Overview
The Bitbucket integration monitors your workspace repositories, branch restrictions, member access, and pipeline configurations. LowerPlane uses read-only access (the single write permission, webhook registration, is listed under the scopes below) and does not access source code contents.
Authentication
Bitbucket uses OAuth 2.0 for authentication. When you connect, you will be redirected to Bitbucket to authorize LowerPlane.
Required Permissions (OAuth Scopes)
| Scope | What It Grants | Why LowerPlane Needs It |
|---|---|---|
| account | Read user and workspace info | List workspace members and identify the connecting user |
| repository | Read access to repositories | Read repository list, branch restrictions, and settings. LowerPlane calls only metadata endpoints and never fetches file contents. |
| pullrequest | Read pull requests | Read pull request counts and review status for compliance checks |
| webhook | Manage webhooks (the only write scope requested) | Register webhooks for change event notifications |
| pipeline | Read pipeline status | Check if Pipelines are enabled and read build/CI status |
The repository:admin scope is intentionally excluded. LowerPlane does not need administrative access to your repositories. Note that the repository scope itself grants read access to the whole repository, including source through the API; the no-code-access boundary is enforced by which endpoints LowerPlane calls (metadata only), not by the scope, so review the granted app in Bitbucket if you need to confirm the scope set.
What LowerPlane Collects
Repository Metadata
Name, visibility, language, default branch, open PR count
Branch Restrictions
Required approvals, push restrictions, force push prevention
Workspace Members
Member list for access reviews and offboarding checks
Pipeline Status
Pipeline enablement and build status for CI/CD compliance
Security Tests
LowerPlane runs 8 tests against your Bitbucket workspace:
| Test | Severity | Applies To |
|---|---|---|
| Code repo should be classified | Critical | Each repository |
| Bitbucket user should have MFA enabled | Critical | Each member (manual) |
| Bitbucket workspace level MFA should be enforced | Critical | Workspace (manual) |
| Merging of code changes should require passing status-checks | High | Each repository |
| Code changes should be reviewed by peers before merging | High | Each repository |
| Branch Protection rules should be enforced | High | Each repository |
| Bitbucket access should be removed for offboarded user | Critical | Each member |
| Bitbucket Pipelines should be enabled for vulnerability scanning | Medium | Each repository (disabled) |
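The three High-severity repository tests above are all decided from the branch restriction rules the integration collects. The following is an added illustration, not LowerPlane's own code, of how those rules can be evaluated for a repository's default branch. The input is a constructed sample shaped like the `values` array returned by Bitbucket's `GET /2.0/repositories/{workspace}/{repo_slug}/branch-restrictions` endpoint; the pass criteria (at least one required approval, at least one required passing build, force pushes blocked plus a direct-push restriction) are assumptions about what the tests check, and the `evaluate_branch_protection` and `rule_applies` names are hypothetical.

```python
"""Evaluate Bitbucket branch restrictions against the three High-severity tests.

Added example; assumes the pass criteria stated in the lead-in, which are not
necessarily the exact thresholds LowerPlane applies.
"""
from fnmatch import fnmatchcase

# Constructed sample, shaped like the `values` array of
# GET /2.0/repositories/{workspace}/{repo_slug}/branch-restrictions.
# Rules are scoped to a branch pattern, so a rule on release/* says nothing
# about main; the evaluation has to resolve which rules hit the branch at hand.
SAMPLE_RESTRICTIONS = [
    {"kind": "require_approvals_to_merge", "branch_match_kind": "glob",
     "pattern": "main", "value": 1},
    {"kind": "require_passing_builds_to_merge", "branch_match_kind": "glob",
     "pattern": "release/*", "value": 1},
    {"kind": "force", "branch_match_kind": "glob", "pattern": "main"},
    # A push rule with empty users/groups means nobody may push directly;
    # any listed users/groups are exemptions and weaken the control.
    {"kind": "push", "branch_match_kind": "glob", "pattern": "main",
     "users": [], "groups": []},
]


def rule_applies(rule, branch):
    """True if a restriction rule is in force for the given branch name."""
    match_kind = rule.get("branch_match_kind", "glob")
    if match_kind == "glob":
        return fnmatchcase(branch, rule.get("pattern", ""))
    if match_kind == "branching_model":
        # Assumption: the default branch fills the development/production
        # role of the branching model, so rules keyed on those apply to it.
        return rule.get("branch_type") in ("development", "production")
    return False


def evaluate_branch_protection(restrictions, default_branch):
    """Return per-test verdicts plus the evidence that produced them."""
    active = [r for r in restrictions if rule_applies(r, default_branch)]

    def max_value(kind):
        return max((int(r.get("value") or 0) for r in active
                    if r["kind"] == kind), default=0)

    approvals = max_value("require_approvals_to_merge")
    builds = max_value("require_passing_builds_to_merge")
    force_blocked = any(r["kind"] == "force" for r in active)
    push_rules = [r for r in active if r["kind"] == "push"]
    push_exemptions = sum(len(r.get("users", [])) + len(r.get("groups", []))
                          for r in push_rules)

    return {
        "tests": {
            "Code changes should be reviewed by peers before merging": approvals >= 1,
            "Merging of code changes should require passing status-checks": builds >= 1,
            "Branch Protection rules should be enforced": force_blocked and bool(push_rules),
        },
        "detail": {
            "required_approvals": approvals,
            "required_builds": builds,
            "force_push_blocked": force_blocked,
            "push_restricted": bool(push_rules),
            "push_exemptions": push_exemptions,
        },
    }


if __name__ == "__main__":
    for branch in ("main", "release/1.0", "feature/x"):
        verdict = evaluate_branch_protection(SAMPLE_RESTRICTIONS, branch)
        print(branch, verdict["tests"], verdict["detail"])
```

Run as written, `main` passes the review and branch-protection tests but fails the status-check test, because the only passing-builds rule is scoped to `release/*`; a branch that no rule matches fails all three. The `push_exemptions` count is worth surfacing in evidence: a push rule that exempts an admin group still passes the boolean check but is a weaker control than an empty one.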
MFA Tests (Manual Evidence Required)
Bitbucket's public API does not expose per-user two-step verification (2SV) status or the workspace-level 2SV policy. The MFA tests are therefore configured as manual evidence-upload tests.
Open Atlassian Admin Console
Go to admin.atlassian.com and select your organization.
Take a Screenshot
Capture a screenshot showing the 2SV report for all workspace members, or the authentication policy requiring 2SV.
Connecting
Navigate to Integrations
Go to Settings > Integrations and find Bitbucket in the Developer Tools category.
Where to Find the App
After connecting, you can find the LowerPlane app in Bitbucket:
- Per-user: Personal Settings > App authorizations
- Workspace: Workspace Settings > OAuth consumers
Data Access
| Data Type | Access |
|---|---|
| Repository metadata | Read |
| Branch restriction rules | Read |
| Workspace members | Read |
| Pipeline status | Read |
| Member MFA status | Manual evidence only |
| Source code / file contents | No access |
| Commit history / diffs | No access |
| Issues / discussions | No access |