6. Click "Generate" and copy the generated token.

API Endpoint
```
POST https://<platform-url>/v3/scan/create
```
Request Format
Headers
```
Content-Type: application/json
isg-api-token: <your-api-token>
```
Request Body
The complete request body contains the sensor configuration in the sensorConfig field, for example:
```json
{
  "sensorName": "<sensor name>",
  "sensorType": "Bitbucket Sensor",
  "sensorConfig": {
    "url": "<bitbucket api url>",
    "username": "<email of the bitbucket account>",
    "password": "<API token>",
    "token": "<Bearer token>",
    "branch": "<branch name>",
    "include_paths": "<include patterns>",
    "exclude_paths": "<exclude patterns>"
  },
  "callbackId": "<callback id>",
  "labels": [
    {
      "<label name>": "<label value>"
    }
  ],
  "priority": "<priority>"
}
```
Note that `password` (Basic Auth) and `token` (Bearer Token auth) are mutually exclusive; send one or the other, not both.
API Field Descriptions
See Platform Scan Configuration Fields.
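The following is an added example, not code from the guide or from Keyfactor: it builds the scan-create request body described above and enforces the rules stated in this guide (Accepted Paths is the only required field, Basic Auth needs both username and password, Bearer Token auth is mutually exclusive with Basic Auth) before anything is sent. The platform host and tokens are placeholders; sending `include_paths` as a JSON list is an assumption, since the guide only shows a placeholder string.

```python
import json
import urllib.request

# Placeholders constructed for this example; not a real host or token.
PLATFORM_URL = "https://platform.example.invalid"
SCAN_CREATE_PATH = "/v3/scan/create"   # endpoint named in the guide
API_TOKEN_HEADER = "isg-api-token"     # header named in the guide


def build_sensor_config(include_paths, exclude_paths=(), url=None, username=None,
                        password=None, token=None, branch=None):
    """Build the sensorConfig object, rejecting combinations the guide rules out."""
    if not include_paths:
        raise ValueError("include_paths (Accepted Paths) is required")
    if token is not None and (username is not None or password is not None):
        raise ValueError("Bearer Token auth and Basic Auth are mutually exclusive")
    if (username is None) != (password is None):
        raise ValueError("Basic Auth requires both username and password")
    # List form for the path patterns is an assumption (the guide shows a placeholder).
    config = {"include_paths": list(include_paths)}
    if exclude_paths:
        config["exclude_paths"] = list(exclude_paths)
    for key, value in (("url", url), ("username", username), ("password", password),
                       ("token", token), ("branch", branch)):
        if value is not None:
            config[key] = value
    return config


def build_scan_request(sensor_name, sensor_config, callback_id=None, labels=None, priority=None):
    """Assemble the request body; labels is a dict rendered as the guide's list of one-key objects."""
    body = {"sensorName": sensor_name,
            "sensorType": "Bitbucket Sensor",
            "sensorConfig": sensor_config}
    if callback_id is not None:
        body["callbackId"] = callback_id
    if labels:
        body["labels"] = [{name: value} for name, value in labels.items()]
    if priority is not None:
        body["priority"] = priority
    return body


def make_http_request(api_token, body, platform_url=PLATFORM_URL):
    """Serialize with json.dumps (no hand-written trailing commas) and attach the required headers."""
    data = json.dumps(body).encode("utf-8")
    return urllib.request.Request(
        platform_url + SCAN_CREATE_PATH,
        data=data,
        method="POST",
        headers={"Content-Type": "application/json", API_TOKEN_HEADER: api_token},
    )


def submit_scan(api_token, body, platform_url=PLATFORM_URL):
    """Perform the network call; not used by the offline checks below."""
    with urllib.request.urlopen(make_http_request(api_token, body, platform_url)) as resp:
        return json.loads(resp.read().decode("utf-8"))


def sensor_config_is_valid(**kwargs):
    """True when build_sensor_config accepts the given fields, False when it rejects them."""
    try:
        build_sensor_config(**kwargs)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    cfg = build_sensor_config(["myorg"], username="user@example.invalid",
                              password="api-token-placeholder", branch="develop")
    print(json.dumps(build_scan_request("bitbucket-nightly", cfg, labels={"team": "appsec"}), indent=2))
```

Keeping the validation in front of the HTTP call means a misconfigured scan (both credential types, or a lone username) fails locally instead of as a 401 from the platform.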
Remote Scan Execution
Remote Execution Flow allows you to run the sensor on a host using the Unified Sensor binary.
Remote Scan Execution Configuration
Step 1: Download Unified Sensor
1.1 Navigate to AgileSec Platform UI → Sensors → Remote Scan.

1.2 Download the sensor binary for your operating system.

Step 2: Generate Remote Sensor Token
2.1 In the Remote Scan UI, click "Generate Token".
2.2 Copy the generated token.
2.3 Store the token securely in an environment variable or set it in the sensor config:
```bash
export SENSOR_TOKEN="your-generated-token"
```
Step 3: Create Configuration File
Create a YAML configuration file (e.g., bitbucket-config.yml) with your scan settings. An example configuration can be found in config/sample-configs/bitbucket.yml.
Step 4: Run the Sensor
Execute the sensor with your configuration file:
Linux/macOS
```bash
./unified_sensor_linux -c bitbucket-config.yml
```
Windows (PowerShell)
```powershell
.\unified_sensor_windows.exe -c .\bitbucket-config.yml
```
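The configuration examples that follow keep the Bitbucket credential out of the file with the `${env:BITBUCKET_PASS}` form, and the support section asks for configs with tokens redacted. The code below is an added example, not part of the unified sensor: it resolves `${env:NAME}` references the way the examples imply, flags `password`/`token` values that were written as literals, and produces a redacted copy suitable for a support ticket. The sample config is a constructed dict mirroring the "Bitbucket Enterprise (With Auth)" YAML; that the sensor resolves references with exactly this syntax and only from the environment is an assumption.

```python
import re

# Matches the ${env:NAME} reference form used in the guide's YAML examples.
ENV_REF = re.compile(r"\$\{env:([A-Za-z_][A-Za-z0-9_]*)\}")
# plugin_config keys that carry credentials (from the guide's field table).
SECRET_KEYS = {"password", "token"}

# Constructed sample: the parsed form of the guide's "Bitbucket Enterprise (With Auth)" example.
SAMPLE_CONFIG = {
    "scan_config": {
        "plugins": ["isg_bitbucket", "trigger_discover", "export"],
        "config": {
            "isg_bitbucket": {
                "name": "bitbucket",
                "plugin_config": {
                    "url": "https://api.bitbucket.org/2.0",
                    "username": "user@example.invalid",
                    "password": "${env:BITBUCKET_PASS}",
                    "include_paths": ["internal-team"],
                    "exclude_paths": ["internal-team/archived-*"],
                },
            }
        },
    }
}


def resolve_env_refs(node, env):
    """Return a copy with every ${env:NAME} replaced by env[NAME]; a missing variable raises KeyError."""
    if isinstance(node, dict):
        return {k: resolve_env_refs(v, env) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve_env_refs(v, env) for v in node]
    if isinstance(node, str):
        def substitute(match):
            name = match.group(1)
            if name not in env:
                raise KeyError(f"environment variable {name} referenced in config is not set")
            return env[name]
        return ENV_REF.sub(substitute, node)
    return node


def env_refs_resolvable(node, env):
    """True when every reference in the config can be satisfied from env."""
    try:
        resolve_env_refs(node, env)
        return True
    except KeyError:
        return False


def find_literal_secrets(node, path=()):
    """Paths of credential keys whose value is a literal string instead of an ${env:...} reference."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key in SECRET_KEYS and isinstance(value, str) and not ENV_REF.fullmatch(value):
                hits.append("/".join(path + (key,)))
            hits.extend(find_literal_secrets(value, path + (key,)))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            hits.extend(find_literal_secrets(value, path + (str(index),)))
    return hits


def redact(node):
    """Copy of the config with credential values replaced, for sharing with support."""
    if isinstance(node, dict):
        return {k: ("<redacted>" if k in SECRET_KEYS else redact(v)) for k, v in node.items()}
    if isinstance(node, list):
        return [redact(v) for v in node]
    return node


if __name__ == "__main__":
    print("literal secrets in sample:", find_literal_secrets(SAMPLE_CONFIG))
    print(redact(resolve_env_refs(SAMPLE_CONFIG, {"BITBUCKET_PASS": "example-only"})))
```

Running `find_literal_secrets` on a config before committing it to a repository catches the case where someone pasted the API token in place of the environment reference.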
Remote Scan Execution Configuration Examples
Scan All Repos in a Workspace (Public)
```yaml
scan_config:
  plugins:
    - isg_bitbucket
    - trigger_discover
    - export
  config:
    isg_bitbucket:
      name: bitbucket
      plugin_config:
        include_paths:
          - "myorg"   # Equivalent to "myorg/**"
```
Bitbucket Enterprise (With Auth)
```yaml
scan_config:
  plugins:
    - isg_bitbucket
    - trigger_discover
    - export
  config:
    isg_bitbucket:
      name: bitbucket
      plugin_config:
        url: "https://api.bitbucket.org/2.0"
        username: "<account email>"
        password: "${env:BITBUCKET_PASS}"   # ENV for unified sensor
        include_paths:
          - "internal-team"
        exclude_paths:
          - "internal-team/archived-*"
```
Scan Specific Branch
```yaml
scan_config:
  plugins:
    - isg_bitbucket
    - trigger_discover
    - export
  config:
    isg_bitbucket:
      name: bitbucket
      plugin_config:
        url: "https://api.bitbucket.org/2.0"
        username: "<account email>"
        password: "${env:BITBUCKET_PASS}"   # ENV for unified sensor
        branch: "develop"
        include_paths:
          - "myorg/myrepo"
```
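The include/exclude semantics used in the field table and in the examples above (a bare workspace name means every repository in it, and exclude patterns are applied to the set that the include patterns selected) can be checked against a repository list before a scan runs. The code below is an added example written for this guide, not the sensor's own matcher: the glob rules it implements (`**` crosses path segments, `*` and `?` stay within one segment) are an assumption about how the sensor interprets workspace/glob patterns, and the repository list is constructed.

```python
import re

# Constructed sample of "workspace/repo" names as the sensor would list them.
REPOS = [
    "myorg/myrepo",
    "myorg/tools",
    "internal-team/billing",
    "internal-team/archived-2019",
    "internal-team/archived-old",
    "other/thing",
]


def _glob_to_regex(pattern):
    """Translate one workspace/glob pattern into an anchored regex.
    Assumed rules: '**' matches anything including '/', '*' matches within
    a segment, '?' matches one character within a segment."""
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
            continue
        ch = pattern[i]
        if ch == "*":
            parts.append("[^/]*")
        elif ch == "?":
            parts.append("[^/]")
        else:
            parts.append(re.escape(ch))
        i += 1
    return re.compile("^" + "".join(parts) + "$")


def _normalize(pattern):
    """A bare workspace name is shorthand for every repo in it ('myorg' == 'myorg/**'),
    as the comment on include_paths in the guide's first example states."""
    return pattern if "/" in pattern else pattern + "/**"


def select_repositories(repos, include_paths, exclude_paths=()):
    """Repositories matched by any include pattern and by no exclude pattern, in input order."""
    includes = [_glob_to_regex(_normalize(p)) for p in include_paths]
    excludes = [_glob_to_regex(_normalize(p)) for p in exclude_paths]
    selected = []
    for full_name in repos:
        if not any(rx.match(full_name) for rx in includes):
            continue
        if any(rx.match(full_name) for rx in excludes):
            continue
        selected.append(full_name)
    return selected


if __name__ == "__main__":
    print(select_repositories(REPOS, ["internal-team"], ["internal-team/archived-*"]))
```

Previewing the selection this way is the quickest check that an exclude pattern such as `internal-team/archived-*` removes only the archived repositories and not the whole workspace.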
Known Limitations
Binary Files
Description: While the sensor scans files, opaque binary blobs without recognized headers may not be deeply analyzed.
Troubleshooting
Common Errors
repository not found (404)
Cause: The URL is incorrect or the credentials provided do not have access to the private repository.
Fix: Check the URL.
Unauthorized (401)
Cause: Invalid credentials.
Fix: Verify the credentials are correct by testing with a manual `git clone` command.
could not find remote branch
Cause: The specified branch does not exist on the remote.
Fix: Verify the branch name matches exactly (case-sensitive).
Getting Support
Collect diagnostic information:
- Sensor version
- Configuration file (redact tokens)
- Log output
- Bitbucket details (cloud vs enterprise, URL, version)
Contact Support:
Portal: https://support.keyfactor.com