Reject non-trusted build status


      In Bitbucket Server/DC 7.4 a new build status API was added and it includes the concept of "Trusted Build Status". This is used to ensure Bitbucket does not show Logs and Artifacts links for any build status that is not known to come from a trusted source. This is done so fraudulent build status reports can't contain malicious URLs which are then presented in the web UI.

      Currently Bitbucket ships with integrations for Bamboo and Jenkins with support for trusted build status, although it is a plugin point so anyone can write a P2 plugin that enables this richer build integration.

      This feature request suggests allowing administrators to configure Bitbucket to reject non-trusted build status. That would include:

      • Any build status posted to the "new" API that cannot be verified; and
      • All build status posted to the legacy build status API (because they can never have a trust relationship established back to the submitting server)

      Shipping in 8.15

      The above described feature will ship in Bitbucket 8.15. It will be possible to configure Bitbucket to reject untrusted build status by adding the following to your bitbucket.properties file, and restarting:
      build.status.reject-untrusted=true

      At the time of writing, Bitbucket only contains support for trusted build status verification for Bamboo, and for Jenkins where the Atlassian-maintained Jenkins plugin is used. A plugin extension point does exist, however, and it is possible to build support for other sources of build status.
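
      An added example, not Atlassian's code: a small audit that checks whether a bitbucket.properties file really ends up with the setting above in effect, since a commented-out line, a later override or a line continuation can silently leave it off. It assumes the file follows standard Java properties syntax; the sample file bodies and the plugin.example.note key are constructed for illustration.

```python
import re

KEY = "build.status.reject-untrusted"  # property name taken from the page

def effective_value(text, key=KEY):
    """Last value assigned to key under Java .properties rules, else None."""
    value, pending = None, ""
    for raw in text.splitlines():
        line = pending + raw.lstrip()
        pending = ""
        if not line or line[0] in "#!":   # blank line or comment
            continue
        # An odd number of trailing backslashes joins the next line to this one.
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:
            pending = line[:-1]
            continue
        m = re.match(r"((?:\\.|[^\s=:\\])+)\s*[=:]?\s*(.*)$", line)
        if m and m.group(1) == key:
            value = m.group(2)            # a later definition overrides an earlier one
    return value

def audit(text):
    """Return 'enforced', 'not-set', or 'review' for a properties file body."""
    value = effective_value(text)
    if value is None:
        return "not-set"
    # Assumption: only the exact literal shown on the page counts as enforced;
    # anything else (false, TRUE, trailing spaces) is flagged for a human.
    return "enforced" if value == "true" else "review"

# Constructed sample file bodies; plugin.example.note is a made-up key.
SAMPLES = {
    "ok":         "# harden build status\nbuild.status.reject-untrusted = true\n",
    "commented":  "#build.status.reject-untrusted=true\n",
    "overridden": "build.status.reject-untrusted=true\n"
                  "build.status.reject-untrusted=false\n",
    "swallowed":  "plugin.example.note=see below \\\n"
                  "build.status.reject-untrusted=true\n",
    "trailing":   "build.status.reject-untrusted=true  \n",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:12} {audit(body)}")
```

      Run it against the file on every node after the restart; anything other than "enforced" means the property should be checked by hand.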

            Assignee: Unassigned
            Reporter: Ben Humphreys
            Votes: 2
            Watchers: 6