# Bitbucket
> **Enterprise feature**: This feature is only available with TruffleHog Enterprise. Contact us to learn more.

## Configuration options

### Web configuration

You can configure this integration via the web UI through the Integrations tab, or you can use a local configuration file as outlined below.

### Local configuration

#### Bitbucket Cloud with PAT

```yaml
sources:
  - connection:
      '@type': type.googleapis.com/sources.Bitbucket
      endpoint: https://bitbucket.org/myworkspace
      ignoreRepos:
        - https://bitbucket.ourbusiness.com/linux-kernel/ignore.git
        - https://bitbucket.ourbusiness.com/torvalds/ignore2.git
      skipBinaries: true
      # Bitbucket provides three types of access tokens.
      # We recommend using the "Workspace Access Token",
      # as it provides access to all projects and repositories.
      token: ATCTTxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    name: bitbucket-cloud-token-auth
    scanPeriod: 12h
    type: SOURCE_TYPE_BITBUCKET
    verify: true
```

#### Bitbucket Cloud with basic auth

```yaml
sources:
  - connection:
      '@type': type.googleapis.com/sources.Bitbucket
      basicAuth:
        # The password needs to be a Bitbucket-generated app password.
        # The password must have read access for both the
        # account and repositories. Tokens cannot be used
        # in place of the password for Bitbucket Cloud.
        password: xxxxxxxxxxxxxxxxxxxxxxxxxx
        username: scanner-account
      endpoint: https://bitbucket.org/myworkspace
      ignoreRepos:
        - https://bitbucket.ourbusiness.com/linux-kernel/ignore.git
        - https://bitbucket.ourbusiness.com/torvalds/ignore2.git
      skipBinaries: true
    name: bitbucket-cloud-basic-auth
    scanPeriod: 12h
    type: SOURCE_TYPE_BITBUCKET
    verify: true
```

#### Bitbucket Server/Data Center with basic auth

```yaml
sources:
  - connection:
      '@type': type.googleapis.com/sources.Bitbucket
      endpoint: https://bitbucket.ourbusiness.com
      basicAuth:
        # For Bitbucket Server / Data Center you can
        # use a token for the password field.
        password: xxxxxxxxxxxxxxxxxxxxxxxxxx
        username: scanner-account
      ignoreRepos:
        - https://bitbucket.ourbusiness.com/linux-kernel/ignore.git
        - https://bitbucket.ourbusiness.com/torvalds/ignore2.git
    name: bitbucket-server
    scanPeriod: 12h
    type: SOURCE_TYPE_BITBUCKET
    verify: true
```

#### Bitbucket Server/Data Center with OAuth

```yaml
sources:
  - connection:
      '@type': type.googleapis.com/sources.Bitbucket
      endpoint: https://bitbucket.ourbusiness.com
      oauth:
        refreshToken: <refresh token you generated with the script>
        clientId: <generated client id in Bitbucket application link>
        clientSecret: <generated client secret in Bitbucket application link>
        redirectUri: <redirect URI inputted in Bitbucket application link>
      allowSecretsManagerWrite: true
      oauthAuthorizationEndpoint: https://bitbucket.ourbusiness.com/rest/oauth2/latest/authorize
      oauthTokenEndpoint: https://bitbucket.ourbusiness.com/rest/oauth2/latest/token
      oauthScopes:
        - REPO_READ
      ignoreRepos:
        - https://bitbucket.ourbusiness.com/linux-kernel/ignore.git
        - https://bitbucket.ourbusiness.com/torvalds/ignore2.git
    name: bitbucket-server
    scanPeriod: 12h
    type: SOURCE_TYPE_BITBUCKET
    verify: true
```

| Key | Description | Required |
| --- | --- | --- |
| `endpoint` | The endpoint URI for Bitbucket. | Yes, if using basic auth or OAuth |
| `repositories` | List of repositories to scan. Leaving it off will enumerate them instead. | No |
| `ignoreRepos` | List of repositories to ignore. Typically used when using enumeration. | No |
| `skipBinaries` | If true, binary files will be ignored. | No |
| `skipArchives` | If true, archive files will be ignored. | No |
| `installationType` | Set to `AUTODETECT`, `CLOUD`, or `DATA_CENTER`. `AUTODETECT` is the default; `CLOUD` or `DATA_CENTER` will disable autodetection. See "Notes" below. | No |
| `allowSecretsManagerWrite` | If true, allows TruffleHog to overwrite the secret in the user's secrets manager that contains the TruffleHog config. Used to keep the refresh token in the config up to date for on-prem OAuth if the config is pulled from a secrets manager. Currently compatible only with AWS Secrets Manager. AWS required permissions: `secretsmanager:PutSecretValue`. | No |
| `oauthAuthorizationEndpoint` | Endpoint Bitbucket Data Center uses to give OAuth authorization codes. | Yes, if using OAuth |
| `oauthTokenEndpoint` | Endpoint Bitbucket Data Center uses to give OAuth access/refresh tokens. | Yes, if using OAuth |
| `oauthScopes` | List of access token scopes. Should generally be `REPO_READ` only. | Yes, if using OAuth |

### Notes for Bitbucket Data Center local configuration (OAuth)

You will need to have admin access to your Bitbucket Data Center in order to create an external incoming application link for TruffleHog to use. The redirect URL is any trusted URL you have access to. The permissions given to TruffleHog need to include repository read access.

The refresh token needed for the TruffleHog configuration in the `oauth` field can be obtained with this script using the `-a` flag:

```bash
#!/bin/bash

# Replace these with your OAuth consumer details
CLIENT_ID="<generated client id in Bitbucket application link>"
CLIENT_SECRET="<generated client secret in Bitbucket application link>"
REDIRECT_URI="<redirect URI inputted in Bitbucket application link>"
AUTH_URL="https://bitbucket.ourbusiness.com/rest/oauth2/latest/authorize"
TOKEN_URL="https://bitbucket.ourbusiness.com/rest/oauth2/latest/token"
SCOPES="REPO_READ"

# Pull access_token and refresh_token out of the JSON response held in $RESPONSE
# and abort if no access token came back.
extract_tokens() {
	ACCESS_TOKEN=$(echo "$RESPONSE" | grep -o '"access_token":"[^"]*' | cut -d'"' -f4)
	REFRESH_TOKEN=$(echo "$RESPONSE" | grep -o '"refresh_token":"[^"]*' | cut -d'"' -f4)
	if [[ -z "$ACCESS_TOKEN" ]]; then
		echo "Failed to retrieve access token. Response: $RESPONSE"
		exit 1
	fi
	echo "OAuth token generated successfully!"
	echo "Access token: $ACCESS_TOKEN"
	echo "Refresh token: $REFRESH_TOKEN"
}

# Function to authorize access and get an access token for the first time
oauth_access_token() {
	echo "Step 1: Open the following URL in your browser and authorize access:"
	echo ""
	echo "${AUTH_URL}?client_id=${CLIENT_ID}&response_type=code&scope=${SCOPES}&redirect_uri=${REDIRECT_URI}"
	echo ""
	echo "After authorizing, you will be redirected to ${REDIRECT_URI}?code=YOUR_AUTH_CODE"
	echo "Copy the 'code' from the URL and enter it below."

	# User inputs the authorization code
	read -r -p "Enter the authorization code: " AUTH_CODE

	# Step 2: Exchange the authorization code for an access token.
	# The parameters are sent in the form-encoded POST body rather than the
	# query string, so the client secret does not end up in request logs.
	echo "Requesting access token..."
	RESPONSE=$(curl --silent --show-error --request POST --url "${TOKEN_URL}" \
		--header 'Content-Type: application/x-www-form-urlencoded' \
		--data-urlencode "client_id=${CLIENT_ID}" \
		--data-urlencode "client_secret=${CLIENT_SECRET}" \
		--data-urlencode "code=${AUTH_CODE}" \
		--data-urlencode "grant_type=authorization_code" \
		--data-urlencode "redirect_uri=${REDIRECT_URI}")
	echo "$RESPONSE"
	extract_tokens
}

# Function to generate a new access token (and refresh token) using a refresh token
oauth_refresh_token() {
	# User inputs the refresh token
	read -r -p "Enter the refresh token: " REFRESH_TOKEN

	# Step 1: Call the token endpoint with the refresh_token grant
	echo "Requesting access token..."
	RESPONSE=$(curl --silent --show-error --request POST --url "${TOKEN_URL}" \
		--header 'Content-Type: application/x-www-form-urlencoded' \
		--data-urlencode "client_id=${CLIENT_ID}" \
		--data-urlencode "client_secret=${CLIENT_SECRET}" \
		--data-urlencode "refresh_token=${REFRESH_TOKEN}" \
		--data-urlencode "grant_type=refresh_token" \
		--data-urlencode "redirect_uri=${REDIRECT_URI}")
	echo "$RESPONSE"
	extract_tokens
}

# Check input arguments
if [[ $# -eq 0 ]]; then
	echo "Usage: $0 -a | -b"
	echo "where -a: authorise and generate an OAuth token, and -b: use a refresh token to get a new access token"
	exit 1
fi

# Process options
while getopts "ab" opt; do
	case $opt in
		a) oauth_access_token ;;
		b) oauth_refresh_token ;;
		\?) echo "Invalid option: -$OPTARG"; exit 1 ;;
	esac
done
```

## Capabilities

| Feature | Supported |
| --- | --- |
| Scan archive files | β |
| Scan archived repos | β |
| Scan base64 encoded data | β |
| Scan binaries | β |
| Exclude filter | β |
| History | β |
| Include filter | β |
| Pre-commit | β |
| Pre-receive | β |
| Resumption | β |
## Notes

- TruffleHog doesn't scan diffs larger than 1 GB.
- By default, TruffleHog will attempt to automatically detect whether you are connecting to Bitbucket Cloud or Bitbucket Data Center. In rare cases, this autodetection logic can cause errors when trying to connect to Bitbucket Data Center. You can disable autodetection by setting the `installationType` configuration property to either `CLOUD` or `DATA_CENTER`.
- There is presently a known issue where, when you attempt to clone multiple refs that cannot coexist on disk at the same time, an error is thrown. Here is an anonymized example of this error thrown in GitHub, but it would look similar in Bitbucket:

  ```
  could not clone repo https://git.xxxxx.com/xxxxx/thog.git, error executing git clone: exit status 128, fatal: cannot process 'refs/remotes/origin/release/21.22/test' and 'refs/remotes/origin/release/21.22' at the same time\n
  ```

  This happens with some particular ref configurations that are not common in repositories, but occasionally exist. When it is thrown, we will skip over the repo causing this error and begin scanning the next one. There are workarounds that can attempt to scan the repos that throw this error, but they have two potential limitations: first, they may not be able to scan the entire repo; second, they may require a manual step to run the scan. If you would like assistance establishing a workaround, please open a bug report here: Report a bug.
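The required-keys table and the `installationType` note above translate into a small pre-flight check that is worth running before a config is handed to a scanner or stored in a secrets manager. The following validator is an added example written for this page, not TruffleHog's own code or a supported tool: it takes one `sources` entry as a Python dict (the shape `yaml.safe_load` would produce) and reports keys that are missing, still hold the angle-bracket placeholders from the snippets above, or conflict with the auth method in use. The camelCase key names, the `AUTODETECT`/`CLOUD`/`DATA_CENTER` spellings and the two sample entries are assumptions constructed for the example.

```python
# Added example (not TruffleHog's code): pre-flight validation of a Bitbucket
# source entry against the "Required" column of the key table and the notes.
# Key names, installationType spellings and sample values are assumptions.
from typing import Any, Dict, List
from urllib.parse import urlparse

BITBUCKET_TYPE = "type.googleapis.com/sources.Bitbucket"
OAUTH_CREDENTIAL_KEYS = ("refreshToken", "clientId", "clientSecret", "redirectUri")
OAUTH_ENDPOINT_KEYS = ("oauthAuthorizationEndpoint", "oauthTokenEndpoint", "oauthScopes")
INSTALLATION_TYPES = {"AUTODETECT", "CLOUD", "DATA_CENTER"}  # assumed spelling


def is_placeholder(value: Any) -> bool:
    """True for unset values or the <angle-bracket> placeholders copied from the docs."""
    return not isinstance(value, str) or not value or value.startswith("<")


def validate_bitbucket_source(source: Dict[str, Any]) -> List[str]:
    """Return a list of problems; an empty list means the entry looks complete."""
    problems: List[str] = []
    conn = source.get("connection", {})

    if conn.get("@type") != BITBUCKET_TYPE:
        problems.append(f"connection.@type must be {BITBUCKET_TYPE}")
    if source.get("type") != "SOURCE_TYPE_BITBUCKET":
        problems.append("type must be SOURCE_TYPE_BITBUCKET")

    # Exactly one authentication method: token, basicAuth or oauth.
    methods = [k for k in ("token", "basicAuth", "oauth") if k in conn]
    if len(methods) != 1:
        problems.append(f"expected exactly one of token/basicAuth/oauth, found {methods}")

    # endpoint is required for basicAuth and oauth and must be an https URL.
    endpoint = conn.get("endpoint")
    if ("basicAuth" in conn or "oauth" in conn) and not endpoint:
        problems.append("endpoint is required when using basicAuth or oauth")
    if endpoint:
        parts = urlparse(endpoint)
        if parts.scheme != "https" or not parts.netloc:
            problems.append(f"endpoint must be an https URL, got {endpoint!r}")

    if "token" in conn and is_placeholder(conn["token"]):
        problems.append("token is empty or still a placeholder")

    if "basicAuth" in conn:
        for key in ("username", "password"):
            if is_placeholder(conn["basicAuth"].get(key)):
                problems.append(f"basicAuth.{key} is required")

    if "oauth" in conn:
        for key in OAUTH_CREDENTIAL_KEYS:
            if is_placeholder(conn["oauth"].get(key)):
                problems.append(f"oauth.{key} is missing or still a placeholder")
        for key in OAUTH_ENDPOINT_KEYS:
            if not conn.get(key):
                problems.append(f"{key} is required when using oauth")
        # The table says scopes should generally be REPO_READ only; flag anything wider.
        extra = [s for s in conn.get("oauthScopes", []) if s != "REPO_READ"]
        if extra:
            problems.append(f"oauthScopes wider than REPO_READ: {extra}")

    if conn.get("allowSecretsManagerWrite") and "oauth" not in conn:
        problems.append("allowSecretsManagerWrite only matters for on-prem oauth refresh tokens")

    install = conn.get("installationType", "AUTODETECT")
    if install not in INSTALLATION_TYPES:
        problems.append(f"installationType must be one of {sorted(INSTALLATION_TYPES)}, got {install!r}")

    # ignoreRepos is meant for enumeration, which an explicit repositories list disables.
    if conn.get("repositories") and conn.get("ignoreRepos"):
        problems.append("ignoreRepos has nothing to filter when repositories is set explicitly")

    return problems


# Constructed sample: a Cloud entry using a workspace access token.
CLOUD_TOKEN_SOURCE = {
    "connection": {
        "@type": BITBUCKET_TYPE,
        "endpoint": "https://bitbucket.org/myworkspace",
        "skipBinaries": True,
        "token": "ATCTT-constructed-sample-token",
    },
    "name": "bitbucket-cloud-token-auth", "scanPeriod": "12h",
    "type": "SOURCE_TYPE_BITBUCKET", "verify": True,
}

# Constructed sample: a Data Center OAuth entry copied before the placeholder
# was filled in, missing the token endpoint, and with one scope too many.
UNFINISHED_OAUTH_SOURCE = {
    "connection": {
        "@type": BITBUCKET_TYPE,
        "endpoint": "https://bitbucket.ourbusiness.com",
        "oauth": {
            "refreshToken": "<refresh token you generated with the script>",
            "clientId": "constructed-client-id",
            "clientSecret": "constructed-client-secret",
            "redirectUri": "https://localhost/callback",
        },
        "oauthAuthorizationEndpoint": "https://bitbucket.ourbusiness.com/rest/oauth2/latest/authorize",
        "oauthScopes": ["REPO_READ", "REPO_WRITE"],
    },
    "name": "bitbucket-server", "scanPeriod": "12h",
    "type": "SOURCE_TYPE_BITBUCKET", "verify": True,
}

if __name__ == "__main__":
    for label, src in (("cloud", CLOUD_TOKEN_SOURCE), ("oauth", UNFINISHED_OAUTH_SOURCE)):
        print(label, validate_bitbucket_source(src) or "ok")
```

Running the file prints `ok` for the Cloud token entry and three findings for the unfinished OAuth entry (placeholder refresh token, missing `oauthTokenEndpoint`, scope wider than `REPO_READ`). Because the check runs on the parsed dict, it can be pointed at a config pulled from a secrets manager just as easily as at a local file.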