Arnica Documentation
  • Introduction
  • Getting Started
    • 🔑Sign Up
    • ▶️SCM Integrations
      • Azure DevOps
      • Bitbucket Cloud
      • Bitbucket Server & Datacenter
      • Github
        • GitHub Audit Logs
        • Github App Permissions
      • Gitlab
    • 📤ChatOps
      • Microsoft Teams
      • Slack
        • Adding Arnica to a New Channel
        • Interacting With the Arnica Slackbot
    • 🎫Ticket Management
      • 🐛Jira Integration
      • 📋ADO Boards Integration
    • 🧠Artificial Intelligence
      • Azure OpenAI
      • OpenAI ChatGPT
    • 🏨On Premise Integrations
  • Inventory
    • 💼Identities, Repositories & Organizations
    • 📇Software Bill of Materials (SBOM)
    • 🦄Prioritization & Product Ownership
  • Hardcoded Secrets
    • 🕵️Secret Detection
    • ⏪Realtime Secret Mitigation
    • 🥕Secrets Policy Settings
  • Code Risks
    • 🎼Static Application Security Testing (SAST)
      • Custom SAST Rules
    • 🧩Software Composition Analysis (SCA)
    • 🔡3rd Party Package Licenses
      • Override License Classifications
    • 🤹3rd Party Package Reputation
      • Identifying Low Rep Packages
      • How to Find Alternative Packages
    • ⛅Infrastructure as Code Security (IaC)
    • 🤖Code Risk Policy Settings
      • Developer Feedback On Push
      • Require Review Before Dismissal
      • 0 New High Severity Vulnerabilities
      • Enforce Remediation SLA
    • 🪄Code Risk Magic Links
    • 📦Code Risk Language and Framework Support
  • Platform Operations
    • 🚪Joining an Existing Org
    • ❌Deleting a Tenant
    • 🫂How do I invite members to my tenant?
      • New User Invitations
    • 👥Users & Roles
    • 🔇Deleting Integrations
    • ⌛Scheduled Jobs
      • How often do Jobs run?
    • 💸Billing
  • Security
    • 🎮Role Based Access Control (RBAC)
    • 🛡️Data Handling
    • 🏛️SSO Integration
      • Okta Integration
      • Entra ID Integration
Powered by GitBook
On this page
  • Overview
  • Ensure service account continuity
  • Create a dedicated application user
  • Prerequisites
  • IP allowlist
  • Grant permissions to application user
  • Installation process
  • Generate an app password
  • Integrate
  • FAQ

Was this helpful?

  1. Getting Started
  2. SCM Integrations

Bitbucket Cloud

PreviousAzure DevOpsNextBitbucket Server & Datacenter

Last updated 6 months ago

Was this helpful?

Overview

Arnica Integrates directly with your Bitbucket Cloud application to help secure the development environment while identifying risks in real time - alerting your team and assisting with remediation actions. Arnica's integration is configurable allowing org-level provisioning or access to specified projects to extract the and take remediation actions.

Ensure service account continuity

Create a dedicated application user

Arnica's Bitbucket integration leverages a Bitbucket generated app password tied to a specified user. To avoid the revocation of this token upon the impersonated user's departure, it is highly recommended to create and integrate using a standard application user.

The created user will be visible to all developers as part of Arnica's interactions, such as comments on merge requests. Hence, it is recommended to name the service account properly, such as arnica-service-account

Prerequisites

IP allowlist

In some cases, customers may use IP allowlist to restrict which source IP addresses can access a specific workspace. To validate this functionality, navigate to https://bitbucket.org/[WORKSPACE_NAME]/workspace/settings/access-controls and check the IP allowlisting configuration.

If this configuration is enabled, add Arnica's IP addresses, as documented in the section of the on Premise integrations page.

Grant permissions to application user

  1. Login to the Bitbucket Cloud workspace

  2. Navigate to the User Groups page located in https://bitbucket.org/[YOUR_WORKSPACE]/workspace/settings/groups

  3. Click on the Administrators group and add the dedicated application security user to this group.

The following step will reduce the scope of the token to least privileges. This means that while the user will be assigned with administrator privileges, the token's privilege's will include a reduced scope.

If your environment is comprised of multiple workspaces, repeat the steps above for each workspace with the same user.

Installation process

Generate an app password

  2. Click on Create App Password and assign the following permissions to the token:

  1. Click on Create

  2. Copy the credentials into a temporary place to use them later in the integration

Integrate

  2. Fill in the username (not email) and the app password from the step above.

  3. Click on Validate to ensure that the credentials work properly and then click on OK.

The username used to complete the integration should be the Bitbucket username (not the account email) of the user or application user that created the app password.

Arnica will integrate with all workspaces associated with this user. Arnica's default policies include scan-only functionality. While scanning will begin immediately, developers will not see any impact until Arnica's polices are updated to take actions.

FAQ

Login with the application user and navigate to the .

Navigate to the in Arnica and click on Bitbucket Cloud.

Q: Why does the service account need to have administrative permissions? A: While the service account is granted with administrative permissions, the that is used by Arnica has least privileges. It was designed this way to maintain access to required admin-only permissions without exposing the token to full admin rights.

▶️
app passwords page
Integrations page
app token
necessary data
Ingress traffic
Required app permissions to integrate with Arnica