Bitbucket Cloud
Supported on Enterprise plans.
Available via the Web app.
Site admins can sync Git repositories hosted on Bitbucket Cloud with Sourcegraph so that users can search and navigate the repositories.
To connect Bitbucket Cloud to Sourcegraph:
- Go to Site admin > Manage code hosts > Add repositories.
- Select Bitbucket.org.
- Configure the connection to Bitbucket Cloud using the action buttons above the text field. Additional fields can be added using Cmd/Ctrl+Space for auto-completion. See the configuration documentation below.
- Press Add repositories.
Repository syncing
Currently, all repositories belonging to the user configured will be synced.
In addition, there is one more field for configuring which repositories are mirrored:
- teamsA list of teams (workspaces) that the configured user has access to whose repositories should be synced.
- excludeA list of repositories to exclude, which takes precedence over the- teamsfield.
Configuration options
Bitbucket Cloud code host connections can be configured with either a username and app password combination, or with workspace access tokens.
Username and app password
- Visit your Bitbucket account settings page.
- Navigate to App passwords.
- Select Create app password.
- Give your app password a label.
- Select the Projects: Readpermission.Repositories: Readshould automatically be selected.
- Press Create.
Use the newly created app password and your username to configure the Bitbucket Cloud connection:
JSON{ "url": "https://bitbucket.org", "username": "USERNAME", "appPassword": "<PASSWORD>", // ... other settings }
Workspace access token
- Visit the Bitbucket Cloud workspace settings page of the workspace you want to create an access token for.
- Navigate to Security > Access tokens.
- Press Create workspace access token.
- Give your access token a name.
- Select the Projects: Readpermission.Repositories: Readshould automatically be selected.
- Press Create.
Use the newly created access token to configure the Bitbucket Cloud connection:
JSON{ "url": "https://bitbucket.org", "accessToken": "ACCESS_TOKEN", // ... other settings }
HTTPS cloning
Sourcegraph clones repositories from your Bitbucket Cloud via HTTP(S), using the username and appPassword required fields you provide in the configuration.
Rate limits
Read about how Bitbucket Cloud applies rate limits here.
When Sourcegraph encounters rate limits on Bitbucket Cloud, it will retry the request with exponential back-off, until 5 minutes have passed. If the connection is still being rate limited after 5 minutes, the request will be dropped.
Internal rate limits
User authentication
To configure Bitbucket Cloud as an authentication provider (which will enable sign-in via Bitbucket Cloud), see the authentication documentation.
Repository permissions
Prerequisite: Add Bitbucket Cloud as an authentication provider.
Then, add or edit a Bitbucket Cloud connection as described above and include the authorization field:
JSON{ // The URL used to set up the Bitbucket Cloud authentication provider must match this URL. "url": "https://bitbucket.com", "username": "horsten", "appPassword": "$APP_PASSWORD", // ... "authorization": {} }
NOTE: It can take some time to complete full cycle of repository permissions sync if you have a large number of users or repositories. See sync duration time for more information.
Configuration
Bitbucket Cloud connections support the following configuration options, which are specified in the JSON editor in the site admin "Manage code hosts" area.
admin/code_hosts/bitbucket_cloud.schema.json
JSON{ "$id": "bitbucket_cloud.schema.json#", "$schema": "http://json-schema.org/draft-07/schema#", "additionalProperties": false, "allowComments": true, "description": "Configuration for a connection to Bitbucket Cloud.", "oneOf": [ { "allOf": [ { "required": [ "accessToken" ] }, { "not": { "required": [ "username" ] } }, { "not": { "required": [ "appPassword" ] } } ] }, { "not": { "required": [ "accessToken" ] }, "required": [ "username", "appPassword" ] } ], "properties": { "accessToken": { "description": "The workspace access token to use when authenticating with Bitbucket Cloud.", "type": "string" }, "apiURL": { "description": "The API URL of Bitbucket Cloud, such as https://api.bitbucket.org. Generally, admin should not modify the value of this option because Bitbucket Cloud is a public hosting platform.", "examples": [ "https://api.bitbucket.org" ], "format": "uri", "not": { "pattern": "example\\.com", "type": "string" }, "pattern": "^https?://", "type": "string" }, "appPassword": { "description": "The app password to use when authenticating to the Bitbucket Cloud. Also set the corresponding \"username\" field.", "type": "string" }, "authorization": { "description": "If non-null, enforces Bitbucket Cloud repository permissions. This requires that there is an item in the [site configuration json](https://sourcegraph.com/docs/admin/config/site_config#auth-providers) `auth.providers` field, of type \"bitbucketcloud\" with the same `url` field as specified in this `BitbucketCloudConnection`.", "properties": { "identityProvider": { "description": "The identity provider to use for user information. If not set, the `url` field is used.", "type": "string" } }, "title": "BitbucketCloudAuthorization", "type": "object" }, "exclude": { "description": "A list of repositories to never mirror from Bitbucket Cloud. Takes precedence over \"teams\" configuration.\n\nSupports excluding by name ({\"name\": \"myorg/myrepo\"}) or by UUID ({\"uuid\": \"{fceb73c7-cef6-4abe-956d-e471281126bd}\"}).", "examples": [ [ { "name": "myorg/myrepo" }, { "uuid": "{fceb73c7-cef6-4abe-956d-e471281126bc}" } ], [ { "name": "myorg/myrepo" }, { "name": "myorg/myotherrepo" }, { "pattern": "^topsecretproject/.*" } ] ], "items": { "additionalProperties": false, "anyOf": [ { "required": [ "name" ] }, { "required": [ "uuid" ] }, { "required": [ "pattern" ] } ], "properties": { "name": { "description": "The name of a Bitbucket Cloud repo (\"myorg/myrepo\") to exclude from mirroring.", "pattern": "^[\\w-]+/[\\w.-]+$", "type": "string" }, "pattern": { "description": "Regular expression which matches against the name of a Bitbucket Cloud repo.", "format": "regex", "type": "string" }, "uuid": { "description": "The UUID of a Bitbucket Cloud repo (as returned by the Bitbucket Cloud's API) to exclude from mirroring.", "pattern": "^\\{[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\\}$", "type": "string" } }, "title": "ExcludedBitbucketCloudRepo", "type": "object" }, "type": "array" }, "gitSSHCipher": { "$ref": "git.schema.json#/definitions/gitSSHCipher", "description": "SSH cipher to use when cloning via SSH. Must be a valid choice from `ssh -Q cipher`." }, "gitSSHCredential": { "$ref": "git.schema.json#/definitions/gitSSHCredential", "description": "SSH keys to use when cloning Git repo." }, "gitURLType": { "default": "http", "description": "The type of Git URLs to use for cloning and fetching Git repositories on this Bitbucket Cloud.\n\nIf \"http\", Sourcegraph will access Bitbucket Cloud repositories using Git URLs of the form https://bitbucket.org/myteam/myproject.git.\n\nIf \"ssh\", Sourcegraph will access Bitbucket Cloud repositories using Git URLs of the form git@bitbucket.org:myteam/myproject.git. See the documentation for how to provide SSH private keys and known_hosts: https://sourcegraph.com/docs/admin/repo/auth#repositories-that-need-http-s-or-ssh-authentication.", "enum": [ "http", "ssh" ], "examples": [ "ssh" ], "type": "string" }, "maxDeletions": { "default": 0, "description": "The maximum number of repos that will be deleted per sync. A value of 0 or less indicates no maximum.", "type": "integer" }, "rateLimit": { "default": { "enabled": true, "requestsPerHour": 7200 }, "description": "Rate limit applied when making background API requests to Bitbucket Cloud.", "properties": { "enabled": { "default": true, "description": "true if rate limiting is enabled.", "type": "boolean" }, "requestsPerHour": { "default": 7200, "description": "Requests per hour permitted. This is an average, calculated per second. Internally, the burst limit is set to 500, which implies that for a requests per hour limit as low as 1, users will continue to be able to send a maximum of 500 requests immediately, provided that the complexity cost of each request is 1.", "minimum": 0, "type": "number" } }, "required": [ "enabled", "requestsPerHour" ], "title": "BitbucketCloudRateLimit", "type": "object" }, "repos": { "description": "An array of repository \"projectKey/repositorySlug\" strings specifying repositories to mirror on Sourcegraph.", "examples": [ [ "myproject/myrepo", "myproject/myotherrepo" ] ], "items": { "pattern": "^~?[\\w-]+/[\\w.-]+$", "type": "string" }, "type": "array" }, "repositoryPathPattern": { "default": "{host}/{nameWithOwner}", "description": "The pattern used to generate the corresponding Sourcegraph repository name for a Bitbucket Cloud repository.\n\n - \"{host}\" is replaced with the Bitbucket Cloud URL's host (such as bitbucket.org), and \"{nameWithOwner}\" is replaced with the Bitbucket Cloud repository's \"owner/path\" (such as \"myorg/myrepo\").\n\nFor example, if your Bitbucket Cloud is https://bitbucket.org and your Sourcegraph is https://src.example.com, then a repositoryPathPattern of \"{host}/{nameWithOwner}\" would mean that a Bitbucket Cloud repository at https://bitbucket.org/alice/my-repo is available on Sourcegraph at https://src.example.com/bitbucket.org/alice/my-repo.\n\nIt is important that the Sourcegraph repository name generated with this pattern be unique to this code host. If different code hosts generate repository names that collide, Sourcegraph's behavior is undefined.", "type": "string" }, "teams": { "description": "An array of team names identifying Bitbucket Cloud teams whose repositories should be mirrored on Sourcegraph.", "examples": [ [ "name" ], [ "kubernetes", "golang", "facebook" ] ], "items": { "pattern": "^[\\w-]+$", "type": "string" }, "type": "array" }, "url": { "!go": { "typeName": "NormalizedURL" }, "description": "URL of Bitbucket Cloud, such as https://bitbucket.org. Generally, admin should not modify the value of this option because Bitbucket Cloud is a public hosting platform.", "examples": [ "https://bitbucket.org" ], "format": "uri", "not": { "pattern": "example\\.com", "type": "string" }, "pattern": "^https?://", "type": "string" }, "username": { "description": "The username to use when authenticating to the Bitbucket Cloud. Also set the corresponding \"appPassword\" field.", "type": "string" }, "webhookSecret": { "deprecationMessage": "Deprecated in favour of first class webhooks. See https://sourcegraph.com/docs/admin/config/webhooks/incoming#deprecation-notice", "description": "A shared secret used to authenticate incoming webhooks (minimum 12 characters).", "minLength": 12, "type": "string" } }, "required": [ "url" ], "title": "BitbucketCloudConnection", "type": "object" }
Configuration Notes
Bitbucket Cloud connections provide streamlined configuration for cloud-hosted repositories:
- Authentication Options: Support for both username/app password and workspace access tokens
- Repository Selection: Uses teamsfor workspace-based syncing andexcludefor filtering unwanted repositories
- Path Patterns: The repositoryPathPatternfield uses{host}and{nameWithOwner}variables for repository naming
- Workspace Access: Workspace access tokens provide more granular control than user-based app passwords
Authentication Methods
Bitbucket Cloud supports two primary authentication approaches:
- Username/App Password: User-scoped access with app passwords created in personal settings
- Workspace Access Token: Workspace-scoped access tokens with fine-grained permissions
- Projects/Repositories Permissions: Both methods require Projects: ReadandRepositories: Readpermissions
Rate Limiting Configuration
Bitbucket Cloud connections include rate limiting for API management:
- Default: 7,200 requests per hour with rate limiting enabled
- Bitbucket Cloud enforces API request limits based on plan type
- Sourcegraph implements exponential backoff for rate limit handling
Security Considerations
Authentication Security
App Passwords: Provide user-level access with specific permissions:
- Create app passwords with minimal required permissions (Projects: Read,Repositories: Read)
- Use dedicated service accounts rather than personal accounts when possible
- App passwords inherit the user's repository access permissions
- Regularly audit and rotate app passwords
Workspace Access Tokens: Provide workspace-level access control:
- More secure than user-based app passwords for organizational use
- Scoped to specific workspaces, limiting access surface
- Support fine-grained permissions for better security posture
- Recommended for production deployments
Repository Permissions
Bitbucket Cloud permission syncing considerations:
- Permission syncing requires Bitbucket Cloud as an authentication provider
- User access is determined by their Bitbucket Cloud account permissions
- Workspace access tokens provide read-only access to repositories
- OAuth flow ensures proper user authentication and authorization
HTTPS Security
Bitbucket Cloud connections use HTTPS by default:
- All API communication is encrypted using TLS
- Git operations use HTTPS with authentication credentials
- SSH access is supported but requires additional key configuration
- No custom certificate configuration needed for cloud service
Common Examples
Basic Team Sync with App Password
JSON{ "url": "https://bitbucket.org", "username": "sourcegraph-bot", "appPassword": "ATBBxxxxxxxxxxxxxxxxxx", "teams": [ "engineering-team", "platform-team" ] }
Workspace Access Token Configuration
JSON{ "url": "https://bitbucket.org", "accessToken": "BBAR-xxxxxxxxxxxxxxxxxx", "teams": ["my-workspace"], "exclude": [ {"name": "my-workspace/legacy-project"}, {"pattern": "^.*-archive$"} ] }
SSH Access with Custom Path Pattern
JSON{ "url": "https://bitbucket.org", "username": "deployment-user", "appPassword": "ATBBxxxxxxxxxxxxxxxxxx", "teams": ["mobile-apps"], "gitURLType": "ssh", "repositoryPathPattern": "bitbucket/{nameWithOwner}" }
Repository Permissions with OAuth
JSON{ "url": "https://bitbucket.org", "accessToken": "BBAR-xxxxxxxxxxxxxxxxxx", "teams": ["enterprise-workspace"], "authorization": {}, "exclude": [ {"name": "enterprise-workspace/internal-docs"} ] }
High-volume Configuration with Rate Limiting
JSON{ "url": "https://bitbucket.org", "accessToken": "BBAR-xxxxxxxxxxxxxxxxxx", "teams": ["large-organization"], "rateLimit": { "enabled": true, "requestsPerHour": 5000 }, "webhookSecret": "your-webhook-secret-here" }
Best Practices
Authentication Management
- Use workspace access tokens for production deployments instead of personal app passwords
- Create dedicated service accounts when using username/app password authentication
- Apply least-privilege principles by granting only necessary permissions
- Regularly audit token usage and rotate credentials periodically
Repository Organization
- Organize by workspaces using the teamsfield to sync relevant repositories
- Use exclusion patterns to filter out archived, experimental, or sensitive repositories
- Implement consistent naming with repositoryPathPatternfor better organization
- Monitor workspace changes as team membership affects repository access
Performance Optimization
- Configure appropriate rate limits to stay within Bitbucket Cloud's API limits
- Use workspace access tokens for better rate limit handling
- Monitor API usage to avoid hitting plan-based limits
- Optimize team selections to sync only necessary repositories
Security Management
- Enable repository permissions by configuring Bitbucket Cloud as an auth provider
- Use workspace access tokens for better security isolation
- Implement webhook security with strong shared secrets
- Regularly review team membership to ensure appropriate repository access
Maintenance
- Monitor connection health through the site admin interface
- Review team configurations as organizational structure changes
- Update exclusion patterns when repository naming conventions change
- Test authentication changes in staging environments before production deployment
Webhooks
Using the webhooks property on the external service has been deprecated.
Please consult this page in order to configure webhooks.