Bitbucket Security Best Practices Cheat Sheet

Key Takeaways
  • Identity & Access Management: Enforce SSO and 2FA via your IdP, prioritize SSH keys over passwords, and use SCIM as your "cleanup crew" to automate the user lifecycle.
  • Repository & Project Hardening: Protect your "crown jewels" by mandating branch protection rules, requiring pull request reviews, and applying permissions at the most granular level.
  • CI/CD & Pipeline Hardening: Treat your pipeline as a "privileged assembly line" by isolating runners, masking secured variables, and scanning open-source dependencies.

This cheat sheet is designed for:

  • Platform Engineers / Bitbucket Administrators: Harden configurations for Cloud or Data Center deployments, manage user lifecycles, and standardize secure defaults across the workspace.

  • DevSecOps & DevOps Professionals: Secure the CI/CD assembly line by locking down runner access, securing pipeline secrets, and embedding SCA and container scanning.

  • Security Engineers: Apply proven hardening and monitoring strategies to prevent token abuse, secrets leakage, and supply chain compromise using native Bitbucket controls.

  • Security Leaders & IT Managers: Move from basic hygiene to a robust, defensible security posture with a practical roadmap to reduce organizational risk.

  • Compliance & Audit Teams: Improve visibility through advanced auditing and use Atlassian Guard to enforce org-wide settings and regulatory traceability.

What’s included?

  • Centralized Identity & Access (IAM): Strategies for enforcing MFA, utilizing SCIM for auto-deprovisioning, and setting context-aware conditional access policies.

  • Repository & Project Lockdown: How to mandate branch protection, require successful builds before merging, and use the Bitbucket hierarchy for granular control.

  • CI/CD Pipeline Hardening: Best practices for isolating runner network access and securing secrets using masked variables or external vaults like HashiCorp Vault.

  • Secrets & Sensitive Data Protection: Guidance on deploying automated secrets scanning across full Git history and using pre-receive hooks to block leaks.

  • Self-Hosted (Data Center) Hardening: Specific controls for patching, vetting third-party plugins, and ensuring backups are "more than just a theory" through test restores.
