Skip to main content

Enable Bitbucket pull request comments

Your deployment journey

Semgrep can create pull request (PR) comments in your Bitbucket repository. These comments provide a description of the issue detected by Semgrep and may offer possible solutions. These comments are a means for security teams, or any team responsible for creating standards to help their fellow developers write safe and standards-compliant code.

Automated comments on Bitbucket pull requests are displayed as follows:

Semgrep Bitbucket PR comment Figure An inline Bitbucket pull request comment.

Conditions for PR comment creation

PR comments appear for the following types of scans under these conditions:

Type of scanProduct nameTrigger conditionHow to set up
Static application security testing (SAST)Semgrep CodeA comment appears when a finding is generated by a rule in Comment or Block mode. This means you can fully customize what comments your developers receive.Complete the steps in the following sections:
  1. Confirm your Semgrep account's connection and access to your source code manager.
  2. Configure comments for Semgrep Code.
Software composition analysis (SCA)Semgrep Supply Chain (SSC)A comment appears only when the finding is reachable.Complete the steps in Confirm account connection and access.
SecretsSemgrep SecretsA comment appears on validated secrets.This product is in beta.
Contact to enable comments.

Comments from Supply Chain scans include the following information:

A description of the vulnerability, including the types of attack it is vulnerable to.
Indicates what versions to upgrade to, if any, that resolves or eliminates the vulnerability.
A link to additional information about the vulnerability from GitHub Advisory Database and the National Vulnerability Database (NVD), if available.

Pull or merge requests with vulnerabilities detected by SSC are not blocked from merging.

Supported Bitbucket plans

  • Any of the following Bitbucket plans are supported:
    • Cloud Free
    • Standard
    • Premium
  • Bitbucket Data Center is not supported.

There are two ways in which you can integrate Semgrep comments into Bitbucket Cloud depending on the Bitbucket plan you use:

  • Workspace access token: If you use the Bitbucket Cloud Premium plan, you can create a workspace access token. This option saves time because you can create one access token for all repositories in the workspace. With one workspace access token, you can bulk-onboard more repositories at once from a whole workspace. However, you can also use the option of a repository access token to onboard repositories one by one.
  • Repository access token: If you do not have the Bitbucket Cloud Premium plan, create a separate repository access token for each repository where you want to use Semgrep. This configuration option is also useful if you have the Bitbucket Cloud Premium plan, but prefer to onboard repositories one by one instead of bulk onboarding.

Create and add a workspace access token

  • Bitbucket Cloud Premium plan. If you do not have a Bitbucket Cloud Premium plan, create a repository access token.

Create a workspace access token in Bitbucket (only available if you have a Bitbucket Cloud Premium plan). Fulfill these general steps to create a workspace access token:

  1. Create a workspace access token in Bitbucket with Read and Write permissions for pull requests. Follow the instructions in Create a workspace Access Token in Bitbucket documentation.
  2. Add the workspace access token as a workspace variable with the Secured option.

Continue setting up Bitbucket PR comments by finishing the rest of this guide.

Enable PR comments in Bitbucket


  • In addition to finishing the previous steps in your deployment journey, it is recommended to have completed a full scan on your default branch for the repository in which you want to receive comments.
  • You must have a Bitbucket Cloud workspace access token or a repository access token.

Confirm your Semgrep account's connection

Confirm that you have the correct connection and access:

  1. In your Semgrep AppSec Platform account, click Settings > Source code managers.
  2. Check that an entry for your GitHub org exists and is correct.

Define the BITBUCKET_TOKEN environment variable

To enable PR comments, define the BITBUCKET_TOKEN environment variable in your CI configuration file. Its syntax and placement in your CI configuration file depends on your CI provider. For example, in Bitbucket Pipelines, its syntax is the following:


The following snippet is a sample with BITBUCKET_TOKEN defined in a bitbucket-pipelines.yml file:

image: atlassian/default-image:latest

# ...
- step:
name: 'Run Semgrep diff scan with PR branch'
image: semgrep/semgrep
# ...

Configure comments for Semgrep Code

In addition to setting up the connection between Semgrep and Bitbucket, you must assign rules to Comment or Block mode. This customization enables you to:

  • Manage the amount of PR comments your developers receive.

  • Ensure that only rules that meet your criteria, such as high severity or high confidence rules, produce comments visible to developers, reducing noise.

Rules in Block mode fail the CI job that runs on the PR. Depending on your workflow, this may prevent your PR from merging.

Set rules to Comment or Block mode

The following instructions let you customize what findings or security issues your developers see as comments in their PRs:

  1. In your Semgrep AppSec Platform account, click Rules > Policies. You are taken to the Policies page. Under Modes , you can quickly see if you have existing rules in either Comment or Block mode.
  2. Optional: Use the filters to quickly find rules to set to Comment or Block.
  3. Click the checkbox of the rules you want to set. You can use Ctrl + Click to select rules in bulk.
  4. Click Change modes.
  5. Click either Block or Comment.

You have successfully configured PR comments for Semgrep Code.

Receive comments in your VPN or on-premise SCM

Bitbucket Premium provides access control features for content that your individual account owns. If you use this feature, you need to add several IP addresses into your allowlist.

To enable comments within self-hosted SCMs behind firewalls or VPNs (Virtual Private Networks):

  1. Add the following IP addresses to your VPN's ingress allowlist and egress allowlist, if you have one.
    # These IP addresses are inbound and outbound:
  2. Test that you are able to receive findings by manually triggering a scan through your CI provider.

Receiving PR or MR comments may require additional steps depending on the custom configuration of your VPN or SCM (for example, if you use a static IP without a hostname). Reach out to Semgrep support through the Semgrep Community Slack or send an email to for any concerns.


Only rules set to the Comment and Block rule modes in the Policies page create PR comments.

Next steps

You've finished setting up a core deployment of Semgrep 🎉.

Additional references

Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.