Bitbucket Cloud / BCLOUD-18440

Bitbucket Cloud does not match or audit SSH key to user account matches


Description

Hi,

Firstly, we are already aware that Bitbucket Cloud makes no attempt to verify the local Git config, such as email and username, and simply checks that the connecting SSH key has access/permission.

Consider the following two separate situations, which, as far as I can tell, are currently unstoppable and unauditable in Bitbucket Cloud. Please correct me if I am wrong about this.

1. I create a personal user account, set my local git config to match that user, and then push commits to our team repo.
2. I simply add the email and name of a colleague in the same team, and push commits to our team repo.

In both of these cases, Bitbucket Cloud will show the author of the commit as the one in the local git config. There is clearly no attempt to check that the author's identity has any access, or even has the SSH key that was used attached to it (it does not).

The team audit log does not show any commit history. The commits page in the repository only shows the spoofed information.

Please tell me how an Enterprise organisation with its own auditing requirements is supposed to prevent or audit this. Surely I have missed something?
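The report above describes author metadata that Git stores as plain text from the pusher's local config; the only claim about authorship that can actually be checked is a commit signature. The script below is an added example, not code from the issue, from Atlassian or from Bitbucket. It audits constructed `git log` output (in the shape of `git log --format='%H%x09%an%x09%ae%x09%G?%x09%GK'`) against a hypothetical registry of which signing key ids belong to which author email, flagging unsigned commits, commits whose signature does not verify, and commits signed with a key not registered to the claimed author. The sample log lines and the key registry are constructed for the example; line 2 of the sample is the scenario from the report (a colleague's name and email with nothing backing the claim).

```python
"""Audit commit authorship in `git log` output.

Added example for the issue above; it is not Atlassian's or Bitbucket's code.
Git stores author name/email as plain text taken from the committer's local
config, so the only author claim that can be checked is a signature. The
input below is CONSTRUCTED output in the shape produced by

    git log --format='%H%x09%an%x09%ae%x09%G?%x09%GK'

where %G? is the signature status (G good, B bad, U good but untrusted,
X good but expired, Y good but key expired, R good but key revoked,
E cannot be checked, N no signature) and %GK is the signing key id.
"""
from dataclasses import dataclass

# Constructed sample log. Line 2 is the scenario from the report: a commit
# carrying a colleague's name and e-mail with nothing backing the claim.
SAMPLE_LOG = """\
1111111111111111111111111111111111111111\tAlice Example\talice@example.com\tG\tAAAA1111AAAA1111
2222222222222222222222222222222222222222\tBob Example\tbob@example.com\tN\t
3333333333333333333333333333333333333333\tBob Example\tbob@example.com\tG\tCCCC3333CCCC3333
4444444444444444444444444444444444444444\tCarol Example\tcarol@example.com\tB\tDDDD4444DDDD4444
"""

# Constructed, hypothetical registry: which signing key ids the organisation
# has recorded for each author e-mail. It has to be kept by the organisation
# itself, since the report says the service does not check author identity.
TRUSTED_KEYS = {
    "alice@example.com": {"AAAA1111AAAA1111"},
    "bob@example.com": {"BBBB2222BBBB2222"},
    "carol@example.com": {"DDDD4444DDDD4444"},
}


@dataclass(frozen=True)
class Commit:
    sha: str
    author_name: str
    author_email: str
    sig_status: str
    key_id: str


def parse_log(text: str) -> list[Commit]:
    """Split tab-separated git log lines into Commit records."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, name, email, status, key = line.split("\t")
        commits.append(Commit(sha, name, email, status, key))
    return commits


def audit(commits: list[Commit], trusted_keys: dict[str, set[str]]) -> list[tuple[str, str]]:
    """Return (sha, reason) for every commit whose author claim is unverified."""
    findings = []
    for c in commits:
        if c.sig_status == "N":
            # No signature at all: the name/email is just text from git config.
            findings.append((c.sha, f"unsigned: '{c.author_name} <{c.author_email}>' is unverified git-config text"))
        elif c.sig_status != "G":
            # Signed, but the signature is bad, expired, revoked or uncheckable.
            findings.append((c.sha, f"signature status {c.sig_status}: signature does not verify cleanly"))
        elif c.key_id not in trusted_keys.get(c.author_email, set()):
            # Good signature, but from a key nobody registered for this author:
            # a valid signature by someone else does not prove the claimed author.
            findings.append((c.sha, f"signed with key {c.key_id}, which is not registered to {c.author_email}"))
    return findings


def audit_sample() -> list[tuple[str, str]]:
    """Run the audit over the constructed sample log."""
    return audit(parse_log(SAMPLE_LOG), TRUSTED_KEYS)


if __name__ == "__main__":
    for sha, reason in audit_sample():
        print(f"{sha[:12]}  {reason}")
```

The third check matters as much as the first: a commit can carry a perfectly valid signature and still misattribute authorship if the key is not the one recorded for the email in the author field, so the audit needs a key-to-identity mapping, not just `git log --show-signature`.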

People

Assignee: Unassigned
Reporter: Jamie Gibbard