
We have Bitbucket Cloud, not Bitbucket Server. Is there a way to modify the "pre-receive" functions on Bitbucket? The goal is to audit pushes to make sure there are no obvious vulnerabilities before the code is available on Bitbucket. Git hooks might work, but there's not really a way to get them into version control in the same repo - the only way I can think of doing that would be to ssh into a Bitbucket server and modify the remote repo, but I don't think you can do that?

My only guess is there might be a way to keep the pre-receive hooks in source control by putting the hook somewhere like this in the repo:

.bitbucket/pre-receive

But it's hard to find any info on this online.

Alexander Mills

  • this seems relevant: https://bitbucket.org/site/master/issues/10471/git-server-side-pre-receive-hook-bb-11418 – Alexander Mills May 13 '19 at 04:35
  • this is how to do it on Github but not Bitbucket (still not obvious how to actually do it on Github tho): https://help.github.com/en/enterprise/2.16/admin/developer-workflow/creating-a-pre-receive-hook-script – Alexander Mills May 13 '19 at 04:35
  • 1
    The GitHub documentation is talking about GitHub Enterprise Server, a product you would install on your own infrastructure. GitHub as in github.com _does not_ support creating pre-receive hooks at all. This is pretty much the norm - no self hosted provider will let you write your own arbitrary code and run it on the same infrastructure that holds your git repo, there's too much danger of you breaking out into other data on the same physical storage. Until someone figures out a foolproof way to do this, you'll need to find another way. – daveruinseverything May 24 '19 at 10:58
  • Ah yes, from a security point of view I can see why they have it that way - writing arbitrary server-side code is just not gonna be allowed. I have confidence what you're saying is a good answer, so please make an answer out of your comment? – Alexander Mills May 29 '19 at 06:37
  • That being said, if there were some pre-receive plugins that could be used that were certified or christened by Bitbucket, that'd be nice. Mostly people need to scan their own code for vulnerabilities before it makes it to the wrong place on Bitbucket servers. I don't necessarily need custom code, just some plugins. – Alexander Mills May 29 '19 at 06:39

1 Answer


Unfortunately, this isn't possible.

The GitHub documentation is talking about GitHub Enterprise Server, a product you would install on your own infrastructure. GitHub as in github.com does not support creating pre-receive hooks at all. This is pretty much the norm amongst the popular cloud git hosting providers - no cloud provider will let you write your own arbitrary code and run it on the same infrastructure that holds your git repo, there's too much danger of you breaking out into other data on the same physical storage.

Until someone develops a safe/sandboxed implementation of server-side hooks, you'll need to find another way.

Full disclosure: I work for Atlassian (though I don't work on Bitbucket Cloud)

daveruinseverything
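The question says that Git hooks "might work" but cannot be kept in version control in the same repo, and the answer says another way has to be found. One such way, shown here as an added example that is neither the asker's nor Atlassian's code, is a client-side `pre-push` hook committed under `.githooks/` and enabled in each clone with `git config core.hooksPath .githooks`. It scans only the lines a push would add for a small, constructed list of "obvious" secret patterns and refuses the push on a hit. The check is advisory rather than enforced: nothing stops a developer from pushing with `--no-verify`, so it catches accidents on the workstation but does not replace a server-side control.

```shell
#!/bin/sh
# .githooks/pre-push -- client-side pre-push hook, versioned in the repo.
# Enable once per clone (constructed example, not a Bitbucket feature):
#   git config core.hooksPath .githooks
#   chmod +x .githooks/pre-push
# Caveat: client-side hooks are advisory; `git push --no-verify` skips them.

# Constructed list of patterns that should never reach the remote
# (PEM private key header, AWS-style access key id, quoted password literal).
# Extend to fit your own policy.
SECRET_REGEX='-----BEGIN [A-Z ]*PRIVATE KEY-----|AKIA[0-9A-Z]{16}|password[[:space:]]*=[[:space:]]*"[^"]{4,}"'

# count_secret_hits: read text on stdin, print the number of lines that match
# SECRET_REGEX (0 when nothing matches). -e is used because the regex starts
# with '-' and would otherwise be parsed as a grep option.
count_secret_hits() {
    grep -E -c -e "$SECRET_REGEX" || true
}

# added_lines: print only the '+' lines of a diff, without the '+++' file
# headers and with the leading '+' stripped, so the scan sees real content.
added_lines() {
    grep '^+' | grep -v '^+++' | sed 's/^+//'
}

# Hook body. Git invokes this script as "pre-push" and feeds one line per ref
# on stdin: <local ref> <local sha> <remote ref> <remote sha>. The guard keeps
# the body from running when the file is sourced for testing.
if [ "$(basename "$0")" = "pre-push" ]; then
    zero=0000000000000000000000000000000000000000
    while read -r local_ref local_sha remote_ref remote_sha; do
        # Deleting a remote branch pushes no content; nothing to scan.
        [ "$local_sha" = "$zero" ] && continue
        if [ "$remote_sha" = "$zero" ]; then
            # New remote branch: examine every commit not yet on any remote.
            range="$local_sha --not --remotes"
        else
            range="$remote_sha..$local_sha"
        fi
        # shellcheck disable=SC2086  # $range is meant to word-split
        hits=$(git log -p --unified=0 --format= $range | added_lines | count_secret_hits)
        if [ "$hits" -gt 0 ]; then
            echo "pre-push: refusing to push $local_ref: $hits added line(s) look like secrets" >&2
            echo "pre-push: review the diff ($range) before retrying" >&2
            exit 1
        fi
    done
fi
```

Because `.githooks/` is an ordinary directory in the repository, changes to the policy are reviewed like any other code; the one manual step is the `core.hooksPath` setting, which Git deliberately does not read from the repository itself.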