- Mark all sensitive variables as "Secured" in repository settings — Bitbucket encrypts them and masks values in build logs
- Use deployment variables for environment-specific secrets; they are only available to steps with a matching deployment: environment
- Restrict write access to the repository — any user with write access can modify bitbucket-pipelines.yml and exfiltrate pipeline variables
- Pin third-party pipes to specific version tags (e.g., atlassian/aws-s3-deploy:1.0.2), never use latest or unversioned references
- Never echo, print, or write secured variables to files in scripts — Bitbucket masks exact matches but not encoded or partial values
- Secured variables: mark as "Secured" via the padlock icon in repository/workspace settings; values are encrypted at rest and masked in logs
- Variable hierarchy precedence: pipeline step > deployment > repository > workspace — higher scopes are overridden by more specific ones
- Deployment variables: scoped to a specific environment (test, staging, production); only injected when a step specifies deployment: <env>
- Use deployment environment permissions to restrict who can trigger production deployments — separate dev and prod access
- Never echo secured variables or pass them as CLI arguments (they are visible in `ps` output and shell traces); if a tool needs a file, write the value to a temp file with restrictive permissions and delete it afterwards
- Bitbucket masks only exact matches of a variable's value in logs; it cannot mask base64-encoded, URL-encoded, or substring variations, so avoid transforming secured values in scripts
- Pin all third-party pipes to explicit version tags: atlassian/aws-s3-deploy:1.0.2, not :latest or :1 (floating major or minor tags move as new releases are published)
- Restrict repository write access rigorously — anyone with write access can alter the pipeline YAML to exfiltrate variables to external endpoints
- Use workspace-level variables for shared secrets (NPM tokens, Docker registry credentials) to avoid duplicating across repositories
- Use OIDC authentication with cloud providers (AWS, GCP, Azure) via atlassian/bitbucket-pipe-oidc where available — eliminates stored long-lived credentials
- Add IP allowlisting on critical infrastructure (registries, cloud accounts) to restrict access to Bitbucket Pipelines IP ranges only
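The following bitbucket-pipelines.yml is an added example, not taken from the original checklist or from Atlassian: it applies the points above (deployment-scoped secured variables, a manually triggered production step, a pinned pipe version, and a secret handed to a tool via a 0600 temp file instead of an argument). The variable names, bucket name, and `scripts/notify-release.sh` are placeholders.

```yaml
# Added example: a pipeline that follows the checklist above.
# All variable names, the bucket and the notify script are hypothetical.
image: atlassian/default-image:4

definitions:
  steps:
    - step: &build
        name: Build
        script:
          - npm ci
          - npm run build
        artifacts:
          - dist/**

pipelines:
  default:
    - step: *build
  branches:
    main:
      - step: *build
      - step:
          name: Deploy to production
          deployment: production   # production deployment variables are injected only here
          trigger: manual          # pair with deployment environment permissions for prod
          script:
            # DEPLOY_TOKEN is a Secured deployment variable: never echo it or pass it
            # as an argument. Hand it to the tool through a 0600 file and remove it.
            - umask 077
            - printf '%s' "$DEPLOY_TOKEN" > /tmp/deploy-token
            - ./scripts/notify-release.sh --token-file /tmp/deploy-token
            - rm -f /tmp/deploy-token
            # Third-party pipe pinned to an exact version tag, never :latest or :1.
            - pipe: atlassian/aws-s3-deploy:1.0.2
              variables:
                AWS_ACCESS_KEY_ID: $AWS_ACCESS_KEY_ID          # Secured, production-scoped
                AWS_SECRET_ACCESS_KEY: $AWS_SECRET_ACCESS_KEY  # Secured, production-scoped
                AWS_DEFAULT_REGION: 'us-east-1'
                S3_BUCKET: 'example-prod-bucket'               # placeholder bucket name
                LOCAL_PATH: 'dist'
```

Because the AWS keys are defined only on the `production` deployment, a pull-request or feature-branch build that edits this file still cannot read them, which limits what a user with write access can exfiltrate.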