Bitbucket Integration
CodeStax integrates with Bitbucket Cloud for repository scanning, PR reviews, and automated security checks.
Connecting Bitbucket
During Signup
Click Continue with Bitbucket on the signup page. This authorizes CodeStax and connects your Bitbucket account automatically.
After Signup
- Go to Settings on the dashboard
- Click Connect Bitbucket
- Authorize CodeStax in the Bitbucket OAuth consent screen
Permissions
CodeStax requests standard Bitbucket OAuth scopes for repository access, profile information, and notifications.
Features
Repository Import
Import repositories from any Bitbucket workspace you have access to. CodeStax shows all available repositories with search and multi-select.
PR Reviews
Bitbucket webhook integration triggers automatic security reviews on pull requests:
- Analyzes diff for vulnerabilities
- Assigns risk score
- Records findings
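How a scanner might turn an incoming pull request webhook into a review job, as an added example (not CodeStax's own code). It assumes Bitbucket Cloud's delivery headers (X-Event-Key, and X-Hub-Signature carrying "sha256=<hex HMAC>" when the webhook was created with a secret) and the pullrequest/repository fields of the pullrequest:created and pullrequest:updated payloads; the job dict shape and the sample payload are constructed for this example. The point a practitioner cares about is the order of operations: verify the HMAC over the raw body first, only then parse JSON and act on it.

```python
"""Receive a Bitbucket Cloud pull request webhook and turn it into a review job.

Added example, not CodeStax code. Assumptions: X-Event-Key and X-Hub-Signature
headers as delivered by Bitbucket Cloud webhooks with a secret configured, and
the pullrequest/repository fields of the PR event payloads. The job dict and
SAMPLE_PAYLOAD are this example's own.
"""
import hashlib
import hmac
import json

# Events that should trigger a diff review; everything else is ignored.
REVIEW_EVENTS = {"pullrequest:created", "pullrequest:updated"}


def sign(secret, body):
    """Signature in the form Bitbucket sends it: 'sha256=' + hex HMAC over the raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret, body, header):
    """Constant-time comparison on the raw bytes, before any JSON parsing happens."""
    if not header or not header.startswith("sha256="):
        return False
    return hmac.compare_digest(sign(secret, body), header)


def review_job_from_webhook(headers, body, secret):
    """Return a review job for PR events, None for events we don't review.

    Raises PermissionError when the signature is missing or wrong, so an
    unauthenticated request never reaches the parser or the scan queue.
    """
    if not verify_signature(secret, body, headers.get("X-Hub-Signature")):
        raise PermissionError("webhook signature check failed")
    event = headers.get("X-Event-Key")
    if event not in REVIEW_EVENTS:
        return None
    payload = json.loads(body)
    pr = payload["pullrequest"]
    return {
        "event": event,
        "repo": payload["repository"]["full_name"],
        "pr_id": pr["id"],
        "source_commit": pr["source"]["commit"]["hash"],
        "destination_commit": pr["destination"]["commit"]["hash"],
    }


# Constructed sample payload (a trimmed-down pullrequest:created event).
SAMPLE_PAYLOAD = json.dumps({
    "repository": {"full_name": "acme/webapp"},
    "pullrequest": {
        "id": 42,
        "source": {"commit": {"hash": "a1b2c3d4"}},
        "destination": {"commit": {"hash": "e5f6a7b8"}},
    },
}).encode()


if __name__ == "__main__":
    secret = b"example-webhook-secret"  # constructed; the real secret lives in the webhook config
    hdrs = {"X-Event-Key": "pullrequest:created",
            "X-Hub-Signature": sign(secret, SAMPLE_PAYLOAD)}
    print(review_job_from_webhook(hdrs, SAMPLE_PAYLOAD, secret))
```

The handler deliberately returns None rather than raising for non-PR events such as repo:push, so the same endpoint can be registered for several event types without the unhandled ones showing up as delivery failures in Bitbucket.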
Token Refresh
Bitbucket OAuth access tokens are short-lived. CodeStax refreshes them automatically using the refresh token issued at authorization time, so scans and reviews keep working without you having to re-authorize.
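What "automatic refresh" looks like in practice, as an added example rather than CodeStax's own implementation. It assumes the Bitbucket Cloud OAuth 2.0 token endpoint (https://bitbucket.org/site/oauth2/access_token, grant_type=refresh_token, client credentials sent as HTTP Basic auth); the stored token record shape, the 60-second skew margin and the injectable `send` hook are this example's own choices. The refresh is triggered by a local expiry check before each API call, so a token is never presented to the API after it has lapsed.

```python
"""Refresh a Bitbucket Cloud OAuth access token before it expires.

Added example, not CodeStax code. Assumes the Bitbucket Cloud token endpoint
with grant_type=refresh_token and Basic-auth client credentials. The token
record shape ({access_token, refresh_token, expires_at}) and the skew margin
are this example's own.
"""
import base64
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://bitbucket.org/site/oauth2/access_token"
SKEW_SECONDS = 60  # refresh a little early so an in-flight request never hits expiry


def is_expired(token, now=None):
    """True once the token is within SKEW_SECONDS of its absolute expiry."""
    now = time.time() if now is None else now
    return now >= token["expires_at"] - SKEW_SECONDS


def build_refresh_request(token, client_id, client_secret):
    """(url, headers, body) for the refresh call.

    Client credentials go in the Authorization header, never in the query
    string, so they do not land in access logs or proxies.
    """
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode({
        "grant_type": "refresh_token",
        "refresh_token": token["refresh_token"],
    }).encode()
    return TOKEN_URL, headers, body


def apply_refresh_response(token, response_json, now=None):
    """Merge the token endpoint's JSON into a new record.

    expires_in is relative, so it is converted to an absolute timestamp here.
    If the response carries a new refresh token, keep it; otherwise keep the old one.
    """
    now = time.time() if now is None else now
    new = dict(token)
    new["access_token"] = response_json["access_token"]
    new["refresh_token"] = response_json.get("refresh_token", token["refresh_token"])
    new["expires_at"] = now + int(response_json["expires_in"])
    return new


def _http_post(url, headers, body):
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def ensure_fresh(token, client_id, client_secret, now=None, send=_http_post):
    """Return a usable token record, refreshing it only when needed.

    `send(url, headers, body) -> dict` defaults to a real HTTPS POST; tests
    pass a fake so the logic can be exercised offline.
    """
    if not is_expired(token, now):
        return token
    url, headers, body = build_refresh_request(token, client_id, client_secret)
    return apply_refresh_response(token, send(url, headers, body), now)


# Constructed sample record; in a real deployment this is read from encrypted storage.
SAMPLE_TOKEN = {"access_token": "old-access", "refresh_token": "r1", "expires_at": 1000.0}
```

Keep the refreshed record in the same encrypted store the original came from and treat the refresh token as the long-lived secret it is: anyone holding it can mint new access tokens for as long as the grant is valid.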
Supported Bitbucket Features
| Feature | Status |
|---|---|
| Repository import | Supported |
| Private repo scanning | Supported |
| PR reviews | Supported |
| Auto-scan on push | Supported |
| Webhook integration | Supported |
| Bitbucket Server (self-hosted) | Coming soon |
| Quality-Gate Code Insights | Supported |
| Quality-Gate PR comment (upsert) | Supported |
Quality-Gate Code Insights
When a quality gate is configured and Bitbucket Connect is installed, every completed scan posts a Code Insights report on the scanned commit. The report is visible in the Bitbucket commit view and in the PR overview.
- Report key: codestax-quality-gate
- Result mapping:
| Gate status | Code Insights result |
|---|---|
| passed | PASSED ✓ |
| failed + block-merge ON | FAILED ✗ |
| failed + block-merge OFF (monitor mode) | PASSED (visible, non-blocking) |
| not_configured | PASSED (empty) |
Bitbucket Code Insights doesn’t have “neutral”/“skipped” — PASSED is our non-blocking fallback. Use block-merge-on-fail to get FAILED when you want hard enforcement.
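The result mapping from the table above, carried through to an actual Code Insights report body, as an added example (not CodeStax's code). It assumes the Bitbucket Cloud Code Insights API: a report is PUT to /2.0/repositories/{workspace}/{repo_slug}/commit/{commit}/reports/{report_id} with a result of PASSED or FAILED, and per-finding annotations are posted under that report's /annotations path. The gate dict fields (status, block_merge, violations) and the violation fields are this example's own.

```python
"""Map a quality-gate outcome to a Bitbucket Code Insights report and annotations.

Added example, not CodeStax code. Gate statuses and the PASSED/FAILED mapping
follow the table on this page; the payload shapes follow the Bitbucket Cloud
Code Insights API (report_type, reporter, result, data entries; annotation
external_id, annotation_type, severity, path, line, summary). The `gate` dict
and the violation fields are this example's own.
"""

REPORT_KEY = "codestax-quality-gate"
STATUSES = {"passed", "failed", "not_configured"}
API = "https://api.bitbucket.org/2.0/repositories"


def code_insights_result(status, block_merge):
    """FAILED only when the gate failed AND block-merge is on.

    Every other case is PASSED: Code Insights has no neutral or skipped
    result, so monitor mode and 'no gate configured' must not block merges.
    """
    if status not in STATUSES:
        raise ValueError(f"unknown gate status: {status!r}")
    if status == "failed" and block_merge:
        return "FAILED"
    return "PASSED"


def build_report(gate, scan_url):
    """Report body for PUT .../commit/{commit}/reports/codestax-quality-gate."""
    status = gate["status"]
    block_merge = bool(gate.get("block_merge", False))
    violations = gate.get("violations", [])
    if status == "not_configured":
        details = "No quality gate configured for this repository."
    elif status == "failed" and not block_merge:
        details = f"{len(violations)} violation(s); monitor mode, merge not blocked."
    else:
        details = f"{len(violations)} violation(s)."
    return {
        "title": "CodeStax quality gate",
        "details": details,
        "report_type": "SECURITY",
        "reporter": "CodeStax",
        "result": code_insights_result(status, block_merge),
        "link": scan_url,
        "data": [
            {"title": "Gate status", "type": "TEXT", "value": status},
            {"title": "Violations", "type": "NUMBER", "value": len(violations)},
            {"title": "Block merge on fail", "type": "BOOLEAN", "value": block_merge},
        ],
    }


def build_annotations(violations):
    """One annotation per violation so findings appear inline in the diff view.

    external_id must be stable across re-scans so Bitbucket replaces rather
    than duplicates annotations; path+line+rule is used here for that.
    """
    return [
        {
            "external_id": f"{REPORT_KEY}:{v['path']}:{v['line']}:{v['rule']}",
            "annotation_type": "VULNERABILITY",
            "severity": v.get("severity", "MEDIUM"),
            "path": v["path"],
            "line": v["line"],
            "summary": v["message"],
        }
        for v in violations
    ]


def report_url(workspace, repo_slug, commit):
    return f"{API}/{workspace}/{repo_slug}/commit/{commit}/reports/{REPORT_KEY}"


# Constructed sample gate outcome: one finding, block-merge left off (monitor mode).
SAMPLE_GATE = {
    "status": "failed",
    "block_merge": False,
    "violations": [
        {"path": "app/db.py", "line": 17, "rule": "sql-injection",
         "severity": "HIGH", "message": "string-formatted SQL query"},
    ],
}
```

The annotations are posted separately from the report; the report's result is what a branch restriction keys on, while the annotations only add context to the diff view.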
Making the Check Required
In Bitbucket Repository Settings → Branch restrictions, add a “Require successful builds” rule referencing the codestax-quality-gate report key.
Quality-Gate PR Comment
Alongside Code Insights, a top-level PR comment is upserted with the violations and fix hints. It uses the same marker-based upsert as the GitHub integration: one comment per PR, and each re-scan updates that comment in place, so the PR timeline is not flooded with repeats.
Disable it by setting SCANNER_PR_COMMENT_ENABLED=0 on the scanner server.
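The marker-based upsert described above, as an added example rather than CodeStax's implementation. It assumes the Bitbucket Cloud PR comment endpoints (GET and POST .../pullrequests/{id}/comments, PUT .../comments/{comment_id}, markdown in content.raw) behind a three-method client interface; the marker text, the comment layout and the in-memory FakeBitbucket that stands in for the API are this example's own. SCANNER_PR_COMMENT_ENABLED is the switch named on this page.

```python
"""Upsert a single scanner comment on a pull request, identified by a marker line.

Added example, not CodeStax code. Assumes Bitbucket Cloud's PR comment
endpoints behind an `api` object with list_comments / create_comment /
update_comment; MARKER, render_comment and FakeBitbucket are this example's own.
"""
import os

# Hypothetical marker: a markdown "link reference" line that renders as nothing
# in most markdown engines. Matching is done on the raw text, so it works even
# if a renderer shows it.
MARKER = "[//]: # (codestax-quality-gate)"


def comments_enabled(env=os.environ):
    """SCANNER_PR_COMMENT_ENABLED=0 turns the comment off; anything else leaves it on."""
    return env.get("SCANNER_PR_COMMENT_ENABLED", "1") != "0"


def render_comment(violations):
    """Markdown body: marker first, then one line per violation with its fix hint."""
    lines = [MARKER, "**CodeStax quality gate**", ""]
    if not violations:
        lines.append("No violations. Gate passed.")
    for v in violations:
        lines.append(f"- `{v['path']}:{v['line']}` {v['message']} (fix: {v['fix']})")
    return "\n".join(lines)


def find_marked_comment(comments):
    """Return the id of our earlier comment on this PR, or None if there is none."""
    for c in comments:
        if c.get("content", {}).get("raw", "").startswith(MARKER):
            return c["id"]
    return None


def upsert_pr_comment(api, workspace, repo, pr_id, violations, env=os.environ):
    """Create the comment on first scan, update it in place on every later scan."""
    if not comments_enabled(env):
        return None
    body = render_comment(violations)
    existing = find_marked_comment(api.list_comments(workspace, repo, pr_id))
    if existing is None:
        return api.create_comment(workspace, repo, pr_id, body)
    return api.update_comment(workspace, repo, pr_id, existing, body)


class FakeBitbucket:
    """In-memory stand-in for the three comment endpoints (constructed for this example)."""

    def __init__(self):
        self.comments = []
        self.next_id = 1

    def list_comments(self, workspace, repo, pr_id):
        return [c for c in self.comments if c["pr"] == (workspace, repo, pr_id)]

    def create_comment(self, workspace, repo, pr_id, raw):
        c = {"id": self.next_id, "pr": (workspace, repo, pr_id), "content": {"raw": raw}}
        self.next_id += 1
        self.comments.append(c)
        return c["id"]

    def update_comment(self, workspace, repo, pr_id, comment_id, raw):
        for c in self.comments:
            if c["id"] == comment_id and c["pr"] == (workspace, repo, pr_id):
                c["content"]["raw"] = raw
                return comment_id
        raise KeyError(comment_id)


if __name__ == "__main__":
    api = FakeBitbucket()
    finding = [{"path": "app/db.py", "line": 17,
                "message": "string-formatted SQL query", "fix": "use a parameterized query"}]
    print(upsert_pr_comment(api, "acme", "webapp", 42, finding, env={}))  # first scan: create
    print(upsert_pr_comment(api, "acme", "webapp", 42, [], env={}))       # re-scan: update
    print(len(api.comments))                                              # still one comment
```

Against the real API the listing endpoint is paginated, so a production client should follow `next` links until the marked comment is found or the pages run out; otherwise a busy PR with many human comments can push the scanner comment past the first page and cause a duplicate.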