
Scan

pipeleek bb scan

Scan BitBucket Pipelines

Synopsis

Create a Bitbucket scoped API token at https://id.atlassian.com/manage-profile/security/api-tokens and pass it to the --token flag. The --email flag expects your account's email address. To scan artifacts (this uses internal APIs) you need to extract the value of the cloud.session.token session cookie for bitbucket.org from your browser and supply it via the --cookie flag. A note on artifacts: Bitbucket artifacts are only stored for a limited time and only for paid accounts. Free accounts might not have artifacts available at all.

pipeleek bb scan [flags]

Examples

# Scan a workspace (find public ones here: https://bitbucket.org/repo/all/) without artifacts
pipeleek bb scan --token ATATTxxxxxx --email auser@example.com --workspace bitbucketpipelines

# Scan your owned repositories and their artifacts
pipeleek bb scan -t ATATTxxxxxx -c eyJxxxxxxxxxxx --artifacts -e auser@example.com --owned

# Scan all public repositories without their artifacts
# Note: if using --after, the API becomes quite unreliable 👀
pipeleek bb scan --token ATATTxxxxxx --email auser@example.com --public --max-pipelines 5 --after 2025-03-01T15:00:00+00:00

Options

      --after string               Filter public repos by a given date in ISO 8601 format: 2025-04-02T15:00:00+02:00 
  -a, --artifacts                  Scan artifacts
  -b, --bitbucket string           BitBucket API base URL (default "https://api.bitbucket.org/2.0")
      --confidence strings         Filter for confidence level, separate by comma if multiple. See readme for more info.
  -c, --cookie string              Bitbucket Cookie [value of cloud.session.token on https://bitbucket.org]
  -e, --email string               Bitbucket Email
  -h, --help                       help for scan
      --hit-timeout duration       Maximum time to wait for hit detection per scan item (e.g., 30s, 2m, 1h) (default 1m0s)
      --max-artifact-size string   Maximum artifact size to scan. Larger files are skipped. Format: https://pkg.go.dev/github.com/docker/go-units#FromHumanSize (default "500Mb")
      --max-pipelines int          Max. number of pipelines to scan per repository (default -1)
  -o, --owned                      Scan only user owned repositories
  -p, --public                     Scan all public repositories
      --threads int                Number of concurrent threads for scanning (default 4)
  -t, --token string               Bitbucket API token - https://id.atlassian.com/manage-profile/security/api-tokens
      --truffle-hog-verification   Enable TruffleHog credential verification to actively test found credentials and only report verified ones (enabled by default, disable with --truffle-hog-verification=false) (default true)
  -w, --workspace string           Workspace name to scan

Options inherited from parent commands

      --color              Enable colored log output (auto-disabled when using --logfile) (default true)
      --ignore-proxy       Ignore HTTP_PROXY environment variable
      --json               Use JSON as log output format
      --log-level string   Set log level globally (debug, info, warn, error). Example: --log-level=warn
  -l, --logfile string     Log output to a file
  -v, --verbose            Enable debug logging (shortcut for --log-level=debug)

SEE ALSO