This project provides a centralized and automated way to scan selected Bitbucket repositories for leaked secrets (e.g., API keys, passwords, tokens) using the open-source TruffleHog tool. It is designed to run in Bitbucket Pipelines and send summary results to a Microsoft Teams channel.
- Clones and scans specific Bitbucket repositories
- Uses TruffleHog to detect verified secrets
- Scans all branches and full commit history
- Sends a clean, concise summary of results to a Teams channel
- Produces JSON reports as downloadable artifacts
```text
.
├── bitbucket-pipelines.yml   # Defines the pipeline and scanning steps
├── ignore_repos.txt          # List of repos that should not be scanned
├── scan_repos.sh             # Script to clone & scan selected repos
├── notify_teams.sh           # Script to summarize results & send to Teams
└── reports/                  # Auto-generated scan reports (JSON)
```
Go to Repository Settings → Repository Variables, and add the following:

Variable Name | Description | Example / Notes |
---|---|---|
TEAMS_WEBHOOK_URL | Incoming webhook for Microsoft Teams | Get from your Teams channel |
BB_USERNAME | (If scanning private repos) Your Bitbucket username | Optional unless using HTTPS auth |
BB_APP_PASSWORD | (If scanning private repos) Bitbucket App Password | See Bitbucket → App Passwords |
To scan the configured repositories manually:
- Commit changes to `main`
- Go to Bitbucket → Pipelines → Run Pipeline
- Select the `main` branch
- Select the `custom: trufflehog-scan-selected` pipeline
- Click Run
To run scans daily or weekly:
- Go to Repository Settings → Pipelines → Schedules
- Add a new schedule:
  - Branch: `main`
  - Pipeline: `exposed-secrets-scanner`
  - Frequency: Daily or Weekly
To scan specific repositories, edit the `REPOS` list inside `scan_repos.sh`:

```bash
REPOS=(
  "https://bitbucket.org/your-org/repo-one.git"
  "https://bitbucket.org/your-org/repo-two.git"
)
```
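The JSON reports written by the scan step feed the Teams summary step. As an added example (not the project's own `notify_teams.sh`), the Python below parses TruffleHog JSON-lines output, keeps only verified findings, and builds a Teams incoming-webhook MessageCard that carries the redacted value and never the raw secret. It assumes the field names of TruffleHog v3's `--json` output (`SourceMetadata.Data.Git`, `DetectorName`, `Verified`, `Raw`, `Redacted`); the sample report is constructed.

```python
import json
import urllib.request
from collections import Counter
# Constructed sample of TruffleHog JSON-lines output; the field names follow
# TruffleHog v3's --json format as assumed here, and every value is made up.
SAMPLE_REPORT = """\
{"SourceMetadata":{"Data":{"Git":{"commit":"a1b2c3d4","file":"config/prod.env","repository":"https://bitbucket.org/your-org/repo-one.git","line":12}}},"DetectorName":"AWS","Verified":true,"Raw":"AKIAEXAMPLEKEY0000000","Redacted":"AKIA***"}
{"SourceMetadata":{"Data":{"Git":{"commit":"e4f5a6b7","file":"README.md","repository":"https://bitbucket.org/your-org/repo-one.git","line":3}}},"DetectorName":"Slack","Verified":false,"Raw":"xoxb-not-real","Redacted":"xoxb***"}
{"SourceMetadata":{"Data":{"Git":{"commit":"c7d8e9f0","file":"deploy.sh","repository":"https://bitbucket.org/your-org/repo-two.git","line":40}}},"DetectorName":"Github","Verified":true,"Raw":"ghp_notreal","Redacted":"ghp_***"}
"""
def parse_findings(report_text, verified_only=True):
    """Parse TruffleHog JSON lines into dicts that never carry the raw secret."""
    findings = []
    for line in report_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if verified_only and not rec.get("Verified"):
            continue
        git = rec.get("SourceMetadata", {}).get("Data", {}).get("Git", {})
        findings.append({
            "repo": git.get("repository", "unknown"),
            "file": git.get("file", "?"),
            "line": git.get("line"),
            "commit": (git.get("commit") or "")[:7],
            "detector": rec.get("DetectorName", "Unknown"),
            # Only the redacted form is kept; the channel must never see "Raw".
            "redacted": rec.get("Redacted", "<redacted>"),
        })
    return findings

def build_teams_card(findings):
    """Build a Teams incoming-webhook MessageCard summarising findings per repo."""
    per_repo = Counter(f["repo"] for f in findings)
    facts = [{"name": repo, "value": f"{n} verified secret(s)"}
             for repo, n in sorted(per_repo.items())]
    detail = "\n".join(f"- {f['detector']} in {f['file']}:{f['line']} (commit {f['commit']}) {f['redacted']}" for f in findings)
    return {
        "@type": "MessageCard",
        "@context": "https://schema.org/extensions",
        "themeColor": "D13438" if findings else "107C10",
        "summary": f"TruffleHog: {len(findings)} verified secret(s)",
        "sections": [{"activityTitle": "Exposed secrets scan", "facts": facts, "text": detail}],
    }

def post_to_teams(webhook_url, card):
    """POST the card to the webhook stored in the TEAMS_WEBHOOK_URL variable."""
    req = urllib.request.Request(webhook_url, data=json.dumps(card).encode(),
                                 headers={"Content-Type": "application/json"})
    return urllib.request.urlopen(req, timeout=10).status
```

Run it in the pipeline as `post_to_teams(os.environ["TEAMS_WEBHOOK_URL"], build_teams_card(parse_findings(open("reports/repo-one.json").read())))`, one call per report or once over the concatenated reports.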