How to hide sensitive parameters when running Bitbucket Shell Runner?

KwanjungJU
December 2, 2025

Hello,

I'm running a Bitbucket Shell Runner on Linux using systemd.

I already moved some parameters to an environment file, and that partially worked.
However, sensitive information such as the OAuth client ID and OAuth client secret still appears in the systemctl status output because it is passed as Java -D options.

Also, according to a chatbot-based search, there seems to be no official support for loading secrets automatically from an env file in start.sh.

Is there an official or recommended way to securely pass secrets to the runner without exposing them in the process list?

Thanks

1 answer

0 votes
Alexander Nilsson
December 3, 2025

Hello KwanjungJU,

Welcome to the community!

Unfortunately, there's no official way to hide OAuth client ID/secret from the Bitbucket Shell Runner's process list (ps/systemctl status). The start.sh passes them as -D Java options, making them visible.

Systemd env files help with unit files but not the final Java command line. The recommended approach is treating the runner host as trusted infrastructure:

  • Dedicated VM/host with restricted SSH/sudo access
  • OS hardening (limited users, SELinux/AppArmor)
  • Regular OAuth credential rotation

For stricter isolation, we recommend using a dedicated hardened node per trust boundary. This means:

  • Separate runner VMs or servers for different teams or departments to isolate access.
  • Each node has its own OAuth credentials and is accessible only by its specific admins.
  • Network segmentation to restrict access further, such as placing runner nodes in isolated subnets with limited external access.
  • Optionally, use ephemeral VMs that can be re-provisioned regularly to reduce risk.

This approach ensures that, even if one node or team is compromised, OAuth secrets from other trust boundaries remain protected. Since Bitbucket Shell Runner has no built-in secret-hiding feature, isolating runners this way is the only practical method to protect secrets from local users on the host.

Greetings,

Alex
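As an added example (it is not part of the question, the answer, or Atlassian's runner scripts), the following POSIX shell helper lets an operator audit which Java `-D` options on a process command line look like credentials, printing only the option names or a redacted command line so the audit itself never copies a secret into a log. The sample command line and its `-Dexample.*` property names are constructed placeholders, not the runner's real options; `audit_live_processes` reads `/proc/<pid>/cmdline` the same way `ps` does, and the `hidepid` check reports an OS-level `/proc` mount option that is outside what the answer covers.

```shell
#!/bin/sh
# Added audit helper; not part of the Bitbucket Shell Runner.
# Reports -D options whose names look like credentials, without printing values.

# Case-insensitive name fragments treated as sensitive (extend as needed).
SECRET_PATTERN='secret|token|password|passwd|clientid|client_id|apikey|api_key'

# exposed_secret_options "<command line>": prints one matching -D option name
# per line, value discarded. Word-splitting of $1 is intentional.
exposed_secret_options() {
    for tok in $1; do
        case "$tok" in
            -D*=*)
                name=${tok%%=*}
                if printf '%s' "$name" | grep -qiE "$SECRET_PATTERN"; then
                    printf '%s\n' "$name"
                fi ;;
        esac
    done
}

# count_exposed_secrets "<command line>": number of matching options.
count_exposed_secrets() {
    exposed_secret_options "$1" | wc -l | tr -d ' '
}

# redact_cmdline "<command line>": same command line with the values of
# matching -D options replaced by REDACTED, safe to paste into a ticket.
redact_cmdline() {
    out=""
    for tok in $1; do
        case "$tok" in
            -D*=*)
                name=${tok%%=*}
                if printf '%s' "$name" | grep -qiE "$SECRET_PATTERN"; then
                    tok="$name=REDACTED"
                fi ;;
        esac
        out="$out${out:+ }$tok"
    done
    printf '%s\n' "$out"
}

# proc_hidepid_enabled: true when /proc is mounted with hidepid, which keeps
# other users' command lines out of ps for unprivileged accounts. This is a
# kernel mount option, not a runner feature, and does not hide them from root.
proc_hidepid_enabled() {
    grep -qE '^proc /proc proc [^ ]*hidepid=(1|2|invisible|ptraceable)' /proc/mounts 2>/dev/null
}

# audit_live_processes: scan every readable java process on this host.
audit_live_processes() {
    for f in /proc/[0-9]*/cmdline; do
        pid=${f#/proc/}; pid=${pid%/cmdline}
        cmd=$(tr '\0' ' ' < "$f" 2>/dev/null) || continue
        case "$cmd" in *java*) ;; *) continue ;; esac
        names=$(exposed_secret_options "$cmd")
        if [ -n "$names" ]; then
            printf 'pid %s exposes: %s\n' "$pid" "$(printf '%s' "$names" | tr '\n' ' ')"
        fi
    done
    if proc_hidepid_enabled; then
        echo "/proc is mounted with hidepid"
    else
        echo "/proc is NOT mounted with hidepid: any local user can read these command lines"
    fi
    return 0
}

# Constructed sample command line (placeholder property names, fake values).
SAMPLE='java -Xmx1g -Dexample.oauthClientId=abc123 -Dexample.oauthClientSecret=s3cr3t -Dexample.runtime=docker -jar runner.jar'

# Run with --live to audit the host; without arguments, show the sample.
if [ "${1:-}" = "--live" ]; then
    audit_live_processes
else
    echo "exposed options in sample: $(count_exposed_secrets "$SAMPLE")"
    redact_cmdline "$SAMPLE"
fi
```

Run as the runner's own service account and as an unrelated local user to see the difference a `hidepid` mount makes; if the unrelated user still gets output, the answer's point stands and every local account on that host must be treated as holding the OAuth credentials.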
