Audit security commit from unknown user

This is related to:


When a user has an improperly configured email on their PC, they can push commits that show up as "unknown" or "this user cannot be mapped to an Atlassian account".

Knowing who just pushed a commit is dependent on the person pushing the commit telling you they are the one who pushed the commit. They must either tell you in person or properly configure their email before pushing the commit. Otherwise they can configure random information and push a commit that shows up as an unknown user.

My main issue is this can also be used by malicious people to push commits from "unknown" users and we can't tell whose machine or key was compromised.

We have a lot of commits from unknown users. While we think we've been able to verify most of them, we aren't certain they are all authorized commits.

In 2017 (see article) it was said there was no way to disallow this from happening. Are there any better options today? Are there any Atlassian workflows that can be adopted to prevent commits from unknown users?







1 answer

0 votes
Caroline R
Atlassian Team
Sep 22, 2022

Hi, @travistst, thank you for reaching out to Atlassian Community.

You are correct, credentials and commit authors are two separate concepts and are unrelated to each other. So, when a push is made to Bitbucket, we receive the user credentials and check if the provided credentials are able to push to the repository the user is trying to. If the HTTPS or SSH credentials are correct, the push is performed, otherwise, it will fail. This is what we use to check for security and confirm the user who is pushing to Bitbucket is who they say they are.

The commit author, which is a different configuration from their credentials, is not checked at push time, and this is expected. What you see on the commits page is this configuration coming from Git, and not the credentials used to authenticate against Bitbucket.

So what we recommend in this case is to ask the users who work on this workspace to run the following commands on their accounts and confirm if their emails are configured correctly: 

git config --global --list

git config --local --list

git config --system --list

Just to clarify, in order to set the username and email on Git, they can run these commands:

Set your username:
git config --global user.name "FIRST_NAME LAST_NAME"

Set your email:
git config --global user.email "YOUR_EMAIL@example.com"

We still have that feature request to prevent unknown committers from pushing to a repository, so I would suggest that you add your vote there (by selecting the Vote for this issue link) as the number of votes helps the development team and product managers better understand the demand for new features:

You are more than welcome to leave any feedback, and you can also add yourself as a watcher (by selecting the Start watching this issue link) if you'd like to get notified via email on updates.

Implementation of new features is done as per our policy here and any updates will be posted in the feature request. 

Kind regards,
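
Since the commit author comes from each user's local Git configuration and is not checked at push time, existing history can be audited for emails that match no known account. The script below is an added example, not part of the original answer or any Atlassian tooling; the allow-list file of known account emails, the function names and the sample records are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list commits whose author or committer email is not in a
# file of known account emails (one per line, '#' comments allowed).
# Real use, with known-emails.txt as a hypothetical allow-list you maintain:
#   git log --all --format='%H%x09%an%x09%ae%x09%ce' | unknown_authors known-emails.txt

# stdin : "<hash> TAB <author name> TAB <author email> TAB <committer email>"
# stdout: one line per commit with an unlisted or empty email
unknown_authors() {
    awk -F '\t' '
        FILENAME == ARGV[1] {               # first input: the allow-list
            gsub(/^[ \t]+|[ \t]+$/, "")
            if ($0 != "" && $0 !~ /^#/) known[tolower($0)] = 1
            next
        }
        {                                   # remaining input: commit records
            reason = ""
            if (!(tolower($3) in known)) reason = "author"
            if (!(tolower($4) in known)) reason = (reason != "" ? reason "+" : "") "committer"
            if (reason != "") {
                printf "%s\t%s\t%s <%s>\tcommitter <%s>\n", substr($1, 1, 12), reason, $2, $3, $4
            }
        }
    ' "$1" -
}

# Constructed sample records, not taken from any real repository.
sample_log() {
    printf '%s\t%s\t%s\t%s\n' \
        1111111111111111111111111111111111111111 'Alice Example' 'alice@example.com' 'alice@example.com' \
        2222222222222222222222222222222222222222 'root' 'root@build-host.localdomain' 'Alice@Example.com' \
        3333333333333333333333333333333333333333 'unknown' '' 'bob@example.com'
}

# Run the check over the constructed records with a constructed allow-list.
demo() {
    allow=$(mktemp) || return 1
    printf '%s\n' '# known account emails (constructed)' \
        'alice@example.com' 'bob@example.com' > "$allow"
    sample_log | unknown_authors "$allow"
    rm -f "$allow"
}

demo
```

A commit that passes this check only shows that the local configuration carried a known address; as the answer explains, the push credentials are what Bitbucket verifies.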
