Scan
pipeleak bb scan
Scan BitBucket Pipelines
Synopsis
Scanning artifacts calls internal Bitbucket APIs, which require a browser session. Extract the value of the cloud.session.token cookie for https://bitbucket.org from your browser and supply it with the -c flag.
Examples
```shell
# Scan your owned repositories and their artifacts
pipeleak bb scan -t xxxxxxxxxxx -c eyJxxxxxxxxxxx -u auser --owned --artifacts

# Scan a workspace (find public ones here: https://bitbucket.org/repo/all/) without artifacts
pipeleak bb scan --token xxxxxxxxxxx --username auser --workspace bitbucketpipelines

# Scan all public repositories without their artifacts
# Note: if using --after, the API becomes quite unreliable 👀
pipeleak bb scan --token xxxxxxxxxxx --username auser --public --maxPipelines 5 --after 2025-03-01T15:00:00+00:00
```
Options
```text
      --after string              Filter public repos by a given date in ISO 8601 format: 2025-04-02T15:00:00+02:00
  -a, --artifacts                 Scan workflow artifacts
      --confidence strings        Filter for confidence level, separate by comma if multiple. See readme for more info.
  -c, --cookie string             Bitbucket Cookie [value of cloud.session.token on https://bitbucket.org]
  -h, --help                      help for scan
      --maxPipelines int          Max. number of pipelines to scan per repository (default -1)
  -o, --owned                     Scan user owned projects only
  -p, --public                    Scan all public repositories
      --threads int               Number of threads used to scan (default 4)
  -t, --token string              Bitbucket Application Password - https://bitbucket.org/account/settings/app-passwords/
      --truffleHogVerification    Enable the TruffleHog credential verification, will actively test the found credentials and only report those. Disable with --truffleHogVerification=false (default true)
  -u, --username string           Bitbucket Username
  -v, --verbose                   Verbose logging
  -w, --workspace string          Workspace name to scan
```
Options inherited from parent commands
```text
      --coloredLog       Output the human-readable log in color (default true)
      --json             Use JSON as log output format
  -l, --logfile string   Log output to a file
```
SEE ALSO