Enabling Bitbucket pull request comments

  • You must have a Bitbucket Cloud Free, Standard, or Premium plan. Bitbucket Data Center is not supported.
  • Bitbucket PR comments can only be enabled through Semgrep Cloud Platform (SCP). Create an account to set up Slack notifications.
  • To receive alerts and notifications, you must add or onboard a project (repository) to Semgrep Cloud Platform for scanning.

There are two ways in which you can integrate Semgrep comments into Bitbucket Cloud depending on the Bitbucket plan you use:

  • Workspace access token: If you use the Bitbucket Cloud Premium plan, you can create a workspace access token. This option saves time because you can create one access token for all repositories in the workspace. With one workspace access token, you can bulk-onboard more repositories at once from a whole workspace. See Creating a workspace access token. However, you can also use the option of a repository access token to onboard repositories one by one.
  • Repository access token: If you do not have the Bitbucket Cloud Premium plan, create a separate repository access token for each repository where you want to use Semgrep. This configuration option is also useful if you have the Bitbucket Cloud Premium plan, but prefer to onboard repositories one by one instead of bulk onboarding. See Creating a repository access token.

Creating and adding a workspace access token

  • Bitbucket Cloud Premium plan. If you do not have a Bitbucket Cloud Premium plan, create a repository access token.

Workspace access tokens are only available on the Bitbucket Cloud Premium plan. Follow these general steps to create one and make it available to your pipelines:

  1. Create a workspace access token in Bitbucket with Read and Write permissions for pull requests. Follow the instructions in Create a workspace access token in the Bitbucket documentation.
  2. Add the workspace access token as a workspace variable with the Secured option, so that its value is masked in pipeline logs and cannot be read back from the Bitbucket UI.

To complete the configuration, follow the Enabling PR comments in Bitbucket Cloud section.

Enabling PR comments in Bitbucket Cloud


To enable PR comments, define the BITBUCKET_TOKEN environment variable in your CI configuration file. Its syntax and placement depend on your CI provider. In Bitbucket Pipelines, for example, you define it in the bitbucket-pipelines.yml file; the following snippet is a sample with BITBUCKET_TOKEN defined there:

image: atlassian/default-image:latest

# ... (pipeline definition elided)
- step:
    name: 'Run Semgrep diff scan with PR branch'
    image: returntocorp/semgrep
    script:
      # BITBUCKET_TOKEN takes its value from the secured workspace or repository
      # variable created earlier. SECURED_BITBUCKET_TOKEN is a placeholder for
      # whatever name you gave that variable; never put the token literal here.
      - export BITBUCKET_TOKEN=$SECURED_BITBUCKET_TOKEN
      - semgrep ci
# ...

After defining the BITBUCKET_TOKEN, you have successfully set up PR comments in Bitbucket Cloud.
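As an added example (not part of the Semgrep docs, the Semgrep CLI, or Bitbucket's tooling), the following Python script audits a bitbucket-pipelines.yml for the mistake the steps above steer you away from: assigning BITBUCKET_TOKEN a literal value committed to the repository instead of a reference to a secured workspace or repository variable. The two pipeline fragments and the variable name SECURED_BITBUCKET_TOKEN are constructed placeholders; `semgrep ci` is the Semgrep CLI command a scan step runs.

```python
import re

# Constructed sample bitbucket-pipelines.yml fragments (not from the Semgrep docs).
# The secure form reads BITBUCKET_TOKEN from a secured workspace/repository variable;
# SECURED_BITBUCKET_TOKEN is a placeholder variable name.
SECURE_PIPELINE = """\
image: atlassian/default-image:latest
pipelines:
  pull-requests:
    '**':
      - step:
          name: 'Run Semgrep diff scan with PR branch'
          image: returntocorp/semgrep
          script:
            - export BITBUCKET_TOKEN=$SECURED_BITBUCKET_TOKEN
            - semgrep ci
"""

# The insecure form commits a token literal to the repository (value is made up).
INSECURE_PIPELINE = """\
image: atlassian/default-image:latest
pipelines:
  pull-requests:
    '**':
      - step:
          name: 'Run Semgrep diff scan with PR branch'
          image: returntocorp/semgrep
          script:
            - export BITBUCKET_TOKEN="hardcoded-token-example-0123456789"
            - semgrep ci
"""

# Matches `BITBUCKET_TOKEN=value` (shell export) and `BITBUCKET_TOKEN: value` (YAML
# mapping), with or without a matching pair of quotes around the value.
TOKEN_ASSIGNMENT = re.compile(
    r"""BITBUCKET_TOKEN\s*[:=]\s*(?P<q>["']?)(?P<value>[^"'\s]+)(?P=q)"""
)


def find_token_assignments(pipeline_text):
    """Return (line_number, value) for every BITBUCKET_TOKEN assignment in the file."""
    found = []
    for line_no, line in enumerate(pipeline_text.splitlines(), start=1):
        match = TOKEN_ASSIGNMENT.search(line)
        if match:
            found.append((line_no, match.group("value")))
    return found


def is_variable_reference(value):
    """True when the value defers to a CI variable ($NAME or ${NAME}) rather than a literal."""
    return re.fullmatch(r"\$\{?[A-Za-z_][A-Za-z0-9_]*\}?", value) is not None


def mask(value, keep=4):
    """Keep only a short prefix so the audit output never reproduces a full secret."""
    if len(value) <= keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - keep)


def audit_pipeline(pipeline_text):
    """Return findings (line_number, masked_value) for every hard-coded BITBUCKET_TOKEN."""
    return [
        (line_no, mask(value))
        for line_no, value in find_token_assignments(pipeline_text)
        if not is_variable_reference(value)
    ]


if __name__ == "__main__":
    for label, text in (("secure", SECURE_PIPELINE), ("insecure", INSECURE_PIPELINE)):
        findings = audit_pipeline(text)
        print(f"{label}: {'OK' if not findings else 'FAIL'}")
        for line_no, masked in findings:
            print(f"  line {line_no}: BITBUCKET_TOKEN set to literal {masked}")
```

Run it over the repository's bitbucket-pipelines.yml as a pre-commit hook or an early CI step. Findings carry only a masked prefix of the offending value, so the audit itself cannot copy the token into a build log, and any token it flags has already been committed and should be treated as exposed and rotated in Bitbucket.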


Only rules set to the Comment and Block rule modes in the Policies page create PR comments.
