Bitbucket Commit Compliance Checker
When commits are pushed to Bitbucket, the flow checks each commit message against policy (linked ticket key, conventional-commit format, no secrets/keywords) and flags violations by commenting on the commit/PR and posting to Teams. Repeated violations notify the lead. Enforces commit hygiene and traceability automatically.
Provided as-is, without warranty of any kind. Review and test each pattern in a non-production environment before deploying it to live automations. See our Terms.
Overview
This flow enforces commit hygiene and traceability on a Bitbucket repository. It is triggered the moment code is pushed: the Bitbucket push webhook delivers every commit in the push, and the flow evaluates each commit message against three policies — (1) it references a required ticket key, (2) it follows the Conventional Commits format, and (3) it contains no secret/credential keywords. Any violating commit is commented on directly in Bitbucket and posted to a Teams channel. If the number of violating commits in a single push reaches a configurable threshold, the dev lead is emailed a consolidated summary.
Why it matters: Consistent, traceable commit messages make history searchable and audits painless. Automating the check enforces the standard continuously without nagging during code review.
> Demo state: Ships Off. Going live requires only (a) authorizing the Bitbucket, Teams, and Outlook connections, (b) setting the environment-variable values, and (c) ensuring the Bitbucket repo webhook is registered (the connector registers it automatically when the flow is turned on).
Use Case
A development team wants every commit message to reference a work item and follow a house style, with automatic, low-friction enforcement and a secret-leak safety net — without adding a manual gate to code review.
Flow Architecture
When Code Is Pushed To Bitbucket
Bitbucket CreateHookRepositoryPush (OpenApiConnectionWebhook). Fires on every push; the body carries push.changes[].commits[].
Initialize variables
Initialize Variable. Binds each environment variable to a working variable (workspace, repo slug, API base, ticket prefix, conventional prefixes, forbidden keywords, threshold, Teams group/channel, lead email), plus a violation counter (0) and an HTML violation-summary accumulator.
For each change / For each commit
Foreach (sequential, nested). Iterates each branch change in the push, then each commit. For each commit: filters forbidden-keyword matches, evaluates ticket-key presence, Conventional-Commit prefix and secret count, and composes an is-violation boolean.
Flag violating commit
Condition (If). If a violation: composes the failed-check reasons, increments the push-level counter, appends the commit to the HTML summary, posts a comment on the offending commit via Bitbucket REST (HTTP POST), and posts the violation to the Teams channel (runs even if the comment call fails).
Escalate repeated violations
Condition (If) + Outlook SendEmailV2. If the violation count reaches the threshold, emails the dev lead the consolidated summary (High importance).
Environment Variables
| Schema name | Type | Default | Description |
|---|---|---|---|
| flowlibs_BitbucketWorkspace | String | your-workspace | Bitbucket workspace slug — trigger account and REST URL. |
| flowlibs_BitbucketRepoSlug | String | REPLACE_WITH_REPO_SLUG | Repository slug — trigger slug and REST URL. |
| flowlibs_BitbucketApiBaseUrl | String | https://api.bitbucket.org/2.0 | Bitbucket Cloud REST base URL for the comment call. |
| flowlibs_BitbucketAccessToken | String | REPLACE_WITH_BITBUCKET_ACCESS_TOKEN | Repository/workspace access token (Bearer) for the comment REST call. Shipped as a plain String variable; for production, store it as a secret environment variable (Azure Key Vault-backed) and scope the token to the minimum needed (commit comment, and build status if you add the PR gate). |
| flowlibs_CommitTicketKeyPrefix | String | PROJ- | Required ticket/issue key prefix a compliant message must contain. |
| flowlibs_ConventionalCommitPrefixes | String | feat,fix,docs,style,refactor,perf,test,build,ci,chore,revert | Allowed Conventional-Commit type prefixes. |
| flowlibs_CommitForbiddenKeywords | String | password,secret,api_key,apikey,private_key,access_key,-----BEGIN | Secret/credential keywords that must not appear. |
| flowlibs_CommitViolationThreshold | String | 2 | Number of violating commits in a single push that triggers the lead email (compared numerically at runtime). |
Connectors & Connections
| Connector | API name | Actions used |
|---|---|---|
| Bitbucket | shared_bitbucket | CreateHookRepositoryPush |
| Microsoft Teams | shared_teams | PostMessageToConversation |
| Office 365 Outlook | shared_office365 | SendEmailV2 |
Note — All connections are referenced as solution connection references; the flow is portable between environments as long as a connection is mapped at import time.
Customization Guide
Almost every realistic variant of this flow can be implemented by changing environment variable values. A few cases require small edits inside the flow definition — those are called out explicitly below.
- Ticket regex vs. prefix
- Power Automate has no native regex, so ticket detection checks for the configured prefix (flowlibs_CommitTicketKeyPrefix). For a stricter match (e.g. [A-Z]+-[0-9]+), add an Azure Function/Office Script call or validate downstream.
- PR gate
- Extend the violation branch to set a failing Bitbucket commit build status so the PR can be blocked on merge.
- Auto-link
- Parse the ticket key and create/comment on the matching Jira issue.
- Grace period
- Add a warn-only mode (skip the comment, post to Teams only) for a rollout window.
- Per-author escalation
- Swap the in-run counter for a Dataverse ledger to escalate on repeated offenders across pushes.
- Secret detection is best-effort
- Keyword match only; pair it with a real secret-scanning tool for production.
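Two of the customizations above (the stricter ticket regex and the PR gate via a commit build status) are easy to get wrong at the edges, so here is an added example showing both; it is not flowlibs code and nothing in it is sent over the network. It contrasts the flow's prefix check with a regex match, and builds the request that a downstream function would send to Bitbucket Cloud's commit build-status and commit-comment endpoints. The status key name, the details URL and the sample messages are assumptions made here.

```python
import re

TICKET_PREFIX = "PROJ-"
# Stricter than a prefix: an uppercase project key, a dash, then digits, as a whole word.
TICKET_RE = re.compile(r"\b[A-Z][A-Z0-9]+-[0-9]+\b")


def prefix_check(message: str) -> bool:
    """What the flow does today: substring containment of the configured prefix."""
    return TICKET_PREFIX in message


def ticket_keys(message: str) -> list:
    """Regex variant for an Azure Function / Office Script: returns every real key found."""
    return TICKET_RE.findall(message)


def build_status_request(api_base: str, workspace: str, repo_slug: str,
                         commit_hash: str, reasons: list, details_url: str):
    """Request for POST /2.0/repositories/{workspace}/{repo_slug}/commit/{commit}/statuses/build.
    A FAILED status lets branch restrictions block the PR on merge."""
    url = f"{api_base}/repositories/{workspace}/{repo_slug}/commit/{commit_hash}/statuses/build"
    body = {
        "key": "commit-compliance",          # assumed status key; must be stable across runs
        "state": "FAILED" if reasons else "SUCCESSFUL",
        "name": "Commit compliance",
        "description": "; ".join(reasons) if reasons else "all checks passed",
        "url": details_url,
    }
    return url, body


def commit_comment_request(api_base: str, workspace: str, repo_slug: str,
                           commit_hash: str, reasons: list, token: str):
    """Request for POST /2.0/repositories/{workspace}/{repo_slug}/commit/{commit}/comments
    (the flow's existing HTTP POST), with the Bearer header kept out of the logged body."""
    url = f"{api_base}/repositories/{workspace}/{repo_slug}/commit/{commit_hash}/comments"
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    body = {"content": {"raw": "Commit compliance: " + "; ".join(reasons)}}
    return url, headers, body


if __name__ == "__main__":
    # Constructed messages showing where prefix and regex disagree.
    for msg in ["fix: PROJ-42 null check", "fix: PROJ-abc typo", "fix: see PROJ-42 and PROJ-7"]:
        print(f"{msg!r}: prefix={prefix_check(msg)} keys={ticket_keys(msg)}")
    url, body = build_status_request("https://api.bitbucket.org/2.0", "your-workspace",
                                     "REPLACE_WITH_REPO_SLUG", "b2c3d4e5f6a7",
                                     ["missing ticket key PROJ-"], "https://example.invalid/run/1")
    print(url, body["state"])
```

The middle sample message passes the prefix check but yields no key under the regex, which is exactly the gap the page's "Ticket regex vs. prefix" note describes; the build-status body uses a fixed key so a later SUCCESSFUL status for the same commit overwrites the FAILED one rather than adding a second status.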
Key Expressions
The flow is intentionally light on Power Fx / WDL gymnastics. The heaviest expressions are the Conventional-Commit type-token parse and the composition of the is-violation boolean from the three checks. They are listed below in the order they appear in the flow.
EXPR.01 Has ticket key
Compliant messages must contain the configured ticket prefix.
EXPR.02 Is Conventional Commit
Parses the type token before the first ':' or '(' and checks it against the allowed prefixes.
EXPR.03 Is violation
True if any of the three checks fail.
EXPR.04 Short hash
Seven-character short hash for display.
EXPR.05 Should escalate
Escalates when the violation count reaches the threshold.
Customize & download
Generate a ready-to-import copy of this solution with your environment-variable values baked in — available on Base, Pro, or Team.