> ## Documentation Index
> Fetch the complete documentation index at: https://docs.endorlabs.com/llms.txt
> Use this file to discover all available pages before exploring further.
# Deploy Endor Labs Bitbucket App in Bitbucket Data Center
> Learn how to continuously monitor your environment with the Endor Labs Bitbucket App.
export const Diagram = ({children}) => {
const [svg, setSvg] = useState('');
const [error, setError] = useState(null);
const [mounted, setMounted] = useState(false);
const [id] = useState(() => `diagram-${Math.random().toString(36).slice(2)}`);
const DEFAULTS = {
theme: 'base',
fontSize: '14px',
fontFamily: 'inherit',
primaryColor: '#26D07C',
primaryTextColor: '#000000',
primaryBorderColor: '#059669',
secondaryColor: '#e5e7eb',
secondaryTextColor: '#000000',
secondaryBorderColor: '#9ca3af',
tertiaryColor: '#e5e7eb',
tertiaryTextColor: '#000000',
tertiaryBorderColor: '#9ca3af',
lineColor: '#6b7280',
background: '#ffffff',
edgeLabelBackground: '#f9fafb',
clusterBkg: '#f0fdf4',
clusterBorder: '#059669',
nodeTextColor: '#000000',
endorColor: '#26D07C',
endorBorder: '#059669',
managedColor: '#A7F3D0',
managedBorder: '#059669',
externalColor: '#e5e7eb',
externalBorder: '#9ca3af'
};
const VAR_LINE_RE = /^(\w+):\s*(.+)$/;
const TOKEN_RE = /\{\{(\w+)\}\}/g;
const parseVarsBlock = raw => {
const vars = {};
const lines = raw.trim().split('\n');
const diagramLines = [];
let inVars = false;
for (const line of lines) {
const trimmed = line.trim();
if (trimmed === '%%vars') {
inVars = true;
continue;
}
if (inVars && trimmed === '%%') {
inVars = false;
continue;
}
if (inVars) {
const m = VAR_LINE_RE.exec(trimmed);
if (m) vars[m[1]] = m[2];
} else {
diagramLines.push(line);
}
}
return {
vars,
diagramLines
};
};
const buildInitConfig = merged => ({
theme: merged.theme,
themeVariables: {
fontSize: merged.fontSize,
fontFamily: merged.fontFamily,
primaryColor: merged.primaryColor,
primaryTextColor: merged.primaryTextColor,
primaryBorderColor: merged.primaryBorderColor,
secondaryColor: merged.secondaryColor,
secondaryTextColor: merged.secondaryTextColor,
secondaryBorderColor: merged.secondaryBorderColor,
tertiaryColor: merged.tertiaryColor,
tertiaryTextColor: merged.tertiaryTextColor,
tertiaryBorderColor: merged.tertiaryBorderColor,
lineColor: merged.lineColor,
background: merged.background,
edgeLabelBackground: merged.edgeLabelBackground,
clusterBkg: merged.clusterBkg,
clusterBorder: merged.clusterBorder,
nodeTextColor: merged.nodeTextColor
}
});
const renderWithMermaid = (mermaid, fullDiagram) => {
mermaid.initialize({
startOnLoad: false,
zoom: {
enabled: false
}
});
mermaid.render(id, fullDiagram).then(({svg: rendered}) => {
setSvg(rendered);
setError(null);
}).catch(err => setError(err.message));
};
useEffect(() => {
setMounted(true);
}, []);
useEffect(() => {
if (!mounted || !children) return;
const raw = typeof children === 'string' ? children : String(children);
const {vars, diagramLines} = parseVarsBlock(raw);
const merged = {
...DEFAULTS,
...vars
};
const diagram = diagramLines.join('\n').trim().replaceAll(TOKEN_RE, (_, key) => merged[key] || '');
const fullDiagram = `%%{init: ${JSON.stringify(buildInitConfig(merged))}}%%\n${diagram}`;
const existing = document.getElementById(id);
if (existing) existing.remove();
if (globalThis.mermaid) {
renderWithMermaid(globalThis.mermaid, fullDiagram);
} else {
const script = document.createElement('script');
script.src = 'https://cdn.jsdelivr.net/npm/mermaid@11/dist/mermaid.min.js';
script.onload = () => renderWithMermaid(globalThis.mermaid, fullDiagram);
script.onerror = () => setError('Failed to load Mermaid');
document.head.appendChild(script);
}
}, [mounted, children, id]);
if (!mounted) return null;
if (error) {
return
Diagram error: {error}
;
}
if (!svg) {
return
Loading diagram...
;
}
return ;
};
Endor Labs provides a Bitbucket App that continuously monitors users' projects for security and operational risks in Bitbucket Data Center. You can use the Bitbucket App to selectively scan your repositories for SCA, secrets, and SAST.
When you use the Endor Labs Bitbucket App, it creates namespaces based on your projects in Bitbucket Data Center. The namespaces created by the Endor Labs Bitbucket App are managed namespaces and not regular namespaces. You can either configure the URL to Bitbucket Data Center to import all the projects or configure the project key to import a specific project in Endor Labs.
You can use the following characters in Endor Labs namespaces: lowercase letters (a–z), digits (0–9), hyphens (-), and underscores (\_). Additionally, the namespace can have a maximum of 64 characters. If the Bitbucket host or your projects have a different naming convention, Endor Labs converts the corresponding namespaces to comply with the naming convention.
See [Manage Bitbucket Data Center App](/setup-deployment/scm-integrations/bitbucket-datacenter-app/manage-bitbucket-datacenter-app) to learn how to manage your Bitbucket Data Center App integration in Endor Labs.
## Managed namespaces for Bitbucket Data Center
You need to add the Bitbucket Data Center host or a project to an Endor Labs namespace. Endor Labs maps the Bitbucket host and projects as managed namespaces.
Managed namespaces have the following restrictions:
* You cannot delete managed namespaces.
* You cannot delete repositories within managed namespaces.
* You cannot add projects or create namespaces within managed namespaces.
* You cannot create new Endor Labs App installations within managed namespaces.
### Namespace structure when you add a Bitbucket Data Center host
When you add a Bitbucket Data Center host to an Endor Labs namespace, Endor Labs creates a child namespace for the Bitbucket host and creates child namespaces for each project in the host under the host namespace. The namespaces of the host and projects are managed namespaces. If there are periods (`.`) in the Bitbucket Data Center hostname, it is converted to a hyphen (`-`). You can add multiple Bitbucket Data Center hosts to the same Endor Labs namespace. Each host will have its own managed namespace.
If your host name is `bitbucket.deerinc.com` and you have three projects, `buck`, `doe`, and `fawn`, Endor Labs creates four managed namespaces: `bitbucket-deerinc-com`, `buck`, `doe`, and `fawn`. The namespaces `buck`, `doe`, and `fawn` are child namespaces of the `bitbucket-deerinc-com` namespace.
The following image shows the namespace structure in Endor Labs.
{`
graph TD
%% Endor Labs namespace
EN[endor-bitbucket]
%% Bitbucket projects
O1[bitbucket-deerinc-com]
P1[buck]
P2[doe]
P3[fawn]
%% connections
EN --> O1
O1 --> P1
O1 --> P2
O1 --> P3
class EN,EN2 endor
class O1,P1,P2,P3 managed
classDef managed fill:#5EEAD4
`}
### Namespace structure when you add a Bitbucket Data Center project
When you add a Bitbucket Data Center project to an Endor Labs namespace, Endor Labs creates a child namespace for the Bitbucket Data Center project and maps all repositories in that project to this namespace. The child namespace that maps to the Bitbucket Data Center project is a managed namespace. The managed namespace has the name, `_`. For example, if your Bitbucket hostname is `bitbucket.deerinc.com` and project name is `doe`, the managed namespace will have the name, `bitbucket-deerinc-com_doe`.
You can add multiple projects to the same Endor Labs namespace. Each project will have its own managed namespace. For example, your hostname is `bitbucket.deerinc.com`, which has three projects, `buck`, `doe`, and `fawn`. You add each project to the Endor Labs namespace, `endor-bitbucket`.
The following image shows the namespace structure in Endor Labs.
{`
graph TD
%% Endor Labs namespace
EN[endor-bitbucket]
%% Bitbucket projects
A1[bitbucket-deerinc-com_buck]
A2[bitbucket-deerinc-com_doe]
A3[bitbucket-deerinc-com_fawn]
%% connections
EN --> A1
EN --> A2
EN --> A3
class EN,EN2 endor
class A1,A2,A3 managed
classDef managed fill:#5EEAD4
`}
## Default branch detection
When Endor Labs scans a repository for the first time, it detects the default branch of the repository. The findings that are created in the scan are associated with the default branch.
### Changing the default branch
When you change the default branch in your source control system (for example, from `main` to `dev`):
* Endor Labs automatically detects the new default branch and sets that as the default reference
* The previous default branch becomes a reference branch
* Scans continue on the new default branch and the reference branch
The findings associated with the previous default branch are no longer associated with the default context reference. You can view them in the reference context.
### Renaming the default branch
When you rename the default branch in your source control system:
* Endor Labs automatically switches to the renamed branch
* Scans continue without disruption
### Adding repository versions
When you add a new repository version (for example, a `dev` branch), both the default branch and the new version are scanned by the Endor Labs App.
### Control default branch detection
You can control the default branch detection by setting the `ENDOR_SCAN_TRACK_DEFAULT_BRANCH` environment variable in a scan profile. You need to configure the project to use the scan profile. See [Configure scan profiles](/scan/scan-profiles) for more information.
By default, the environment variable is set to `true`. When set to `true`, the default branch detection is enabled, and the first branch you scan is automatically considered as the default branch.
## Prerequisites for Bitbucket Data Center App
Ensure the following prerequisites are in place before you install the Endor Labs Bitbucket App.
* A publicly accessible Bitbucket Data Center host set up with HTTPS.
* A [Bitbucket HTTP access token](https://confluence.atlassian.com/bitbucketserver/http-access-tokens-939515499.html) with at least `Project read` permission at the project level.
* If your Bitbucket Data Center instance is self-hosted behind a firewall with ingress restrictions, you must configure your firewall to allow inbound connections from Endor Labs. See [Firewall & Proxy Rules](/best-practices/troubleshooting/firewall-rules#ingress-rules-for-restricted-environments) for detailed guidance on configuring firewall access.
**Admin Authorization Role**
Only users with admin authorization role in Endor Labs can create and manage installations. See [Authorization roles](/platform-administration/rbac/authorization-roles) for more information.
## Install the Bitbucket Data Center App
1. Select **Projects** from the left sidebar.
2. Click **Add Project**.
3. Under **Namespace**, select the Endor Labs namespace for this installation.
We recommend you use a [child namespace](/platform-administration/namespaces) for better organization of your projects.
4. Select **Bitbucket** on the **Scan your repositories** page.
5. Select **Bitbucket Data Center**.
6. Enter the Bitbucket hostname URL.
* To import all the projects, provide the base Bitbucket Data Center URL in the format `https://`.
* To import a specific project, provide the project URL in the format `https:///projects/{project-key}`. For example, `https://bitbucket.company.com/projects/LAB`.
Endor Labs creates namespaces for all projects that are available in the Bitbucket Data Center host.
7. Enter the Bitbucket Data Center HTTP access token.
**Permissions for the HTTP access token**
The HTTP access token must have at least the read permission for Projects.
If you want to scan pull requests, the HTTP access token must have at least write permission for Repositories and read permission for Projects. For more information, see [Create an HTTP access token](/setup-deployment/scm-integrations/bitbucket-datacenter-app/bitbucket-datacenter-pr-scans#create-an-http-access-token).
8. Click **Create Bitbucket Data Center Installation**.
9. Select the scan types to enable in **Scanners**.
* **SCA**: Perform software composition analysis and discover AI models used in your repository.
* **Secret**: Scan Bitbucket projects for exposed secrets.
* **SAST**: Scan Bitbucket projects to generate SAST findings.
The available scan types depend upon your license.
10. Select **Include Archived Repositories** to scan your archived repositories.
By default, the Bitbucket archived repositories aren't scanned.
11. Optionally, you can continue to [Configure Bitbucket Data Center App PR scans](/setup-deployment/scm-integrations/bitbucket-datacenter-app/bitbucket-datacenter-pr-scans) to scan your pull requests.
Configure a scan profile to apply PR scans for specific repositories rather than all repositories in your Bitbucket project. See [Configure PR scans for specific repositories](/setup-deployment/scm-integrations/bitbucket-datacenter-app/bitbucket-datacenter-pr-scans/#configure-pr-scans-for-specific-repositories) for more information.
You can also enable PR scans later in the [Bitbucket Data Center App integration](/setup-deployment/scm-integrations/bitbucket-datacenter-app/bitbucket-datacenter-pr-scans#configure-pr-scans-for-existing-bitbucket-data-center-integrations).
12. Click **Start Scanning Repositories**.
Endor Labs Bitbucket Data Center App scans your Bitbucket projects every 24 hours and reports any new findings or changes to release versions of your code.