Forums
Home Product Q&A Discussion groups Articles Ask a question Search
Learning
Events
Champions

Forums

Articles
Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Audit security commit from unknown user

travistst
travistst September 19, 2022

This is related to:

https://community.atlassian.com/t5/Bitbucket-questions/Is-there-a-way-to-disable-commits-from-unknown-users-on-a/qaq-p/624451

 

When a user has a improperly configured email on their PC, they can push commits that show up as "unknown" or "this user cannot be mapped to an Atlassian account".

Knowing who just pushed a commit is dependent on the person pushing the commit telling you they are the ones who pushed the commit. They must either tell you in person or properly configure their email before pushing the commit. Otherwise they can configure random information and push a commit that shows up as a unknown user.

My main issue is this can also be used by malicious people to push commits from "unknown" users and we can't tell who's machine or key was compromised.

We have a lot of commits from unknown users. While we think we've been able to verify most of them, we aren't certain they are all authorized commits.

In 2017 (see article) it was said there was no way to disallow this from happening. Are there any better options today? Are their any Atlassian workflows that can be adopted to prevent commits from unknown users.

 

 

 

 

 

 

Answer
Watch
Like Be the first to like this
568 views

1 answer

0 votes
Caroline R
Caroline R
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
September 22, 2022

Hi, @travistst, thank you for reaching out to Atlassian Community.

You are correct, credentials and commit authors are two separate concepts and are unrelated to each other. So, when a push is made to Bitbucket, we receive the user credentials and check if the provided credentials are able to push to the repository the user is trying to. If the HTTPS or SSH credentials are correct, the push is performed, otherwise, it will fail. This is what we use to check for security and confirm the user who is pushing to Bitbucket is who they say they are.

The commit author, which is a different configuration from their credentials, is not checked on push time, and this is expected. What you see on the commits page is this configuration coming from Git, and not the credentials used to authenticate against Bitbucket. 

So what we recommend in this case is to ask the users who work on this workspace to run the following commands on their accounts and confirm if their emails are configured correctly: 

git config --global --list

git config --local --list

git config --system --list

Just to clarify, in order to set the username and email on Git, they can run these commands:

Set your username:
git config --global user.name "FIRST_NAME LAST_NAME"

Set your email:
git config --global user.email "MY_NAME@example.com"

We still have that feature request to prevent unknown committers from pushing to a repository, so I would suggest that you add your vote there (by selecting the Vote for this issue link) as the number of votes helps the development team and product managers better understand the demand for new features:

You are more than welcome to leave any feedback, and you can also add yourself as a watcher (by selecting the Start watching this issue link) if you'd like to get notified via email on updates.

Implementation of new features is done as per our policy here and any updates will be posted in the feature request. 

Kind regards,
Caroline

Reply

Suggest an answer

Log in or Sign up to answer
Bitbucket
Bitbucket
DEPLOYMENT TYPE
CLOUD
PERMISSIONS LEVEL
Product Admin
TAGS
AUG Leaders

Atlassian Community Events

    See all events
    Community
    Forums
    FAQs Forums guidelines
    Learning
    About learning Resources
    Events
    Champions
    Copyright © 2025 Atlassian
    Privacy Policy Terms Security
    Welcome illustration

    Welcome to the new Atlassian Community

    Online forums and learning are now in one easy-to-use experience.

    By continuing, you accept the updated Community Terms of Use and acknowledge the Privacy Policy. Your public name, photo, and achievements may be publicly visible and available in search engines.