Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• Update dashboard and branch views to be consistent across products
• Add action link on a scan error to direct users to information about the error

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• Update dashboard and branch views to be consistent across products
• Add action link on a scan error to direct users to information about the error

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• If two branches point to the same exact commit, don't double-count those vulnerabilities when displaying finding counts in the dashboard.

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• If two branches point to the same exact commit, don't double-count those vulnerabilities when displaying finding counts in the dashboard.

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• Globally review findings with CSV uploads. See our documentation for more details.
• Bugfixes and improvements related to database query performance.
• UI bugfix in the Settings page where custom rules would sometimes not disappear when deleted.

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• Globally review findings with CSV uploads. See our documentation for more details.
• Bugfixes and improvements related to database query performance.
• UI bugfix in the Settings page where custom rules would sometimes not disappear when deleted.

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• Add a new option to exclude finding text from exports. (documentation)
• Update hook messages to clarify that findings are "potential" vulnerabilities.

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• Add a new option to exclude finding text from exports. (documentation)
• Update hook messages to clarify that findings are "potential" vulnerabilities.

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• CSV exports of findings now include new columns (described in the documentation) to locate finding text more precisely. Exports now contain all data required to mark findings reviewed.
• CSV column names have been capitalized in finding exports, and the "type" column has been renamed "Rule".

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• CSV exports of findings now include new columns (described in the documentation) to locate finding text more precisely. Exports now contain all data required to mark findings reviewed.
• CSV column names have been capitalized in finding exports, and the "type" column has been renamed "Rule".

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• Mitigated potential CSV injection attacks in exports.
• Fixed an issue where scans could get stuck in the queue due to lack of server resources.
• UI Bugfixes.
• Added Audit Log events for the following:
  • When the Security Hook warns about or blocks any commits.
  • When a scan is triggered.
• Created a new setting allowing easy debug logging.

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• Mitigated potential CSV injection attacks in exports.
• Fixed an issue where scans could get stuck in the queue due to lack of server resources.
• UI Bugfixes.
• Added Audit Log events for the following:
  • When the Security Hook warns about or blocks any commits.
  • When a scan is triggered.
• Created a new setting allowing easy debug logging.

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• Fixed a rare issue with scans that could have shown the incorrect state for scans if the plugin was disabled while scans were running.

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• Fixed a rare issue with scans that could have shown the incorrect state for scans if the plugin was disabled while scans were running.

Note this update will mark scans as outdated!

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• Reduces the false positive rate in some built-in rules. Note that if these rules are enabled, then scans will be marked as out of date, and your instance will need to be re-scanned.
  • AWS_SECRET_ACCESS_KEY
  • MAILCHIMP_API_KEY

Note this update will mark scans as outdated!

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• Reduces the false positive rate in some built-in rules. Note that if these rules are enabled, then scans will be marked as out of date, and your instance will need to be re-scanned.
  • AWS_SECRET_ACCESS_KEY
  • MAILCHIMP_API_KEY

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• Optimize database upgrades when upgrading from very old versions of the application (1.x.x)

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• Optimize database upgrades when upgrading from very old versions of the application (1.x.x)

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• Updates outdated package SnakeYAML to the latest version, 2.0. Previous versions of Security for Bitbucket have been analyzed to not permit exploits of CVEs in older SnakeYAML versions. This new version of SnakeYAML removes these attack surfaces.

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• Updates outdated package SnakeYAML to the latest version, 2.0. Previous versions of Security for Bitbucket have been analyzed to not permit exploits of CVEs in older SnakeYAML versions. This new version of SnakeYAML removes these attack surfaces.

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• Fixes UI bugs related to managing scanning rules

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• Fixes UI bugs related to managing scanning rules

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• Show line offsets in push rejection messages.
• Allow for the skip scan commit message pragma to be used to fix malformed soteri-security.yml files.
• Minor robustness improvements.

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• Show line offsets in push rejection messages.
• Allow for the skip scan commit message pragma to be used to fix malformed soteri-security.yml files.
• Minor robustness improvements.

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• Streamlined appearance of findings in the branch scan report

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• Streamlined appearance of findings in the branch scan report

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• Handle and report unexpected exceptions more robustly.

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• Handle and report unexpected exceptions more robustly.

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• UI Improvements

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• UI Improvements

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• Reduce false positives when scanning for AWS Client IDs

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• Reduce false positives when scanning for AWS Client IDs

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• Detect new fine-grained Github personal access tokens. Note: this update contains a rule definition, which will mark old scans as out of date.

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• Detect new fine-grained Github personal access tokens. Note: this update contains a rule definition, which will mark old scans as out of date.

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• Bitbucket 8 compatibility fixes.

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• Bitbucket 8 compatibility fixes.

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• This release fixes errors in some upgrade paths which have affected a small percentage of users.

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• This release fixes errors in some upgrade paths which have affected a small percentage of users.

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• Automatically detect when a re-scan is needed in all cases, and remove the "Force Rescan" option
• Expand findings by default in the Branch Scan Report

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• Automatically detect when a re-scan is needed in all cases, and remove the "Force Rescan" option
• Expand findings by default in the Branch Scan Report

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• Work around issues caused by using git 2.36+ with Bitbucket 7. This configuration is not supported by Atlassian, but has been found in a number of customer deployments.

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• Work around issues caused by using git 2.36+ with Bitbucket 7. This configuration is not supported by Atlassian, but has been found in a number of customer deployments.

Version 4.0 introduces optimized scanning which can result in a 10x+ speedup when scanning repositories with many branches.

Also in this release: export reviewed findings, to facilitate auditing what has been marked reviewed.

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Version 4.0 introduces optimized scanning which can result in a 10x+ speedup when scanning repositories with many branches.

Also in this release: export reviewed findings, to facilitate auditing what has been marked reviewed.

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• Now compatible with Bitbucket 8+

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• Now compatible with Bitbucket 8+

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• Added Audit Log messages indicating when findings are marked or unmarked reviewed, and who did so

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• Added Audit Log messages indicating when findings are marked or unmarked reviewed, and who did so

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• Security for Bitbucket Settings changes, hook bypasses, and per-repo configuration file changes now create Audit Events which are viewable in Bitbucket's Audit Log GUI.
• Bitbucket 6 is no longer supported.

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• Security for Bitbucket Settings changes, hook bypasses, and per-repo configuration file changes now create Audit Events which are viewable in Bitbucket's Audit Log GUI.
• Bitbucket 6 is no longer supported.

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• Fix case where plugin can incorrectly block repository imports.

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• Fix case where plugin can incorrectly block repository imports.

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• Tweak the color used to highlight findings
• Reduce false positives in AWS_SECRET_ACCESS_KEY

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• Tweak the color used to highlight findings
• Reduce false positives in AWS_SECRET_ACCESS_KEY

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• For each discovered vulnerability, the Branch Scan Report now highlights the exact text that triggers the rule.

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• For each discovered vulnerability, the Branch Scan Report now highlights the exact text that triggers the rule.

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• Added a repository-level dashboard, giving developers greater ability in scanning for, reviewing, and exporting vulnerabilities in their repositories.
• Added additional UI improvements.
• Added financial built-in rules to detect American bank routing numbers, Social Security numbers, and credit card numbers.

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• Added a repository-level dashboard, giving developers greater ability in scanning for, reviewing, and exporting vulnerabilities in their repositories.
• Added additional UI improvements.
• Added financial built-in rules to detect American bank routing numbers, Social Security numbers, and credit card numbers.

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• Dramatically reduces the rate of false positives for many built-in rules with entropy filters. Please note that installing this update will mark scans as out of date as built-in rule definitions have changed.
• Reduces Bitbucket performance impact during Security for Bitbucket updates.

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• Dramatically reduces the rate of false positives for many built-in rules with entropy filters. Please note that installing this update will mark scans as out of date as built-in rule definitions have changed.
• Reduces Bitbucket performance impact during Security for Bitbucket updates.

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• Project admins now have their own dashboard from which they can schedule scans, view vulnerabilities, and export reports for repositories/branches in their projects

Notable enhancements since version 2.0:

• Interactively review and hide false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Project admins now get their own dashboard
• Email notifications upon scan completion
• Scans display as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• Project admins now have their own dashboard from which they can schedule scans, view vulnerabilities, and export reports for repositories/branches in their projects

Notable enhancements since version 2.0:

• Interactively reviewing and hiding false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Email notifications upon scan completion
• Scans displayed as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• New pre-receive hook prevents changes which invalidate soteri-security.yml file.
• Bugfixes and improvements for custom rules.

Notable enhancements since version 2.0:

• Interactively reviewing and hiding false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Email notifications upon scan completion
• Scans displayed as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• New pre-receive hook prevents changes which invalidate soteri-security.yml file.
• Bugfixes and improvements for custom rules.

Notable enhancements since version 2.0:

• Interactively reviewing and hiding false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Email notifications upon scan completion
• Scans displayed as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• After scans are complete, built-in or custom rule changes will now invalidate those scans so users have a more accurate report.
• Additional UI improvements.

Notable enhancements since version 2.0:

• Interactively reviewing and hiding false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Email notifications upon scan completion
• Scans displayed as out of date when the rules change
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• After scans are complete, built-in or custom rule changes will now invalidate those scans so users have a more accurate report.
• Additional UI improvements.

Notable enhancements since version 2.0:

• Interactively reviewing and hiding false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Email notifications upon scan completion
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• Fix issues upgrading from very old plugin versions

Notable enhancements since version 2.0:

• Interactively reviewing and hiding false positives
• Grant access to settings to additional users and groups
• Warn-only and override-on modes for the security hook
• Email notifications upon scan completion
• Bypass the security hook via a special string in the commit message
• New and updated built-in scan rules, including detecting Trojan Source vulnerabilities
• Dramatic performance improvements

Changes since the previous version:

• Fixes issues upgrading from very old plugin versions

• The global dashboard now supports sorting projects, repositories, and branches in vulnerability order
• Performance fix -- add missing database index
• Address rare timeout on extremely loaded instances

• The global dashboard now supports sorting projects, repositories, and branches in vulnerability order
• Performance fix -- add missing database index
• Address rare timeout on extremely loaded instances

• Added a merge hook which rejects merges to the default branch which have a malformed per-repo configuration file
• Added a REST API call which makes it easier to restore default scanning behavior

• Added a merge hook which rejects merges to the default branch which have a malformed per-repo configuration file

• Added a REST API call which makes it easier to restore default scanning behavior

• Fixes issue where cancelling queued scans doesn't stop queueing new scans.
• Fixes issue which would sometimes cause scan failures for repositories with many files.
• REST API improvements for fetching project & repository status.

• Fixes issue where cancelling queued scans doesn't stop queueing new scans.
• Fixes issue which would sometimes cause scan failures for repositories with many files.
• REST API improvements for fetching project & repository status.

• Don't hide the export button when there are no findings.
• Switch olds package names from com.mohami to io.soteri, to simplify support troubleshooting.

• Don't hide the export button when there are no findings.
• Switch olds package names from com.mohami to io.soteri, to simplify support troubleshooting.

• Per-repository configuration is now loaded from the latest commit of the default branch of the repository. For more information on why we made this change, read our blog post on this feature and reference our documentation.
• Various bug fixes and improvements.

• Per-repository configuration is now loaded from the latest commit of the default branch of the repository. For more information on why we made this change, read our blog post on this feature and reference our documentation.
• Various bug fixes and improvements.

• Global exports and total_rescan APIs now include personal repositories.
• Fixes an issue in the global dashboard which could cause a project to be displayed more than once.

• Global exports and total_rescan APIs now include personal repositories.
• Fixes an issue in the global dashboard which could cause a project to be displayed more than once.

• Display the Trojan Source Unicode characters in the scan report. See documentation for a screenshot.
• Add a REST API for configuring which nodes in a Bitbucket Data Center cluster run scans. See documentation for more details.
• Minor bug fixes.

• Display the Trojan Source Unicode characters in the scan report. See documentation for a screenshot.
• Add a REST API for configuring which nodes in a Bitbucket Data Center cluster run scans. See documentation for more details.
• Minor bug fixes.

This critical update includes a new built-in rule, enabled by default, which detects potential Trojan Source attacks. See Soteri's recommendations for mitigating these attacks here.

This release also contains:

• Performance improvements when running scans.
• Mitigation for rare cases where the total_rescan API does not scan all repositories.

• Performance improvements when running scans.
• Mitigation for rare cases where the total_rescan API does not scan all repositories.

• Performance improvements in the global dashboard
• Minor styling issue fix in the global dashboard
• Log messages generated when rules and settings are changed

• Performance improvements in the global dashboard

• Minor styling issue fix in the global dashboard

• Log messages generated when rules and settings are changed

• Adds a new security hook configuration which overrides the security hook on. This configuration prevents disabling the hook in repository settings, and works on personal repositories too. See documentation for more details.

• Adds a new security hook configuration which overrides the security hook on. This configuration prevents disabling the hook in repository settings, and works on personal repositories too. See documentation for more details.

• Allows the user to easily configure in the UI the number of parallel scans that can be done.
• Fixes an issue with exporting extremely large reports.

• Allows the user to easily configure in the UI the number of parallel scans that can be done.
• Fixes an issue with exporting extremely large reports.

• Automatically distributes scans among all nodes in Bitbucket Data Center clusters, proportionally increasing scan throughput. See Scan Performance Tuning for details.
• Save number of parallel scans across Bitbucket reboots.

• Automatically distributes scans among all nodes in Bitbucket Data Center clusters, proportionally increasing scan throughput. See Scan Performance Tuning for details.

• Save number of parallel scans across Bitbucket reboots

• Fix Oracle DB compatibility issues introduced in 3.3.0. These issues prevented users from viewing the scan report.

• Fix Oracle DB compatibility issues introduced in 3.3.0. These issues prevented users from viewing the scan report.

• Prevent rare issue where multi-node installations would persistently show stale data on the global dashboard.

• Prevent rare issue where multi-node installations would persistently show stale data on the global dashboard.

• Fixes an issue where scans which were cancelled, or had some sort of error when run, would not be scheduled without force-scanning.

• Fixes an issue where scans which were cancelled, or had some sort of error when run, would not be scheduled without force-scanning.

• Hide false positives with the click of a button! Once reviewed they are also ignored in all future scans. For more information, see the documentation.

• Hide false positives with the click of a button! Once reviewed they are also ignored in all future scans. For more information, see the documentation.

• Fix issue where projects with 1000 or more repositories would not have all repositories scanned when doing project-level scans.
• Fix database issue when upgrading from Security for Bitbucket v1 to v3.

• Fix issue where projects with 1000 or more repositories would not have all repositories scanned when doing project-level scans.
• Fix database issue when upgrading from Security for Bitbucket v1 to v3.

• Optimize memory usage for report exports. This should prevent using too much memory in resource constrained instances.
• Fix in-app links to documentation.

See the full documentation for this version here.

• Optimize memory usage for report exports. This should prevent using too much memory in resource constrained instances.
• Fix in-app links to documentation.

• Rename "whitelist" to "allowlist" in the UI. Note that the allowlist pragmas remain the same so this is mostly a cosmetic change.
• The only functional change is renaming the "includeWhitelisted" REST API parameters.

• Rename "whitelist" to "allowlist" in the UI. Note that the allowlist pragmas remain the same so this is mostly a cosmetic change.
• The only functional change is renaming the "includeWhitelisted" REST API parameters.

• Optimization in memory usage while scanning

• Optimization in memory usage while scanning

• SOTERIA-177: Add email notification parameters to bulk scanning REST API, to get notifications on scan completion. Significantly improve scan queuing speed.

• SOTERIA-177: Add email notification parameters to bulk scanning REST API, to get notifications on scan completion. Significantly improve scan queuing speed.

• SOTERIA-217 This release changes the plugin logo to match the overall Soteri rebranding.

• SOTERIA-217 This release changes the plugin logo to match the overall Soteri rebranding.

• SOTERIA-193 - Fix Scan Report UI for repositories with >100 branches.

• SOTERIA-193 - Fix Scan Report UI for repositories with >100 branches.

• SOTERIA-202 Fix custom message when hook is used in warn-only mode

• SOTERIA-202 Fix custom message when hook is used in warn-only mode

• SOTERIA-156 You can now choose which users and groups get to access the Global Scan Report page. Read more about it here.

• SOTERIA-156 You can now choose which users and groups get to access the Global Scan Report page. Read more about it here.

• SOTERIA-194 -- Rather than exporting every scan every performed, just export the latest scan for each branch.

• SOTERIA-194 -- Rather than exporting every scan every performed, just export the latest scan for each branch.

• SOTERIA-197 - Alphabetize rules in scan results dropdown
• SOTERIA-69 - Handle common regular expression issues in custom rules

• SOTERIA-197 - Alphabetize rules in scan results dropdown
• SOTERIA-69 - Handle common regular expression issues in custom rules

• SOTERIA-164 Large exports are now dramatically faster

• SOTERIA-164 Large exports are now dramatically faster

• SOTERIA-191 Log a message to the Bitbucket log whenever the **bypass-soteri-security-check** string is used to bypass the pre-receive hook

• SOTERIA-191 Log a message to the Bitbucket log whenever the **bypass-soteri-security-check** string is used to bypass the pre-receive hook

• SOTERIA-173 - Improve built-in rule detection. Add support for detecting LinkedIn Client Secrets.
• SOTERIA-179 - Allow bypassing the security commit hook with special string "**skip-soteri-security-check**" in the commit message.
• SOTERIA-182 - Add built-in rules for detecting secrets for Sendgrid, Shopify, PyPI, Dynatrace, Azure. Alphabetize rules on the configuration page.

• SOTERIA-173 - Improve built-in rule detection. Add support for detecting LinkedIn Client Secrets.
• SOTERIA-179 - Allow bypassing the security commit hook with special string "**skip-soteri-security-check**" in the commit message.
• SOTERIA-182 - Add built-in rules for detecting secrets for Sendgrid, Shopify, PyPI, Dynatrace, Azure. Alphabetize rules on the configuration page.

• SOTERIA-181 - Detect new Github Authentication Token Format

• SOTERIA-181 - Detect new Github Authentication Token Format

• SOTERIA-170 - Don't display an ASCII Banner in Web UI Contexts
• SOTERIA-178 - Add more detailed logging when the hook rejects a commit.

• SOTERIA-170 - Don't display an ASCII Banner in Web UI Contexts
• SOTERIA-178 - Add more detailed logging when the hook rejects a commit.