Unlike for github and gitlab, this repository does not validate signatures for bitbucket webhooks. This is a major security issue.

For bitbucket webhooks, there are two pieces of information:

• UUID
• HMAC secret

They cannot be the same, as the HMAC secret must not appear in the message itself.

The HMAC signing was added in 2023: https://www.atlassian.com/blog/bitbucket/enhanced-webhook-security

Currently this repository check the UUID but it does not check the HMAC signature.