Skip to content

Bitbucket Integration

Authorize Vygl on Bitbucket Cloud to discover repositories, register webhooks, and post pull-request comments.

  1. Open Settings → Connections in Vygl.

  2. Click Connect Bitbucket. You’re redirected to Bitbucket’s OAuth authorization screen.

  3. Authorize. Approve the requested scopes — repository, pullrequest:write, and webhook.

  4. Pick repositories. Bitbucket redirects back to Vygl. Select the repositories you want scanned and (optionally) configure branch filtering.

Webhooks register automatically. Pushes and pull requests trigger scans.

ScopeWhy
repository (read)Clone the repository for scanning
pullrequest:writePost comments on pull requests, set build status
webhookCreate and manage per-repo scan-trigger webhooks

OAuth tokens are refreshed transparently before expiry.

  1. Bitbucket fires a webhook for the push or PR event. Vygl verifies an HMAC-SHA256 signature over the body using the per-repo webhook secret.
  2. Vygl clones the repository at the new commit.
  3. Scan engines run server-side.
  4. Findings appear in the dashboard, deduplicated against history.
  5. For pull requests, Vygl posts a fresh summary comment (one per scan) and writes build status.

The managed OAuth flow is Bitbucket Cloud only — endpoints, scopes, and API paths are Cloud-specific. To scan code on Bitbucket Server / Data Center, use the CI + Git-token flow: PR-comment posting picks up the Server REST API automatically when the project’s repository URL points to a non-bitbucket.org host.

Teardown has two independent halves — do both for a clean removal:

  • In Vygl — disable a single repository, or disconnect the whole provider, from Settings → Connections. See Managing connected repositories.
  • On Bitbucket — revoke the authorization (Personal settings → App authorizations). Webhook events stop immediately.

Existing scans and findings are retained in Vygl regardless.