Endor Labs provides a Bitbucket App that continuously monitors users’ projects for security and operational risks in Bitbucket Cloud. You can use the Bitbucket App to selectively scan your repositories for SCA, secrets, and SAST. When you use the Endor Labs Bitbucket App, it creates namespaces based on your workspace and projects in Bitbucket Cloud. The namespaces created by the Endor Labs Bitbucket App are not like regular namespaces and are called managed namespaces. You can either configure the URL to Bitbucket Cloud to import all the projects or configure the project key to import a specific project in Endor Labs.
You can use the following characters in Endor Labs namespaces: lowercase letters (a–z), digits (0–9), hyphens (-), and underscores (_). Additionally, the namespace can have a maximum of 64 characters. If the Bitbucket host or your projects have a different naming convention, Endor Labs converts the corresponding namespaces to comply with the naming convention.
See Manage Bitbucket Cloud App to learn how to manage your Bitbucket Cloud App integration in Endor Labs.

Managed namespaces for Bitbucket Cloud

You need to add the Bitbucket Cloud workspace or a project to an Endor Labs namespace. Endor Labs maps Bitbucket Cloud workspace and projects as managed namespaces. Managed namespaces have the following restrictions:
  • You cannot delete managed namespaces.
  • You cannot delete repositories within managed namespaces.
  • You cannot add projects or create namespaces within managed namespaces.
  • You cannot create new Endor Labs App installations within managed namespaces.

Namespace structure when you add a Bitbucket Cloud workspace

When you add a Bitbucket Cloud workspace to an Endor Labs namespace, Endor Labs creates a child namespace for the workspace and creates child namespaces for each project in the workspace under the workspace namespace. The namespaces of the workspace and projects are managed namespaces. You can add multiple Bitbucket Cloud workspaces to the same Endor Labs namespace. Each workspace will have its own managed namespace. If your workspace name is deerinc and you have three projects, buck, doe, and fawn, Endor Labs creates four managed namespaces: deerinc, buck, doe, and fawn. The namespaces buck, doe, and fawn are child namespaces of the deerinc namespace. The following image shows the namespace structure in Endor Labs.

Namespace structure when you add a Bitbucket Cloud project

When you add a Bitbucket Cloud project to an Endor Labs namespace, Endor Labs creates a child namespace for the Bitbucket Cloud project and maps all repositories in that project to this namespace. The child namespace that maps to the Bitbucket Cloud project is a managed namespace. The managed namespace has the name <workspace name>_<project name>. For example, if your Bitbucket Cloud workspace name is deerinc and the project name is doe, the managed namespace will have the name deerinc_doe. You can add multiple projects to the same Endor Labs namespace. Each project will have its own managed namespace. For example, your workspace name is deerinc, which has three projects, buck, doe, and fawn. You add each project to the Endor Labs namespace, endor-bitbucket. The following image shows the namespace structure in Endor Labs.
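The following pre-flight check is an added example, not Endor Labs code: it lists the managed namespace names each import mode would produce and flags the ones that break the naming rules above, so you know which names Endor Labs will convert. The function names and the sample project names are assumptions, and the script does not reproduce the conversion itself, which this page does not specify.

```python
import re

# Rules stated on this page: a-z, 0-9, hyphen, underscore; at most 64 characters.
ALLOWED = re.compile(r"[a-z0-9_-]")
MAX_LEN = 64


def violations(name):
    """Return the reasons `name` breaks the namespace rules (empty list if none)."""
    problems = []
    bad = sorted({ch for ch in name if not ALLOWED.fullmatch(ch)})
    if bad:
        problems.append("disallowed characters: " + " ".join(repr(ch) for ch in bad))
    if len(name) > MAX_LEN:
        problems.append(f"{len(name)} characters, limit is {MAX_LEN}")
    if not name:
        problems.append("empty name")
    return problems


def planned_namespaces(workspace, projects, import_mode):
    """Map each expected managed namespace name to its rule violations.

    "workspace": one namespace for the workspace plus one child per project.
    "project":   one namespace per project, named <workspace>_<project>.
    """
    if import_mode == "workspace":
        names = [workspace] + list(projects)
    elif import_mode == "project":
        names = [f"{workspace}_{project}" for project in projects]
    else:
        raise ValueError("import_mode must be 'workspace' or 'project'")
    return {name: violations(name) for name in names}


def needs_conversion(plan):
    """Names that do not comply as-is, so the namespace shown will differ."""
    return [name for name, problems in plan.items() if problems]


if __name__ == "__main__":
    # Constructed sample: the page's deerinc workspace plus made-up project names.
    projects = ["doe", "Fawn Tools", "p" * 60]
    for mode in ("workspace", "project"):
        for name, problems in planned_namespaces("deerinc", projects, mode).items():
            print(mode, name, "OK" if not problems else "; ".join(problems))
```

A 60-character project name passes on its own in a workspace import but exceeds the 64-character limit once the workspace prefix is added in a project import.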

Default branch detection

When Endor Labs scans a repository for the first time, it detects the default branch of the repository. The findings that are created in the scan are associated with the default branch.

Changing the default branch

When you change the default branch in your source control system (for example, from main to dev):
  • Endor Labs automatically detects the new default branch and sets that as the default reference
  • The previous default branch becomes a reference branch
  • Scans continue on the new default branch and the reference branch
The findings associated with the previous default branch are no longer associated with the default context reference. You can view them in the reference context.

Renaming the default branch

When you rename the default branch in your source control system:
  • Endor Labs automatically switches to the renamed branch
  • Scans continue without disruption

Adding repository versions

When you add a new repository version (for example, a dev branch), both the default branch and the new version are scanned by the Endor Labs App.

Control default branch detection

You can control the default branch detection by setting the ENDOR_SCAN_TRACK_DEFAULT_BRANCH environment variable in a scan profile. You need to configure the project to use the scan profile. See Configure scan profiles for more information. By default, the environment variable is set to true. When set to true, the default branch detection is enabled, and the first branch you scan is automatically considered as the default branch.

Prerequisites for Bitbucket App for Bitbucket Cloud

Ensure the following prerequisites are in place before you install the Endor Labs Bitbucket App.
  • Bitbucket Cloud instance with workspace and projects
  • A Bitbucket access token either at the workspace level to import a workspace, or the project level to import a project. The token must have at least Project read permission.

Install the Bitbucket Cloud App

  1. Select Projects from the left sidebar.
  2. Click Add Project.
  3. Under Namespace, select the Endor Labs namespace for this installation.
    We recommend you use a child namespace for better organization of your projects.
  4. Select Bitbucket on the Scan your repositories page.
  5. Select Bitbucket Cloud.
  6. In Enter credentials, select the authentication method you want to use to connect to Bitbucket Cloud.
    Select ACCESS TOKEN to connect using an access token. Enter the following details:
    • Host URL: Enter the Bitbucket Cloud workspace URL.
      • To import all projects in a workspace, enter a URL in the form https://bitbucket.org/{workspace}.
      • To import a single project, enter a URL in the form https://bitbucket.org/{workspace}/projects/{project-key}. For example, https://bitbucket.org/endor-labs/projects/lab.
    • Access token: Enter a workspace or project access token.
      Permissions for the access token: The access token must have at least the Project:read permission. If you want to scan pull requests, provide an access token with read and write permissions for webhooks and pull requests, and read access for projects. For more information, see Create an access token.
    Select EMAIL and API TOKEN to connect using an Atlassian account email address and API token. Enter the following details:
    • Host URL: Enter the Bitbucket Cloud workspace URL.
      • To import all projects in a workspace, enter a URL in the form https://bitbucket.org/{workspace}.
      • To import a single project, enter a URL in the form https://bitbucket.org/{workspace}/projects/{project-key}. For example, https://bitbucket.org/endor-labs/projects/lab.
    • Email: Enter the Atlassian account email for a user who has access to the Bitbucket workspace or project.
    • API token with scopes: Enter an Atlassian API token with access that allows Endor Labs to read the Bitbucket projects you are importing.
      Permissions for the API token: The API token must have at least Project:read and Repository:read permissions. If you want to scan pull requests, provide an API token that includes read access for projects and repositories, along with read and write access for pull requests and read, write, and delete for webhooks. For more information, see Create an API token.
  7. Click Create Bitbucket Cloud Installation.
  8. Select the scan types to enable in Scanners.
    • SCA: Perform software composition analysis and discover AI models used in your repository.
    • Secret: Scan Bitbucket projects for exposed secrets.
    • SAST: Scan Bitbucket projects to generate SAST findings.
    The available scan types depend upon your license.
  9. Optionally, you can continue to Configure Bitbucket Cloud App PR scans to scan your pull requests. You can also choose to apply PR scans to specific projects rather than for all the projects in the workspace through a scan profile. See Scan profiles for more information. You can also enable PR scans later in the Bitbucket Cloud App integration.
  10. Click Start Scanning Repositories.
Endor Labs Bitbucket Cloud App scans your Bitbucket projects every 24 hours and reports any new findings or changes to release versions of your code.