Atlassian Bitbucket
AtlassianCI/CD5 credentials
Database Password
atlassian-bitbucket / database-password
Bitbucket Data Center stores external database connection details in bitbucket.properties under the Bitbucket home directory. Atlassian documents that the database username and password are stored there after database migration.
Looks like
pattern^jdbc\.(user|username|password)\s*=\s*[^\r\n]*$Location
$BITBUCKET_HOME/shared/bitbucket.propertiesshared home properties file for Bitbucket Data Center
Bitbucket home backups, migration exports, database-migration dump bundles
Notes
Database access can expose repositories metadata, pull request data, user directory state, plugin configuration, and stored integration state. The Bitbucket home directory and its backups should be treated as credential-bearing artifacts.
Local User / Administrator Password
atlassian-bitbucket / local-user-admin-password
Bitbucket local users, including administrators created by setup or by operators, authenticate with passwords stored in the configured user directory. For the internal directory, password material is database state rather than a plaintext file in Bitbucket home.
Looks like
patterncwd_user.*credential[^\s:@]+:[^\s:]+Location
internal user directory tables, including cwd_user credential data
/loginBitbucket web login for local users and administrators
Git over HTTPS and Bitbucket REST API Basic authentication
legacy scripts, Git remote URLs, and integration configs
Notes
There is no universal shipped Bitbucket administrator password. The setup flow or an operator creates administrator credentials, and later users may come from local, LDAP, Crowd, SSO, or other configured directories.
Data Center HTTP Access Token
atlassian-bitbucket / data-center-http-access-token
Bitbucket Data Center HTTP access tokens can be created for users, projects, and repositories. Atlassian documents them as replacements for passwords in Git over HTTPS and REST API authentication.
Looks like
patternAuthorization:\s*Bearer\s+[^\s]+Location
BITBUCKET_TOKEN, BITBUCKET_ACCESS_TOKENGit remotes, automation scripts, CI configuration, deployment tooling
Git and REST client debug logs when Authorization headers are printed
CI/CD secret stores and deployment variables
Notes
User tokens, project tokens, and repository tokens have different scopes and permissions. Project and repository tokens must be used with Bearer authentication rather than as a username/password pair.
Bitbucket Cloud API Token / App Password
atlassian-bitbucket / cloud-api-token-app-password
Bitbucket Cloud API tokens and legacy app passwords are user-scoped tokens for scripts, CI/CD tools, and Git or API access. Atlassian documents API tokens as the long-term replacement for app passwords.
Looks like
pattern[^\s:@]+:[^\s:]+Authorization:\s*Basic\s+[A-Za-z0-9+/=]+Location
Git remote URLs, build scripts, Terraform providers, deployment automation
BITBUCKET_USERNAME, BITBUCKET_APP_PASSWORD, BITBUCKET_API_TOKEN~/.git-credentialsGit credential helper storage for HTTPS remotes
pipeline variables and cloud secret managers used by integrations
Notes
These credentials are tied to an individual Bitbucket Cloud account and inherit the scopes selected at creation. Treat a leaked token according to both its scopes and the repositories or workspaces reachable by the account.
SSH Private Key
atlassian-bitbucket / ssh-private-key
Bitbucket Data Center and Bitbucket Cloud support SSH keys for Git access. Users add public keys to Bitbucket; the private key remains on the client, build agent, deployment server, or CI secret store.
Looks like
pattern-----BEGIN (OPENSSH|RSA|EC|DSA) PRIVATE KEY-----Location
~/.ssh/id_*, ~/.ssh/*_bitbucket*developer machines, build agents, and deployment hosts
CI/CD variables and deployment-platform SSH key stores
accidentally committed deployment keys or local test keys
Notes
The private key's blast radius is defined by the Bitbucket account, repository access key, or deployment workflow that trusts the public key. Read/write keys can push code and are supply-chain sensitive.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.