Bitbucket Cloud
Arnica’s Bitbucket Cloud integration accesses selected environments to extract the necessary data and take remediation actions.
Arnica's Bitbucket integration uses a Bitbucket-generated app password tied to a specified user. Because that app password is revoked when the user it belongs to leaves the workspace, it is highly recommended to create a standard application (service) user and integrate with that user instead of a personal account.
The created user will be visible to all developers as part of Arnica's interactions, such as comments on merge requests. Hence, it is recommended to give the service account a descriptive name, such as arnica-service-account.
In some cases, customers use an IP allowlist to restrict which source IP addresses can access a specific workspace. To check whether this applies to you, navigate to https://bitbucket.org/[WORKSPACE_NAME]/workspace/settings/access-controls and review the IP allowlisting configuration. If it is enabled, add Arnica's IP addresses, as documented in the Ingress traffic section of the on-premise integrations page.
- 1. Log in to the Bitbucket Cloud workspace.
- 2. Navigate to the User Groups page located at https://bitbucket.org/[YOUR_WORKSPACE]/workspace/settings/groups.
- 3. Click on the Administrators group and add the dedicated application security user to this group.
The next step reduces the token's scope to least privilege: although the user is assigned administrator privileges, the app password itself is granted only the reduced set of permissions listed below.
If your environment consists of multiple workspaces, repeat the steps above for each workspace with the same user.
- 1.
- 2. Click on Create App Password and assign the following permissions to the token:

Required app permissions to integrate with Arnica
- 3. Click on Create.
- 4. Copy the credentials to a temporary place so you can use them later in the integration.
- 1.
- 2. Fill in the username (not the email) and the app password from the step above.
- 3. Click on Validate to ensure that the credentials work properly, then click on OK.
The username used to complete the integration should be the Bitbucket username (not the account email) of the user or application user that created the app password.
Arnica will integrate with all workspaces associated with this user. Arnica's default policies are scan-only. Scanning begins immediately, but developers will not see any impact until Arnica's policies are updated to take actions.
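To check a freshly created app password before entering it in the integration form, the following added example (not Arnica's or Atlassian's code) calls the public Bitbucket Cloud 2.0 REST API with HTTP basic auth using the username and app password, confirms the credential belongs to the expected service account rather than a personal account, and lists every workspace the user is a member of. It assumes the app password carries at least the Account:Read permission (needed for /2.0/user) and that the workspace listing paginates with a "next" link.

```python
# Added example, not Arnica's own code: a pre-flight check of the service
# account's app password using the public Bitbucket Cloud 2.0 REST API.
import base64
import json
import urllib.request
from typing import Callable, Dict, List

API = "https://api.bitbucket.org/2.0"
# fetch(url, headers) -> raw response body; injectable so it can be tested offline
Fetcher = Callable[[str, Dict[str, str]], bytes]


def _http_get(url: str, headers: Dict[str, str]) -> bytes:
    req = urllib.request.Request(url, headers=headers)
    # A bad username/app password pair raises HTTPError (401/403) here.
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read()


def check_app_password(username: str, app_password: str,
                       fetch: Fetcher = _http_get) -> Dict[str, object]:
    """Verify the credential (as the Validate button does) and return the
    workspaces Arnica will integrate with. Raises ValueError on a mismatch."""
    if "@" in username:
        raise ValueError("use the Bitbucket username, not the account e-mail")
    token = base64.b64encode(f"{username}:{app_password}".encode()).decode()
    headers = {"Authorization": f"Basic {token}", "Accept": "application/json"}

    # Who does Bitbucket think we are? Catches an app password that was
    # generated under a personal account instead of the service account.
    me = json.loads(fetch(f"{API}/user", headers))
    if me.get("username") != username:
        raise ValueError(f"app password belongs to {me.get('username')!r}, "
                         f"not {username!r}")

    # Every workspace the user belongs to; the API paginates via "next".
    slugs: List[str] = []
    url = f"{API}/workspaces"
    while url:
        page = json.loads(fetch(url, headers))
        slugs.extend(ws["slug"] for ws in page.get("values", []))
        url = page.get("next")
    return {"username": username, "workspaces": slugs}
```

The returned workspace list should match the set of workspaces in which the service account was added to the Administrators group; a missing workspace means the repetition step above was skipped for it.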
Q: Why does the service account need administrative permissions?
A: While the service account is granted administrative permissions, the app token used by Arnica has least privileges. It was designed this way to maintain