Deploy Endor Labs Bitbucket App in Bitbucket Cloud

Learn how to continuously monitor your environment with the Endor Labs Bitbucket App.

Beta

Endor Labs provides a Bitbucket App that continuously monitors users’ projects for security and operational risks in Bitbucket Cloud. You can use the Bitbucket App to selectively scan your repositories for SCA, secrets, SAST, and CI/CD tools.

When you use the Endor Labs Bitbucket App, it creates namespaces based on your workspace and projects in Bitbucket Cloud. The namespaces created by the Endor Labs Bitbucket App are not like regular namespaces and are called managed namespaces. You can either configure the URL to Bitbucket Cloud to import all the projects or configure the project key to import a specific project in Endor Labs.

See Manage Bitbucket Cloud App to learn how to manage your Bitbucket Cloud App integration in Endor Labs.

You need to add the Bitbucket Cloud workspace or a project to an Endor Labs namespace. Bitbucket Cloud workspace and projects are mapped as managed namespaces in Endor Labs.

Managed namespaces have the following restrictions:

  • You cannot delete managed namespaces.
  • You cannot delete repositories within managed namespaces.
  • You cannot add projects or create namespaces within managed namespaces.
  • You cannot create new Endor Labs App installations within managed namespaces.

When you add a Bitbucket Cloud workspace to an Endor Labs namespace, Endor Labs creates a child namespace for the Bitbucket Cloud workspace and creates child namespaces for each project in the workspace under the workspace namespace. The namespaces of the workspace and projects are managed namespaces. You can add multiple Bitbucket Cloud workspaces to the same Endor Labs namespace. Each workspace will have its own managed namespace.

If your workspace name is deerinc and you have three projects, buck, doe, and fawn, Endor Labs creates four managed namespaces: deerinc, buck, doe, and fawn. The namespaces buck, doe, and fawn are child namespaces of the deerinc namespace.

The following image shows the namespace structure in Endor Labs.

graph TD

      %% Endor Labs namespace
      EN[endor-bitbucket]

      %% Bitbucket projects
      O1[deerinc]
      P1[buck]
      P2[doe]
      P3[fawn]


      %% connections
      EN --> O1
      O1 --> P1
      O1 --> P2
      O1 --> P3

      class EN,EN2 endor
      class O1,P1,P2,P3 managed
      classDef managed fill:#3FE1F3

When you add a Bitbucket Cloud project to an Endor Labs namespace, Endor Labs creates a child namespace for the Bitbucket Cloud project and maps all repositories in that project to this namespace. The child namespace that maps to the Bitbucket Cloud project is a managed namespace. The managed namespace has the name, <workspace name>_<project name>. For example, if your Bitbucket Cloud workspace name is deerinc and project name is doe, the managed namespace will have the name, deerinc_doe.

You can add multiple projects to the same Endor Labs namespace. Each project will have its own managed namespace. For example, your workspace name is deerinc, which has three projects, buck, doe, and fawn. You add each project to the Endor Labs namespace, endor-bitbucket.

The following image shows the namespace structure in Endor Labs.

graph TD

      %% Endor Labs namespace
      EN[endor-bitbucket]

      %% Bitbucket projects
      A1[deerinc_buck]
      A2[deerinc_doe]
      A3[deerinc_fawn]


      %% connections
      EN --> A1
      EN --> A2
      EN --> A3

      class EN,EN2 endor
      class A1,A2,A3 managed
      classDef managed fill:#3FE1F3

Ensure the following prerequisites are in place before you install the Endor Labs Bitbucket App.

  • Bitbucket Cloud instance with workspace and projects
  • A Bitbucket access token either at the workspace level to import a workspace, or the project level to import a project. The token must have at least Project read permission.

To install the Endor Labs Bitbucket App:

  1. Sign in to Endor Labs and select Projects from the left sidebar.

  2. Click Add Project.

  3. From BITBUCKET, select Bitbucket App, and ensure that Cloud is selected.

  4. Enter the Bitbucket Cloud workspace URL in the format: https://bitbucket.org/{workspace} to import all the projects in the workspace.

    Endor Labs creates namespaces for all projects that are available in the Bitbucket Cloud workspace.

    You can also provide the URL up to a project level to import a specific project: https://bitbucket.org/{workspace}/{project-key}. For example, https://bitbucket.org/endor-labs/lab.

  5. Enter the Bitbucket access token.

    The access token must have at least the Project read permission.

  6. Select the scan types to enable.

    • SCA: Perform software composition analysis and discover AI models used in your repository.
    • Secret: Scan Bitbucket projects for exposed secrets.
    • CI/CD: Scan Bitbucket projects and identify all the CI/CD tools used.
    • SAST: Scan Bitbucket projects to generate SAST findings.

    The available scan types depend upon your license.

  7. Click Create.

Endor Labs Bitbucket App scans your Bitbucket projects every 24 hours and reports any new findings or changes to release versions of your code.
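
A pre-import check for the URL entered in step 4, added here as an example (not Endor Labs code): it validates the URL format described above and lists the managed namespaces that each import mode would create. The function names, the project key-to-name mapping, and the keys BUCK, DOE, and FAWN are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit


def parse_import_url(url):
    """Return (workspace, project_key); project_key is None for a workspace URL."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https" or parts.hostname != "bitbucket.org":
        raise ValueError("expected https://bitbucket.org/{workspace}[/{project-key}]")
    if parts.username or parts.password:
        # The access token belongs in its own field, never in the URL.
        raise ValueError("credentials embedded in URL")
    if parts.query or parts.fragment:
        raise ValueError("unexpected query string or fragment")
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) not in (1, 2):
        raise ValueError("URL must stop at the workspace or the project key")
    return segments[0], (segments[1] if len(segments) == 2 else None)


def planned_namespaces(parent, url, projects):
    """Return (parent, child) edges for the managed namespaces an import creates.

    projects maps project key -> project name for the workspace. It is an
    assumed input, for example copied from the Bitbucket project list.
    """
    workspace, key = parse_import_url(url)
    if key is None:
        # Workspace import: one namespace for the workspace, one child per project.
        edges = [(parent, workspace)]
        edges += [(workspace, name) for name in sorted(projects.values())]
        return edges
    if key not in projects:
        raise KeyError(f"project key {key!r} not found in workspace {workspace!r}")
    # Project import: a single namespace named <workspace name>_<project name>.
    return [(parent, f"{workspace}_{projects[key]}")]


# Constructed sample data matching the deerinc example on this page.
SAMPLE_PROJECTS = {"BUCK": "buck", "DOE": "doe", "FAWN": "fawn"}

if __name__ == "__main__":
    for url in ("https://bitbucket.org/deerinc", "https://bitbucket.org/deerinc/DOE"):
        print(url, "->", planned_namespaces("endor-bitbucket", url, SAMPLE_PROJECTS))
```
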

Manage Bitbucket Cloud App on Endor Labs

You can make changes to the Bitbucket Cloud App integrations or delete them. You can view the activity logs for the Bitbucket App and rescan your Bitbucket projects on demand.

  1. Sign in to Endor Labs and select Manage > Integrations from the left sidebar.

  2. Click Manage next to Bitbucket under Source Control Managers.

  3. Click the three vertical dots next to the integration.

    You can choose from the following options:

To edit the Bitbucket App integration:

  1. Click the three vertical dots next to the integration, and select Edit Integration.
  2. You can update your personal access token and choose the scanners.
  3. Click Save. The changes are applicable from the next scanning cycle.

To delete a Bitbucket App integration, click the three vertical dots next to the integration, and select Delete Integration.

When you delete the integration, it also deletes all child namespaces, projects, and references associated with the auto-generated root group namespace. It also deletes any manually created namespaces and projects under the auto-generated namespace.

Endor Labs detects and reports installation and synchronization errors during organization sync. These include expired tokens, insufficient permissions, invalid host configurations, and certificate issues. The sync logs report the errors that you can resolve.

To view sync logs, click the three vertical dots next to the integration, and select View Sync Logs.

The sync logs display details of synchronization attempts, including timestamps, error types, and diagnostic messages. These logs help identify issues such as authentication failures or configuration problems.

The sync logs detect and display the following categories of sync failures:

  • Expired or invalid Personal Access Tokens (PATs): The PAT used for authentication has expired or is no longer valid. Edit the integration and provide a valid token.
  • Insufficient PAT permissions: The PAT does not have the required scopes, such as repository read access. You must generate and provide a PAT with the correct access.
  • Certificate related access issues: The certificates required to connect to the SCM are invalid, outdated, or untrusted. This error occurs in self-hosted GitLab instances that use custom SSL certificates. Update the certificate configuration or ensure the certificate chain is properly trusted to resolve the issue.
  • Incorrect or invalid host URLs: The configured URL is incorrect or unreachable. Since you cannot edit the host URL, you need to delete and reinstall the integration using the correct URL.

After you resolve the issue, the error is automatically cleared during the next successful scan. You can manually re-trigger the scan using Rescan Org to verify the resolution immediately.

Bitbucket App scans your repositories every 24 hours. Click Rescan Org to manually trigger a scan outside the 24-hour period.

Click Scan More Repositories to go to Projects, where you can add more projects to scan through the Bitbucket App.