# Bitbucket Cloud App PR scans

> <Badge color="green">Beta</Badge> <br /> Learn how to enable PR scans using the Bitbucket Cloud App.

You can configure PR scans while creating a new Bitbucket Cloud App installation or for existing Bitbucket Cloud App integrations. Endor Labs automatically configures webhooks to scan your pull requests.

You can also choose to receive PR comments on your pull requests. After you configure PR comments, Endor Labs posts a comment on the pull request if any issues are detected during the PR scan. See [Bitbucket Cloud PR comments](#bitbucket-cloud-pr-comments) for more information.

## Create an access token

To enable PR scans and PR comments, provide an access token with read and write permissions for webhooks and pull requests, and read access for Projects. This access token allows Endor Labs to automatically configure webhooks for PR scanning functionality.

To create an access token:

1. [Sign in to Bitbucket Cloud](https://bitbucket.org/) and navigate to your workspace or project.

2. Create a [workspace access token](https://support.atlassian.com/bitbucket-cloud/docs/create-a-workspace-access-token/) or [project access token](https://support.atlassian.com/bitbucket-cloud/docs/create-a-project-access-token/).

   <Note>
     Ensure that you have a Bitbucket Cloud Premium account to create an access token at the workspace or project level.
   </Note>

3. When creating the access token, select the following permissions:

   * **Projects**: Read
   * **Webhooks**: Read and Write
   * **Pull requests**: Read and Write
   * **Repository**: Read and Write

   <img src="https://mintcdn.com/endorlabs-b4795f4f/7vCTCj1cAx9dPmgJ/images/setup-deployment/scm-integrations/bitbucket-cloud/bbcloud-access-token-scopes.webp?fit=max&auto=format&n=7vCTCj1cAx9dPmgJ&q=85&s=ef68ff0aeb9a826ef09dac161d3e2134" alt="Bitbucket Cloud workspace or project access token scopes for PR scans and webhooks" style={{ width: '60%' }} width="1142" height="979" data-path="images/setup-deployment/scm-integrations/bitbucket-cloud/bbcloud-access-token-scopes.webp" />

4. Copy the generated access token and store it in a secure location. You need it when configuring the Bitbucket Cloud App integration in Endor Labs.

## Create an API token

To enable PR scans and PR comments, provide an Atlassian account email and an [API token](https://support.atlassian.com/atlassian-account/docs/manage-api-tokens-for-your-atlassian-account/) with read and write permissions for pull requests, read, write, and delete permissions for webhooks, and read access for projects. This API token allows Endor Labs to automatically configure webhooks for PR scanning functionality.

To create an Atlassian API token:

1. Sign in to [Bitbucket Cloud](https://bitbucket.org/) and select **Account settings** from the top right corner.

2. Select **Security**.

3. Click [Create and manage API tokens](https://support.atlassian.com/atlassian-account/docs/manage-api-tokens-for-your-atlassian-account/).

4. When creating an API token, select the following permissions:

   * **Projects**: Read
   * **Workspace**: Read
   * **Repository**: Read
   * **Pull requests**: Read and Write
   * **Webhooks**: Read, Write, and Delete

   <img src="https://mintcdn.com/endorlabs-b4795f4f/7vCTCj1cAx9dPmgJ/images/setup-deployment/scm-integrations/bitbucket-cloud/bbcloud-api-token-scopes.webp?fit=max&auto=format&n=7vCTCj1cAx9dPmgJ&q=85&s=97d919dfc187cf57b7ad1f4aa6384024" alt="Atlassian API token scopes for Bitbucket Cloud PR scans and webhooks" style={{ width: '60%' }} width="1123" height="703" data-path="images/setup-deployment/scm-integrations/bitbucket-cloud/bbcloud-api-token-scopes.webp" />

5. Copy the generated API token and store it in a secure location. You need it when configuring the Bitbucket Cloud App integration in Endor Labs.

## Configure PR scans during a Bitbucket Cloud App installation

After you complete the initial [installation of the Bitbucket Cloud App](/setup-deployment/scm-integrations/bitbucket-cloud#install-the-bitbucket-cloud-app) in Endor Labs, you can configure PR scans. At this point, the Bitbucket Cloud App will be operational.

You can also choose to apply PR scans to specific projects rather than all the projects in the workspace through a scan profile. See [configure PR scans for specific repositories](#configure-pr-scans-for-specific-repositories) for more information.

1. Select **Pull Request Settings** and toggle on **Enable Pull Request scans** to enable automatic scanning of PRs submitted by users.

   <img src="https://mintcdn.com/endorlabs-b4795f4f/fKubUymrAaKP441f/images/setup-deployment/scm-integrations/bitbucket-cloud/bb-cloud-pr-settings.webp?fit=max&auto=format&n=fKubUymrAaKP441f&q=85&s=02d4b47faaf267a52363e00d0fdf59a9" alt="Pull request configurations in Bitbucket Cloud" style={{ width: '60%' }} width="794" height="746" data-path="images/setup-deployment/scm-integrations/bitbucket-cloud/bb-cloud-pr-settings.webp" />

2. Optionally, toggle on **Post comments on Pull Requests** to allow Endor Labs to comment on PRs for policy violations.

   When you enable PR comments, Endor Labs posts a comment on the pull request if any issues are detected during the PR scan. You need to set up action policies in Endor Labs to receive the comments. See [Bitbucket Cloud PR comments](#bitbucket-cloud-pr-comments) for more information.

3. By default, PR scans skip reachability analysis for faster results. Under **Advanced Options**, toggle on **Enable Full scan with reachability** when you want reachability analysis and call graph generation for supported languages.

4. Select **Save PR Settings** to save the configuration.

   <Note>
     **Webhook Configuration**

     Endor Labs automatically generates and configures the webhook secret when PR scans are enabled. If you modify or delete the webhook in Bitbucket Cloud, you must delete the Bitbucket Cloud App installation and create a new one.
   </Note>

## Configure PR scans for existing Bitbucket Cloud integrations

You can configure PR scans for existing Bitbucket Cloud integrations or after creating a new Bitbucket Cloud integration.

<Note>
  **Permissions for your credentials**

  Ensure that the credentials have the required permissions for the selected authentication method. Refer to [Create an access token](#create-an-access-token) or [Create an API token](#create-an-api-token) for more information.
</Note>

1. Select **Integrations** from the left sidebar.

2. Click **Manage** next to **Bitbucket Cloud** under **Source Control Managers**.

3. Click the vertical three dots next to the Bitbucket Cloud integration that you want to update.

4. Select **Edit Integration**.

5. Select **Pull Request Settings**.

   <img src="https://mintcdn.com/endorlabs-b4795f4f/fKubUymrAaKP441f/images/setup-deployment/scm-integrations/bitbucket-cloud/bb-cloud-pr-settings.webp?fit=max&auto=format&n=fKubUymrAaKP441f&q=85&s=02d4b47faaf267a52363e00d0fdf59a9" alt="Edit Bitbucket Cloud PR settings" style={{ width: '60%' }} width="794" height="746" data-path="images/setup-deployment/scm-integrations/bitbucket-cloud/bb-cloud-pr-settings.webp" />

6. Toggle on **Enable Pull Request Scans** to enable PR scans.

7. Optionally, toggle on **Post comments on Pull Requests** to enable PR comments.

   Ensure that you complete the PR comments configuration in Endor Labs to receive the comments. See [Bitbucket Cloud PR comments](#bitbucket-cloud-pr-comments) for more information.

8. Click **Save PR Settings** to save the changes.

   The changes are applied from the next scanning cycle.

   <Note>
     Click **Rescan Org** after editing the integration to apply changes immediately instead of waiting for the next scheduled scan.
   </Note>

## Configure PR scans for specific repositories

You can configure PR scans and PR comments only for specific repositories. If you select the options to configure PR scans in your Bitbucket Cloud App integration, pull requests for all the repositories in your project or workspace are scanned. Instead, you can choose to configure PR scans and PR comments for selected repositories using scan profiles.

1. Enable PR scans and PR comments during the initial [Bitbucket Cloud App installation](#configure-pr-scans-during-a-bitbucket-cloud-app-installation). This ensures that the webhooks are properly configured and recognized by Endor Labs.

2. [Edit the Bitbucket Cloud App integration](/setup-deployment/scm-integrations/bitbucket-cloud/manage-bitbucket-cloud#edit-bitbucket-cloud-app-integration) and disable **Pull Request Scans** and **Pull Request Comments**. This prevents PR scans from running for all repositories in the workspace.

3. Create a [scan profile](/scan/scan-profiles/configure-scanprofile-ui) with **Pull Request Scans** and optionally **Pull Request Comments** enabled under **Developer Workflow**.

   <img src="https://mintcdn.com/endorlabs-b4795f4f/WValpCeFuCmyj4QD/images/setup-deployment/scm-integrations/scan-profile-pr-scans.webp?fit=max&auto=format&n=WValpCeFuCmyj4QD&q=85&s=6cc10d117c307efb4efe6f37b42e9cdb" alt="Configure PR scans for selected projects" width="896" height="291" data-path="images/setup-deployment/scm-integrations/scan-profile-pr-scans.webp" />

4. [Associate the scan profile with the specific repository](/scan/scan-profiles/configure-scanprofile-ui#associate-projects-with-a-scan-profile) where you want PR scans to run.

This approach allows you to control which repositories have PR scans enabled while ensuring that the webhook is properly configured during the initial installation.

## Bitbucket Cloud PR comments

PR comments are automated comments added to pull requests when Endor Labs detects policy violations or security issues during scans. When a PR is raised or updated, Endor Labs runs scans on the proposed changes and adds a comment if any violations are detected based on the configured action policies.

After you enable PR comments, you need to set up an action policy to allow comments to be posted on pull requests.

### Configure action policy for PR comments

The action policy that you create triggers the posting of comments on your pull request after a scan is complete. See [Action policy](/platform-administration/policies/action-policies) for more information. You can create multiple action policies based on your requirements, which the PR scan can trigger. If you create an action policy with the `Secret` template, you get an inline comment with the line number where the secret is detected.

Ensure that you configure the following important settings in the action policy:

1. Choose an appropriate action policy template, such as [Containers](/platform-administration/policies/action-policies/templates#containers), or create a custom action policy.
2. Under **Action**, select **Enforce Policy**, then choose:
   * **Warn** to post a comment without breaking the build.
   * **Break the Build** to fail the build and block the pull request.
3. Define the scope of the policy using tags. Only projects that match the specified tags will receive PR comments.
4. Select **Propagate this policy to all child namespaces** if you want to apply the policy to all child namespaces.

### PR comments template

Endor Labs provides a default template for PR comments that you can use out-of-the-box. You can also create custom templates using [Go Templates](https://pkg.go.dev/text/template).

The following section shows the default template for PR comments.

<CodeFile src="/templates/bitbucket/bitbucket_cloud_pr_comment_template.json" lang="go" />

You can create your custom template by editing the default template and saving the changes.

The following specification shows the additional functions that you can use in your custom template. You can access these functions by using their corresponding keys.

<CodeFile src="/templates/bitbucket/bitbucket_cloud_pr_comment_func_map.json" lang="go" />

To edit the default template:

1. Select **Manage** > **Integrations** from the left sidebar.

2. Click **Edit Template** next to **Bitbucket** under **Template for PR Comments**.

   Bitbucket only supports markdown in PR comments and does not support HTML tags.

   <img src="https://mintcdn.com/endorlabs-b4795f4f/266r_aE9BWR2B51C/images/setup-deployment/scm-integrations/bitbucket-cloud-pr-comments-template.webp?fit=max&auto=format&n=266r_aE9BWR2B51C&q=85&s=d6e48e9b0797b4abbc41b257370ec759" alt="" width="1985" height="1119" data-path="images/setup-deployment/scm-integrations/bitbucket-cloud-pr-comments-template.webp" />

3. Update the template with the required changes.

4. Select **Propagate this template to all child namespaces** if you want to apply the template to all child namespaces.

5. Click **Save Template** to save the changes.
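
One way to check a custom template before saving it, as an added example (not Endor Labs code): it renders a Go template over constructed findings and lists any HTML tags in the output, because Bitbucket renders markdown only. The `Finding` fields and the `mdCell` helper are hypothetical; a real template must use the field names and functions from the default template and function map.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"text/template"
)

// Finding is a hypothetical data model for this example. The fields that
// Endor Labs passes to a template are defined by its default template and
// function map, which are not reproduced here.
type Finding struct {
	Severity, Title, Package, URL string
}

// Constructed sample data; the second title contains a pipe and a line break.
var sampleFindings = []Finding{
	{"Critical", "Leaked API key", "config/settings.py", "https://example.invalid/f/1"},
	{"High", "Outdated dep | pinned\nbelow fix", "example-lib@1.0.0", "https://example.invalid/f/2"},
}

// Markdown-only template: a heading and a table, one row per finding.
const markdownTemplate = `### Scan result: {{len .}} finding(s)

| Severity | Finding | Package |
|---|---|---|
{{range .}}| {{.Severity}} | [{{mdCell .Title}}]({{.URL}}) | {{mdCell .Package}} |
{{end}}`

// Template written with HTML tags, which Bitbucket PR comments do not support.
const htmlTemplate = `<details><summary>{{len .}} finding(s)</summary>
{{range .}}- {{mdCell .Title}}
{{end}}</details>`

var htmlTag = regexp.MustCompile(`</?[A-Za-z][^>]*>`)

// mdCell keeps scan data on one table row: pipes are escaped and line
// breaks become spaces, so a finding cannot add columns or rows.
func mdCell(s string) string {
	return strings.NewReplacer("|", `\|`, "\r\n", " ", "\n", " ", "\r", " ").Replace(s)
}

// Render parses the template with the helper registered and executes it.
func Render(text string, findings []Finding) (string, error) {
	t, err := template.New("pr-comment").Funcs(template.FuncMap{"mdCell": mdCell}).Parse(text)
	if err != nil {
		return "", err
	}
	var b strings.Builder
	if err := t.Execute(&b, findings); err != nil {
		return "", err
	}
	return b.String(), nil
}

// HTMLTags returns every HTML tag found in the rendered comment.
func HTMLTags(rendered string) []string {
	return htmlTag.FindAllString(rendered, -1)
}

func main() {
	for _, text := range []string{markdownTemplate, htmlTemplate} {
		out, err := Render(text, sampleFindings)
		if err != nil {
			fmt.Println("template error:", err)
			continue
		}
		fmt.Printf("%s\nHTML tags to remove: %q\n\n", out, HTMLTags(out))
	}
}
```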

<Note>
  **Restore the default template**

  You can restore the default template by clicking **Restore to Default** in the template editor to go back to the initial template.
</Note>

<Note>
  **Action policy propagation in child namespaces**

  If you select **Propagate this policy to all child namespaces**, and update the policy in the child namespace, the policy in the child namespace takes precedence over the policy in the parent namespace. If you select the propagate option for the child namespace, its child namespaces will also inherit the policy. Since [namespace hierarchy follows the workspace and projects hierarchy of Bitbucket Cloud](/setup-deployment/scm-integrations/bitbucket-cloud#managed-namespaces-for-bitbucket-cloud), you can effectively use this option to control the policy for different levels of your organization.
</Note>

### PR scan comments in Bitbucket Cloud

After you enable PR comments, Endor Labs posts a comment on the pull request if any issues are detected during the PR scan based on the action policies.

The following example shows a comment on the pull request as a result of the action policy for identifying leaked secrets.

<img src="https://mintcdn.com/endorlabs-b4795f4f/266r_aE9BWR2B51C/images/setup-deployment/scm-integrations/bitbucket-cloud/bb-cloud-comment.webp?fit=max&auto=format&n=266r_aE9BWR2B51C&q=85&s=d1239cc77511e4dd5251cb116f8ea4d4" alt="Bitbucket comment example" width="1641" height="1221" data-path="images/setup-deployment/scm-integrations/bitbucket-cloud/bb-cloud-comment.webp" />

Click **Link to Finding** to view the details of the finding in Endor Labs.

For secrets, Endor Labs also generates a comment with the line number where the secret is detected.

<img src="https://mintcdn.com/endorlabs-b4795f4f/266r_aE9BWR2B51C/images/setup-deployment/scm-integrations/bitbucket-cloud/bb-cloud-secret-comment.webp?fit=max&auto=format&n=266r_aE9BWR2B51C&q=85&s=121c9797ddd78c2aa249477ecffe73da" alt="Bitbucket secrets comment example" width="1229" height="530" data-path="images/setup-deployment/scm-integrations/bitbucket-cloud/bb-cloud-secret-comment.webp" />

## View PR scan findings

When you create a new pull request, the Endor Labs Bitbucket Cloud App scans the pull request. Endor Labs generates findings based on the finding policy.

1. Sign in to Endor Labs and select **Projects** from the left sidebar.

2. Select the project for which you want to view the PR scan findings.

3. Select **PR runs** to view the PR scan findings.

   <img src="https://mintcdn.com/endorlabs-b4795f4f/266r_aE9BWR2B51C/images/setup-deployment/scm-integrations/bitbucket-cloud/bb-cloud-pr-run.webp?fit=max&auto=format&n=266r_aE9BWR2B51C&q=85&s=dedb9f56cc1249396db0e6038b9fbea0" alt="View PR scan findings" width="1989" height="878" data-path="images/setup-deployment/scm-integrations/bitbucket-cloud/bb-cloud-pr-run.webp" />

4. Select the PR for which you want to view the findings.

   <img src="https://mintcdn.com/endorlabs-b4795f4f/266r_aE9BWR2B51C/images/setup-deployment/scm-integrations/bitbucket-cloud/bitbucket-pr-scan-findings-details.webp?fit=max&auto=format&n=266r_aE9BWR2B51C&q=85&s=9e6387714324da4e02c709fd2b52b8c7" alt="View PR scan findings" width="539" height="1199" data-path="images/setup-deployment/scm-integrations/bitbucket-cloud/bitbucket-pr-scan-findings-details.webp" />

5. Click **View Findings** to view the findings on the PR.

   <img src="https://mintcdn.com/endorlabs-b4795f4f/266r_aE9BWR2B51C/images/setup-deployment/scm-integrations/bitbucket-cloud/bb-cloud-pr-scan-findings-details.webp?fit=max&auto=format&n=266r_aE9BWR2B51C&q=85&s=834dc878922c8643b1882a203df23784" alt="View PR scan findings in detail" width="1982" height="1148" data-path="images/setup-deployment/scm-integrations/bitbucket-cloud/bb-cloud-pr-scan-findings-details.webp" />

See [View Findings](/inventory-insights/findings) for more information on Findings in Endor Labs.
