Bitbucket is a powerful Git-based platform that supports DevOps teams with code hosting, automation, and seamless Jira integration. However, using Bitbucket safely requires more than just version control basics. To reduce risk, teams must apply strong bitbucket security controls and follow proven bitbucket security best practices throughout the development lifecycle.
This FAQ answers the most common questions developers ask when working with this platform, from creating branches to managing pipelines safely. Each section provides practical advice to help you avoid mistakes, strengthen your security posture, and keep delivery fast and reliable.
Ready to build securely? Let’s begin with how to create a branch and push code the right way.
What Is Bitbucket?
How Secure Is Bitbucket?
The platform includes several built-in security features to help protect your codebase, such as two-factor authentication, branch permissions, IP allowlists, and app integration controls. These are great starting points. However, they don’t fully cover everything you need to secure your CI/CD workflows and supply chain.
So, is it secure? That depends entirely on how your team uses it. Even with the default protections in place, applying bitbucket security best practices remains essential to avoid:
- Leaked secrets in commits or pipelines
- Over-permissioned service accounts or exposed tokens
- Risky pull request merges or unreviewed code changes
- Insecure third-party apps and unfiltered webhooks
Security here also means maintaining visibility across all code and automation paths, including CI logic in Pipelines. Without that, risks can slip through undetected.
This is where Xygeni adds depth. It strengthens bitbucket security by scanning source code, secrets, infrastructure-as-code, and pipeline workflows in real time. Moreover, it enforces policy controls like blocking merges with unresolved risks or flagging workflows with unsafe permissions.
In short, the platform gives you the tools. Xygeni ensures you use them securely, enabling teams to ship faster while reducing the chances of something critical slipping through.
How to Create a Branch in Bitbucket to Push Code
Creating a branch in Bitbucket helps you work on features, fixes, or experiments without affecting the main codebase. It’s a standard part of Git workflows, but if done without security in mind, it can open doors to risky changes or unreviewed code reaching production.
To create a branch and push code safely:
1. Clone your repository (if you haven’t already):
git clone https://bitbucket.org/your-org/your-repo.git
cd your-repo
2. Create a new branch:
git checkout -b feature/your-branch-name
3.Make your changes and commit:
git add .
git commit -m "Add new feature securely"
4. Push the branch to Bitbucket: bash
git push origin feature/your-branch-name
However, pushing a branch is just the start. To stay secure, always:
- Set up branch permissions in Bitbucket to prevent direct pushes to main
- Require pull request reviews and status checks
- Scan branches for secrets or vulnerable code before merging
- Enforce naming conventions to avoid confusion in shared projects
This is where bitbucket security best practices make a big impact. Xygeni helps by scanning your branch automatically after each push. It detects hardcoded secrets, insecure code patterns, and misconfigurations in pull requests before they get merged—giving your team full visibility without slowing things down.
For an in-depth guide on secure branching, check out
How to merge safely in GitHub with scans and guardrails
(Most practices apply to Bitbucket too.)
How to Clone a Bitbucket Repository
Cloning a repository from Bitbucket is usually the first step when contributing to a project. It creates a local copy of the code so you can work on it, push changes, and collaborate with your team. The command is simple:
git clone https://bitbucket.org/your-org/your-repo.git
Although cloning seems harmless, it can carry security implications, especially in regulated environments or open repositories. For instance, a clone might include:
- Exposed secrets in previous commits
- Vulnerable dependencies in lockfiles
- Misconfigured CI/CD workflows
- Typosquatted packages
That’s why cloning isn’t just a Git operation, it’s part of your bitbucket security posture. Before you run git clone, ask:
- Is the repo private or public? If public, who last audited its contents?
- Do you trust the code’s origin, dependencies, and contributors?
- Have you configured local scanners to catch issues after cloning?
To apply bitbucket security best practices, teams should:
- Enable repository-level scanning for secrets and malware
- Use
.gitignoreto avoid pulling in local files unintentionally - Scan all files and Git history upon cloning
Xygeni strengthens this process by scanning your cloned repo for security risks, including hidden secrets, malicious dependencies, and tampered build configs. It adds visibility and protection from the moment the code touches your machine, helping you shift security left, automatically.
How to Delete a Branch in Bitbucket
Deleting branches in Bitbucket helps keep your repository clean, especially after merging changes. However, doing it carelessly can lead to problems like data loss, broken CI/CD pipelines, or undeleted stale code that still carries secrets or misconfigurations.
To delete a local branch:
git branch -d feature/your-branch-name
To delete a remote branch in Bitbucket:
git push origin --delete feature/your-branch-name
Before deleting any branch, apply these bitbucket security best practices:
- Confirm the branch is fully merged into main or dev
- Scan the branch before deletion to ensure it doesn’t hold any unmerged security fixes, secrets, or IaC misconfigurations
- Avoid deleting critical branches by mistake—set protections in Bitbucket to restrict this
- Check if automated jobs or deployments still depend on the branch, especially in Bitbucket Pipelines
In fact, remnants of deleted branches can still pose risks. For example, secrets committed and later “removed” might still exist in history unless properly scrubbed.
That’s where Xygeni comes in. It continuously monitors your repository branches, including deleted ones, for lingering risks, like hardcoded credentials, vulnerable dependencies, or CI/CD misconfigurations. Even if a branch is gone, Xygeni keeps an audit trail that helps your team understand what was pushed, reviewed, and merged before deletion.
Ultimately, branch cleanup is good practice, but only when done securely.
How to Pull a Repository from Bitbucket
Pulling a repository from Bitbucket keeps your local code up to date. It fetches the latest changes from the remote branch and merges them into your working branch:
git pull origin main
At first, pulling changes might seem like just another routine Git task. Yet, like many daily operations, it can introduce risk if you skip key precautions. Unverified code, outdated dependencies, or accidentally committed secrets can slip through with a single pull.
To apply bitbucket security best practices when syncing your local repo:
- Run
git statusbefore pulling to avoid overwriting uncommitted changes - Review upstream commits instead of assuming everything is safe
- Use signed commits to confirm the identity of contributors
- Automatically scan pulled code for secrets, malware, and policy violations
That’s where Xygeni comes in. It connects directly with your repositories to scan every commit, even those made by other teammates. As soon as you pull, Xygeni validates incoming changes, flags risky code or secrets, and ensures configuration integrity. This way, you stay in sync with the team without inheriting hidden security problems.
How to Create a Branch in Bitbucket to Push Code
Branching is more than just good Git hygiene—it’s a security step. Creating a dedicated branch allows you to isolate your changes, collaborate safely, and reduce the chance of introducing vulnerabilities into the main branch.
You can create and switch to a new branch locally with:
git checkout -b feature/new-featureThen push it to Bitbucket:
git push origin feature/new-feature
However, if not handled carefully, a new branch can quickly introduce security issues. To reduce risk and follow bitbucket security best practices, make sure to:
- Create branches only from trusted sources, such as a clean
mainordevelopbranch - Scan your code before pushing to catch secrets or vulnerable dependencies
- Exclude sensitive files early on, like
.envor local configs - Set protection rules that require code reviews and block force pushes
That’s where Xygeni adds value. It scans your pull requests in real time, detecting exposed secrets, misconfigurations, vulnerable code, and insecure workflows before anything gets merged. This way, you stay secure without slowing down your development flow.
Want to go deeper on safe branching and reviews?
Read how to protect your branches and PRs
How to Clone a Bitbucket Repository
Cloning a Bitbucket repository is usually the first step in contributing to a project. It copies the entire repo, including its history, to your local machine:
git clone https://your-team@bitbucket.org/your-team/your-repo.git
Although this seems simple, cloning also introduces potential bitbucket security concerns, especially when pulling from public or shared repositories.
Here’s how to clone safely:
- Only clone from trusted sources public Bitbucket repos may contain malware, typo-squatted packages, or malicious Git history
- Scan cloned repos immediately, especially before installing dependencies or running setup scripts
- Avoid using personal access tokens directly in URLs, use SSH keys or credential helpers instead
- Check the repo’s history for large binary blobs, exposed secrets, or signs of tampering
Every repository, whether public, internal, or third-party, is scanned immediately after cloning. Xygeni flags hardcoded secrets, vulnerable dependencies, suspicious files, and misconfigurations before any code runs, helping you shift security left with zero disruption.
So while cloning gets you started fast, a secure Bitbucket setup ensures you don’t introduce security debt from day one.
How to Delete a Branch in Bitbucket
Deleting branches in Bitbucket is a good practice once a feature or fix is merged. It helps reduce clutter and lowers the risk of someone pushing to an outdated or unprotected branch.
You can delete a remote branch with:
git push origin --delete feature/old-branch
Or delete it directly in the Bitbucket web UI by navigating to Branches, finding the branch, and clicking Delete.
However, before deleting anything, follow essential bitbucket security best practices:
- Make sure the branch was merged and reviewed to avoid losing context
- Remove stale branches regularly to reduce attack surface
- Check commit history for secrets or sensitive data
- Enforce lifecycle policies through automation or CI workflows
While the platform offers basic deletion controls, Xygeni adds continuous visibility. It monitors every branch for inactivity or hidden risks and supports automated cleanup across your repositories. By keeping your repo lean and clean, you lower the chances of hidden liabilities.
Connecting to Jira and SQL Server Securely
Combining your repo with Jira and SQL Server improves traceability and automation. Still, integrations bring new bitbucket security challenges, especially when credentials or tokens are involved.
For Jira connections:
- Use Atlassian’s native integration to link commits, branches, and PRs with Jira tickets
- Avoid hardcoding Jira tokens or credentials in repo files or CI scripts
- Limit permissions on linked Jira accounts used in automation
For database access:
- Use environment variables to store database connection strings securely
- Avoid embedding SQL secrets in pipeline scripts or
.ymlworkflows - Always audit CI/CD jobs that interact with production databases
Xygeni scans your repo, secrets, and workflow logic to catch unsafe patterns before they go live. It flags leaked Jira tokens, SQL credentials, and insecure script usage so your automation remains safe and compliant.
git branch -m old-name new-name
2. Push the new branch and delete the old one:
git push origin new-name
git push origin --delete old-name3. Update your default branch if needed in Bitbucket settings
4. Reconfigure any Bitbucket Pipelines, access rules, or integrations that referenced the old name
Fromsecurity perspective, renaming branches means rechecking everything attached to the old name:
- Review branch protection settings
- Reapply pipeline triggers and required checks
- Ensure sensitive workflows still follow secure paths
Xygeni helps here by mapping your entire Bitbucket workflow, including branches, pipelines, and policies. If renaming a branch breaks a rule or disables a guardrail, Xygeni will flag it before the mistake becomes a risk.
So yes, you can rename branches in Bitbucket. Just make sure security follows the rename too.
Bitbucket Server: Control Comes with Responsibility
Bitbucket Server is the self-managed version of the platform, preferred by organizations that need full control over their development workflows. Unlike Bitbucket Cloud, it runs on your own infrastructure, giving you more customization, but also placing security squarely on your shoulders.
From an application security and bitbucket security perspective, using Bitbucket Server safely means:
- Applying regular patches and updates to address vulnerabilities
- Enforcing secure configurations for authentication, access control, and SSL
- Isolating the server from the public internet or applying strong firewall rules
- Using secure storage for secrets, tokens, and database credentials
- Monitoring logs for unauthorized access or suspicious activity
Additionally, you should implement bitbucket security best practices like branch protection, permission management, and secure CI/CD workflow, just as you would in the cloud version.
Xygeni strengthens this setup by integrating directly with your self-hosted instance. It continuously scans code, secrets, infrastructure files, and pipeline logic for security risks. Whether you deploy on-premises or in a private cloud, Xygeni adapts to your environment and provides full visibility across your software supply chain.
With Bitbucket Server, you gain control, but with it comes the need for proactive security at every level.
GitLab vs Bitbucket
When comparing GitLab vs Bitbucket, most teams focus on features like CI/CD, code review, and integration options. However, for DevOps teams, the real comparison comes down to developer experience, automation, and security coverage.
Here’s how they stack up in terms of security and application security best practices:
Repository and Access Control
- Bitbucket integrates tightly with Atlassian tools like Jira, making it great for teams already in that ecosystem.
- GitLab offers built-in role-based access controls with fine-grained permissions.
Both platforms support 2FA, IP whitelisting, and audit logs.
CI/CD Security
- GitLab includes native CI/CD with built-in secret detection and policy management.
- Bitbucket Pipelines is simpler but often requires external tools to reach parity in visibility and enforcement.
Xygeni fills this gap for Bitbucket by scanning pipelines, detecting hardcoded secrets, and enforcing policy pre-merge.
Workflow Hardening
- GitLab has security dashboards and vulnerability management as part of its core product.
- Bitbucket relies more on third-party integrations. This can be powerful with the right setup, but risky if left unconfigured.
That’s why many Bitbucket users choose to integrate with Xygeni: to add proactive scanning for dependencies, IaC, GitOps, and secrets, so nothing risky lands in production.
How Xygeni Helps You Apply Bitbucket Security Best Practices
Security in Bitbucket isn’t just about access controls or visibility settings. It’s about protecting every part of your development workflow, from commits and pr to pipeline logic and secrets. That’s where Xygeni steps in.
Xygeni embeds continuous protection across your repositories and automation processes, helping your team stay fast without sacrificing security.
Here’s how it supports your bitbucket security best practices:
- Catches secrets before they spread
Real-time scanning detects hardcoded credentials in code and config files. Xygeni alerts your team before those secrets merge, and can trigger auto-revocation. - Protects your pipelines from misconfiguration
CI/CD pipelines are often overlooked entry points. Xygeni audits YAML files, flags unpinned third-party actions, and checks that tokens follow least privilege. - Filters out noise with smart vulnerability prioritization
Using reachability analysis and EPSS scoring, Xygeni shows only what’s exploitable, helping teams focus on real risks instead of chasing false alarms. - Checks your infrastructure-as-code and GitOps changes
IaC misconfigs can slip through silently. Xygeni scans Terraform, Kubernetes, and other files to catch risks before they hit production. - Connects risk across your SDLC
Instead of isolated alerts, Xygeni maps findings across code, pipelines, and third-party components, so you get full context and traceability. - Fits naturally into your workflow
You don’t have to change how you work. Xygeni integrates with pull requests, pipelines, and merge checks, right inside your Bitbucket environment.
By automating scans, enforcing policies, and highlighting what really matters, Xygeni enables your team to apply bitbucket security effectively without slowing down.
👉 Want to see it in action? Start your free trial and protect your codebase from commit to cloud.
