credentialscanner is a plugin for Bitbucket Server that aims to protect against accidentally publishing security credentials such as private keys to git. credentialscanner installs a pre-receive hook which scans incoming changes for credentials. Since pre-receive hooks run before changes are written to git, it can effectively veto a git push. The scan itself involves checking the diff to the previous commit for lines added that match a list of patterns; if suspect credentials are found, the push fails.
credentialscanner detects credentials based on patterns. There will always be credential patterns that it is either not aware of or not able to accurately detect without a lot of false positives. See accuracy for an in-depth discussion of these limitations.
Users can easily bypass the detection patterns to force storage of real credentials (e.g. by splitting up text), and while doing so will be somewhat obvious from such contributions, the credentials would still have been published. It is not the intention of credentialscanner to prevent this kind of behaviour, which would be almost impossible to stop without revoking git push access.
credentialscanner provides Redress Tickets as a way to capture discussions around why exceptions are required or how a false alarm should be dealt with.
credentialscanner identifies credentials based on matching changes against a set of rules (ruleset) which describe:
When a search pattern matches a file of interest, credentialscanner reports that a credential has been detected.
When credentialscanner identifies a commit that looks like a credential or a bulk import, it will refuse the commit unless a ticket in Jira specifically authorises it. These Jira tickets are referred to as Redress Tickets.
Redress Tickets capture the reasons credentialscanner was ignored and any discussions around them, e.g.:
The value of the resolution field is used to make the final decision around accepting or rejecting changes, as explained below.