Bitbucket Dependency Vulnerability Alert
When a Bitbucket security/dependency scan flags a vulnerability (or on a scheduled check of advisories against the repo's dependencies), the flow opens a tracked Dataverse remediation item, posts the severity and affected package to a security Teams channel, and emails the repo owner. Escalates critical CVEs immediately. Closes the loop on dependency risk.
Overview
This flow closes the loop on dependency risk in Bitbucket. On a daily schedule it lists every repository in the configured Bitbucket workspace, reads the dependency-vulnerability annotations from each repo's latest security-scan report (Bitbucket Code Insights), opens a tracked Dataverse remediation item per finding, posts the severity and affected package to a security Microsoft Teams channel, and — for critical CVEs — immediately emails the repo owner via Outlook.
Why it matters: Vulnerability alerts that aren't tracked get ignored. Turning each finding into an owned, tracked remediation item with severity-based escalation drives them to closure.
Status: Built and shipped Off (demo). Going live requires only authorizing the four connections and setting the environment-variable values — no logic changes.
Use Case
A dev/security team wants dependency vulnerabilities surfaced, owned, and tracked rather than buried in scan output. Each daily run produces a Dataverse audit trail, a Teams notification stream for the security channel, and high-importance email escalations for critical findings.
Flow Architecture
Recurrence
Recurrence (Day / 1): Daily advisory check across the configured Bitbucket workspace.
Initialize variables
Initialize Variable: Load the nine env-var values into variables and mint a correlationId (guid()) stamped on every record for tracing.
List Bitbucket Repositories
Bitbucket ListRepositories: List all repos in the workspace.
Apply to each Repository
Foreach (concurrency 1): For each repo, get the latest commit (HTTP, Bearer), extract the commit hash, then read the security-report annotations for that commit (HTTP, Bearer).
Apply to each Finding
Foreach (concurrency 1): For each vulnerability finding, upper-case the severity, open a tracked Dataverse remediation record (owner, severity, CVE), and post the severity + affected package to the security Teams channel.
Critical escalation
Condition (If) + Outlook SendEmailV2 (High): When severity equals the configured critical label, immediately email the repo owner a High-importance escalation.
Environment Variables
| Schema name | Type | Default | Description |
|---|---|---|---|
| flowlibs_BitbucketWorkspace | String | your-workspace | Workspace (account) slug to scan |
| flowlibs_BitbucketApiBaseUrl | String | https://api.bitbucket.org/2.0 | Bitbucket Cloud REST base URL |
| flowlibs_BitbucketAccessToken | String | REPLACE_WITH_BITBUCKET_ACCESS_TOKEN | Repository/workspace access token (report:read + repository:read) |
| flowlibs_SecurityReportId | String | flowlibs-depscan | Code Insights security report id whose annotations are read |
| flowlibs_RemediationTable | String | flowlibs_vulnremediation | Dataverse logical name of the tracking table |
| flowlibs_CriticalSeverity | String | CRITICAL | Severity label that triggers immediate escalation |
| flowlibs_SecTeamsGroupId | String | REPLACE_WITH_TEAMS_GROUP_ID | Security Teams group/team id |
| flowlibs_SecTeamsChannelId | String | REPLACE_WITH_TEAMS_CHANNEL_ID | Security Teams channel id |
| flowlibs_RepoOwnerEmail | String | security@yourcompany.com | Fallback repo-owner email for escalation |
Connectors & Connections
| Connector | API name | Actions used |
|---|---|---|
| Bitbucket | shared_bitbucket | ListRepositories |
| Microsoft Dataverse | shared_commondataserviceforapps | CreateRecord |
| Microsoft Teams | shared_teams | PostMessageToConversation |
| Office 365 Outlook | shared_office365 | SendEmailV2 |
Note — All connections are referenced as solution connection references; the flow is portable between environments as long as a connection is mapped at import time.
Customization Guide
Almost every realistic variant of this flow can be implemented by changing environment variable values. A few cases require small edits inside the flow definition — those are called out explicitly below.
- Auto-PR: Add a Bitbucket step (HTTP) to open a dependency-bump pull request for a known fix version.
- SLA by severity: Store a per-severity remediation deadline on the Dataverse row and drive reminders from it.
- Suppression list: Check a Dataverse accepted-risk table before opening a new item to skip known exceptions.
- Per-repo owner: Replace the single flowlibs_RepoOwnerEmail with a lookup (Dataverse or repo metadata) so escalation emails route to the actual owner.
- Scanner swap: Repoint the two HTTP calls at any scanner that exposes findings (Snyk, Dependabot, OSV.dev) and adjust the severity/package/CVE field reads.
Key Expressions
The flow is intentionally light on Power Fx / WDL gymnastics — the heaviest expressions are the branch-name concatenation and the approval outcome check. They are listed below in the order they appear in the flow.
EXPR.01 Severity normalise
Upper-cases the finding severity.
EXPR.02 Critical gate
Escalation gate for critical findings.
EXPR.03 Commit hash
Latest commit hash with a HEAD fallback.
EXPR.04 Item title
Remediation item title built from package + CVE.
EXPR.05 Annotations URI
Code Insights annotations endpoint for the commit.
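The per-finding logic of the Flow Architecture steps and the five Key Expressions above, as an added Python example that is not part of the flow or the flowlibs template: it runs over a constructed Code Insights annotations page and also applies the accepted-risk suppression from the Customization Guide. It assumes the affected package is the annotation title and the CVE id sits in its summary (the template's actual field reads are not shown on this page), with obviously placeholder CVE ids in the sample.

```python
import re
CRITICAL_SEVERITY = "CRITICAL"               # env var flowlibs_CriticalSeverity
FALLBACK_OWNER = "security@yourcompany.com"  # env var flowlibs_RepoOwnerEmail
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample page from .../commit/{hash}/reports/{id}/annotations.
SAMPLE_ANNOTATIONS = {"values": [
    {"annotation_type": "VULNERABILITY", "severity": "critical",
     "title": "example-lib@1.2.3", "summary": "RCE placeholder CVE-0000-0001"},
    {"annotation_type": "VULNERABILITY", "severity": "Medium",
     "title": "other-lib@0.9.0", "summary": "DoS placeholder CVE-0000-0002"},
    {"annotation_type": "CODE_SMELL", "severity": "LOW",
     "title": "unused import", "summary": ""},
]}

def normalise_severity(finding):  # EXPR.01: 'critical' and 'Critical' compare equal
    return str(finding.get("severity", "")).upper()

def is_critical(severity, critical_label=CRITICAL_SEVERITY):  # EXPR.02
    return severity == critical_label.upper()

def latest_commit_hash(commits_page):  # EXPR.03: HEAD fallback for an empty listing
    values = commits_page.get("values") or []
    return values[0]["hash"] if values else "HEAD"

def item_title(package, cve):  # EXPR.04: package + CVE
    return f"{package} - {cve}" if cve else package

def annotations_uri(base_url, workspace, repo_slug, commit, report_id):  # EXPR.05
    return (f"{base_url}/repositories/{workspace}/{repo_slug}"
            f"/commit/{commit}/reports/{report_id}/annotations")

def build_remediation_items(repo_slug, page, accepted_risk=frozenset(),
                            owner=FALLBACK_OWNER):
    """One record per VULNERABILITY annotation, skipping (package, cve) pairs on
    the accepted-risk list. Assumes package = title and the CVE is in summary."""
    items = []
    for ann in page.get("values", []):
        if ann.get("annotation_type") != "VULNERABILITY":
            continue  # Code Insights also carries BUG / CODE_SMELL annotations
        package = ann.get("title", "unknown-package")
        match = CVE_RE.search(ann.get("summary", ""))
        cve = match.group(0) if match else ""
        if (package, cve) in accepted_risk:
            continue
        severity = normalise_severity(ann)
        items.append({"repo": repo_slug, "owner": owner, "severity": severity,
                      "cve": cve, "title": item_title(package, cve),
                      "escalate": is_critical(severity)})
    return items
```

Each returned record carries what the flow writes to Dataverse (owner, severity, CVE, title) plus the escalate flag that drives the High-importance Outlook email.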