Rahul Singh

Posted on Mar 29 • Originally published at aicodereview.cc

Bitbucket Code Review: Best AI Tools and Practices (2026)

#codereview #ai #programming #tools

Why Bitbucket code review matters

Bitbucket is not just "the other Git hosting platform." It is the code hosting backbone for teams embedded in the Atlassian ecosystem - organizations that run their project management in Jira, their documentation in Confluence, and their incident response in Opsgenie. For these teams, Bitbucket is not an interchangeable commodity. It is the Git layer that ties their entire software delivery workflow together.

That integration advantage also creates a challenge. The code review tooling ecosystem for Bitbucket is smaller than what GitHub and GitLab users enjoy. Many AI code review tools launched with GitHub-only support and added GitLab months later. Bitbucket support often comes last, if it comes at all. Some tools list Bitbucket on their marketing pages but only support Cloud, not Data Center. Others require workarounds through Bitbucket Pipelines rather than offering native app integrations.

This guide cuts through that ambiguity. I tested 8 code review tools specifically for their Bitbucket integration quality - not just whether they claim Bitbucket support, but how well they actually work with Bitbucket Cloud and Data Center in practice. For each tool, I cover the integration method, setup steps, bitbucket-pipelines.yml configuration where applicable, features, and pricing.

Bitbucket maintains a meaningful share of the enterprise market. Atlassian reported over 200,000 organizations using Bitbucket as of 2025, and the platform's deep Jira integration makes it the default choice for teams that track work in Jira. If your team is on Bitbucket, you should not have to compromise on review tool quality just because the ecosystem is smaller than GitHub's.

Bitbucket's built-in review features

Before adding third-party tools, it is worth understanding what Bitbucket gives you out of the box. The built-in review features are solid for basic workflows and form the foundation that external tools build on top of.

Pull request reviews

Bitbucket's pull request interface supports the core review workflow: viewing diffs, leaving comments on specific lines, approving or requesting changes, and tracking review status. Reviewers can view changes file-by-file or as a unified diff, and the interface highlights which files have been viewed to help track review progress across large PRs.

Inline comments and tasks

Reviewers can leave inline comments on any line of a diff. These comments support Markdown formatting, code blocks, and @mentions to bring other team members into the discussion. Bitbucket also supports tasks - comments that can be marked as actionable items that the PR author must resolve before merging. This is a lightweight but effective way to track required changes without external tooling.

Default reviewers

Bitbucket lets you configure default reviewers at the repository level. You can set specific users or groups to be automatically added as reviewers on every PR, or conditionally based on the target branch. For example, you might require a senior engineer to review any PR targeting main while allowing peer reviews for feature-to-develop merges. Default reviewer rules can be configured under Repository settings > Default reviewers.

Merge checks and branch permissions

Bitbucket supports several merge checks that act as quality gates:

Minimum approvals - Require a minimum number of reviewer approvals before a PR can be merged
No unresolved tasks - Block merge until all tasks in the PR are resolved
Successful builds - Require all linked pipeline builds to pass
Branch permissions - Restrict who can push directly to protected branches and who can merge PRs

These checks are configured under Repository settings > Branch restrictions (Cloud) or Branch permissions (Data Center).

Merge strategies

Bitbucket Cloud supports three merge strategies that you can configure per repository:

Merge commit - Creates a merge commit preserving all individual commits from the source branch
Squash - Combines all commits from the source branch into a single commit on the target branch
Fast-forward - Moves the target branch pointer forward without creating a merge commit (only available when no divergence exists)

You can set a default merge strategy and optionally restrict which strategies are available to developers, ensuring consistent Git history across the team.

Cloud vs Data Center: what you need to know

The distinction between Bitbucket Cloud and Bitbucket Data Center has significant implications for which review tools you can use and how you integrate them.

Feature comparison

Feature	Bitbucket Cloud	Bitbucket Data Center
Hosting	Atlassian-managed SaaS	Self-hosted on your infrastructure
App marketplace	Atlassian Marketplace (Cloud apps)	Atlassian Marketplace (Data Center apps)
Pipelines	Built-in CI/CD	Requires external CI (Jenkins, Bamboo, etc.)
API	REST API v2.0	REST API (different endpoints)
Webhooks	Native webhook support	Native webhook support
PR status checks	Build status API	Build status API (different format)
Pricing	Per user (Free / Standard / Premium)	Annual license based on user count
Bitbucket Server	N/A	Server reached end-of-life Feb 2024

Tool compatibility implications

This distinction matters because most third-party review tools integrate differently - or not at all - across the two products:

Bitbucket Cloud apps install through the Atlassian Marketplace and use OAuth 2.0 for authentication. Tools like CodeRabbit and Codacy install as Cloud apps with native PR commenting via the Bitbucket API.
Bitbucket Data Center plugins are installed on the self-hosted instance. SonarQube's Bitbucket plugin, for example, posts PR decoration directly to Data Center instances.
Pipeline-based tools (Semgrep, Snyk) work identically on Cloud because they run inside Bitbucket Pipelines. On Data Center, you need to replicate the same scans in your external CI system (Jenkins, Bamboo, or similar).

If you are on Bitbucket Data Center, verify that your chosen tool explicitly supports it. "Bitbucket support" on a marketing page usually means Bitbucket Cloud only.

8 tools tested with Bitbucket

1. CodeRabbit - Best overall AI code review for Bitbucket

Integration method: Bitbucket Cloud app (Atlassian Marketplace)

CodeRabbit provides the most comprehensive AI-powered code review experience available for Bitbucket Cloud. It installs as a native Bitbucket app, reviews every pull request automatically, and posts inline comments directly on the PR diff. No pipeline configuration is needed - the integration is entirely webhook-driven.

How to set up CodeRabbit with Bitbucket:

Go to coderabbit.ai and sign up using your Bitbucket account
Authorize CodeRabbit to access your Bitbucket workspace via OAuth
Select the repositories you want CodeRabbit to review
CodeRabbit installs webhooks automatically and begins reviewing PRs immediately

The entire setup takes under 5 minutes. There is no bitbucket-pipelines.yml configuration required because CodeRabbit operates through Bitbucket's webhook and API layer, not through your CI pipeline.

Configuration with .coderabbit.yaml:

You can customize CodeRabbit's behavior by adding a .coderabbit.yaml file to the root of your repository:

# .coderabbit.yaml
reviews:
  profile: "assertive"
  request_changes_workflow: true
  high_level_summary: true
  auto_title: true
  instructions:
    - "Flag any database query without parameterized inputs"
    - "Warn about functions longer than 50 lines"
    - "Check that all API endpoints validate input"
    - "Ensure error messages do not leak internal details"

CodeRabbit's natural language instruction system means you describe what you want in plain English rather than writing rule patterns. This makes configuration accessible to every developer on the team.

What it does well with Bitbucket:

Posts structured PR summaries (walkthrough) as the first comment on every PR
Leaves inline comments on specific diff lines with concrete fix suggestions
Supports interactive chat - reply to a CodeRabbit comment to ask follow-up questions or tell it to ignore a finding
Learns from your feedback over time, reducing noise on subsequent reviews
Works with Bitbucket's approval workflow - can be configured to request changes that block merge

Pricing: Free tier covers unlimited public and private repositories with full AI review. Pro plan at $24/user/month adds advanced features. Enterprise pricing available.

Bitbucket-specific limitations: CodeRabbit currently supports Bitbucket Cloud only. Bitbucket Data Center is not supported. If you are on Data Center, you will need to consider SonarQube, Codacy Self-Hosted, or a pipeline-based tool instead.

Bottom line: If you are on Bitbucket Cloud and want the best AI code review experience with zero pipeline configuration, CodeRabbit is the clear choice. The free tier is generous enough that most small teams will never need to upgrade.

2. SonarQube - Best for enterprise teams and Data Center

Integration method: Bitbucket Pipelines (Cloud) / Bitbucket Data Center plugin (self-hosted)

SonarQube provides the deepest rule-based analysis available for Bitbucket, with 6,500+ rules across 35+ languages. It is the strongest option for teams on Bitbucket Data Center thanks to its native plugin that posts PR decoration directly to the Data Center instance.

How to set up SonarQube with Bitbucket Cloud:

Create a SonarQube Cloud account at sonarcloud.io or set up a self-hosted SonarQube instance
Import your Bitbucket Cloud repository into SonarQube
Generate a SonarQube token and store it as a Bitbucket repository variable (SONAR_TOKEN)
Add the SonarScanner step to your bitbucket-pipelines.yml

Bitbucket Pipelines configuration:

image: maven:3.9-eclipse-temurin-17

definitions:
  steps:
    - step: &sonar-analysis
        name: SonarQube Analysis
        caches:
          - maven
          - sonar
        script:
          - mvn clean verify sonar:sonar
              -Dsonar.projectKey=$SONAR_PROJECT_KEY
              -Dsonar.host.url=$SONAR_HOST_URL
              -Dsonar.token=$SONAR_TOKEN
  caches:
    sonar: ~/.sonar/cache

pipelines:
  pull-requests:
    '**':
      - step: *sonar-analysis

  branches:
    main:
      - step: *sonar-analysis

For non-Java projects, replace the Maven SonarScanner with the CLI scanner:

image: sonarsource/sonar-scanner-cli:latest

pipelines:
  pull-requests:
    '**':
      - step:
          name: SonarQube Analysis
          script:
            - sonar-scanner
                -Dsonar.projectKey=$SONAR_PROJECT_KEY
                -Dsonar.sources=src
                -Dsonar.host.url=$SONAR_HOST_URL
                -Dsonar.token=$SONAR_TOKEN

How to set up SonarQube with Bitbucket Data Center:

Install the SonarQube plugin on your self-hosted SonarQube instance
Configure the Bitbucket Data Center integration in SonarQube under Administration > Configuration > ALM Integrations > Bitbucket
Provide your Bitbucket Data Center URL and a personal access token
Import your repositories into SonarQube and configure the CI scanner in your Jenkins or Bamboo pipeline

SonarQube posts PR decoration (inline comments and a summary status) directly to Bitbucket Data Center pull requests through its native integration. This is the primary reason SonarQube is the top choice for Data Center users.

What it does well with Bitbucket:

Quality gates that block merges when thresholds are violated
PR decoration with inline comments on new issues
Coverage, duplication, and complexity tracking over time
Compliance reporting mapped to OWASP, CWE, and PCI DSS
AI CodeFix suggestions for automated remediation
Native Data Center plugin for on-premises deployments

Pricing: SonarQube Community Build is free but lacks PR decoration. SonarQube Cloud starts at approximately $150/year (LOC-based). Self-hosted Developer Edition starts at approximately $2,500/year. Enterprise pricing starts at $20,000+/year.

Bottom line: SonarQube is the gold standard for teams that need quality gates, compliance reporting, and Data Center support. If you are in a regulated industry or on Bitbucket Data Center, SonarQube is likely your primary review tool.

3. Semgrep - Best for custom security scanning in pipelines

Integration method: Bitbucket Pipelines CLI step

Semgrep is a fast, lightweight security scanner that runs natively in Bitbucket Pipelines. It scans at a median of 10 seconds, which means it adds virtually no overhead to your pipeline execution time. The code-like rule syntax makes it easy to write custom rules that match your organization's specific security patterns.

How to set up Semgrep with Bitbucket Pipelines:

Sign up at semgrep.dev and create an organization
Generate a Semgrep API token
Store the token as a Bitbucket repository variable (SEMGREP_APP_TOKEN)
Add the Semgrep scan step to your bitbucket-pipelines.yml

Bitbucket Pipelines configuration:

image: atlassian/default-image:4

pipelines:
  pull-requests:
    '**':
      - step:
          name: Semgrep Security Scan
          image: semgrep/semgrep:latest
          script:
            - semgrep ci
          services:
            - docker

The semgrep ci command automatically detects the Bitbucket environment, runs the appropriate rules, and reports findings back to the Semgrep platform. If you have the SEMGREP_APP_TOKEN set, results are uploaded to the Semgrep dashboard where you can triage, dismiss false positives, and track trends.

Running Semgrep with custom rules:

pipelines:
  pull-requests:
    '**':
      - step:
          name: Semgrep Custom Rules
          image: semgrep/semgrep:latest
          script:
            - semgrep ci --config p/owasp-top-ten --config .semgrep/

This runs both the OWASP Top 10 rule pack and any custom rules you have defined in a .semgrep/ directory in your repository. Custom Semgrep rules use a YAML syntax that mirrors the source code you are scanning:

# .semgrep/no-raw-sql.yaml
rules:
  - id: no-raw-sql-queries
    patterns:
      - pattern: cursor.execute($QUERY, ...)
      - pattern-not: cursor.execute("...", ...)
    message: "Use parameterized queries instead of string formatting for SQL"
    severity: ERROR
    languages: [python]

What it does well with Bitbucket:

10-second median scan time keeps pipeline execution fast
20,000+ Pro rules covering OWASP Top 10 and common vulnerability patterns
Cross-file taint analysis (Pro engine) traces vulnerabilities across function boundaries
Semgrep Assistant (AI triage) reduces false positives by 20-40%
Diff-aware scanning only analyzes changed files on PRs
Works identically on Bitbucket Cloud and any external CI used with Data Center

Pricing: Free for up to 10 contributors with the full platform. Team plan at $35/contributor/month. Enterprise pricing is custom.

Bottom line: Semgrep is the best choice for teams that want fast, customizable security scanning in their Bitbucket Pipelines without slowing down builds. The free tier for 10 contributors is generous enough for most small security-conscious teams.

4. Codacy - Best all-in-one for Bitbucket teams

Integration method: Bitbucket Cloud app (Atlassian Marketplace) + optional Pipelines steps

Codacy provides a comprehensive code quality and security platform with native Bitbucket Cloud integration. It supports 49 languages out of the box, combines static analysis with coverage tracking and security scanning, and integrates directly with Bitbucket's PR workflow through the Atlassian Marketplace app.

How to set up Codacy with Bitbucket Cloud:

Go to your Bitbucket workspace settings and click Installed apps then Find new apps
Search for "Codacy" in the Atlassian Marketplace and install it
Sign in at app.codacy.com using your Bitbucket credentials
Add your repositories from the Codacy dashboard
Codacy installs webhooks automatically and starts analyzing PRs

Static analysis runs automatically on every push and PR through Codacy's cloud infrastructure. No pipeline configuration is required for the core analysis. However, if you want coverage reporting, you need to add a pipeline step to upload coverage data.

Bitbucket Pipelines configuration for coverage:

image: node:20-alpine

pipelines:
  pull-requests:
    '**':
      - step:
          name: Test with Coverage
          caches:
            - node
          script:
            - npm ci
            - npm test -- --coverage --coverageReporters=lcov
      - step:
          name: Upload Coverage to Codacy
          script:
            - apk add --no-cache curl bash
            - curl -Ls https://coverage.codacy.com/get.sh -o codacy-coverage-reporter.sh
            - bash codacy-coverage-reporter.sh report
                -r coverage/lcov.info
                --project-token $CODACY_PROJECT_TOKEN
                --commit-uuid $BITBUCKET_COMMIT

Store the CODACY_PROJECT_TOKEN as a secured repository variable in Bitbucket under Repository settings > Repository variables.

Quality gate enforcement via pipeline:

To make Codacy analysis a hard gate in your pipeline, you can query the Codacy API to check whether a commit passes your quality thresholds:

- step:
    name: Check Codacy Quality Gate
    script:
      - apt-get update && apt-get install -y curl jq
      - |
        for i in $(seq 1 30); do
          RESULT=$(curl -s -H "api-token: $CODACY_ACCOUNT_TOKEN" \
            "https://app.codacy.com/api/v3/analysis/organizations/gh/$ORG/repositories/$REPO/commits/$BITBUCKET_COMMIT/quality" \
            | jq -r '.isUpToStandards')
          if [ "$RESULT" = "true" ]; then
            echo "Quality gate passed"
            exit 0
          elif [ "$RESULT" = "false" ]; then
            echo "Quality gate failed"
            exit 1
          fi
          echo "Waiting for analysis... attempt $i"
          sleep 10
        done
        echo "Timed out waiting for Codacy analysis"
        exit 1

What it does well with Bitbucket:

Native Bitbucket Cloud app with zero-config PR analysis
Inline PR comments and summary status checks
49-language support - the broadest of any tool on this list
SAST, SCA, secrets detection, and DAST in one platform
Coverage tracking with quality gate enforcement
Codacy Self-Hosted available for Bitbucket Data Center (Enterprise plan)

Pricing: Free tier covers up to 5 repositories. Pro plan at $15/user/month. Business plan with self-hosted at approximately $37.50/user/month.

Bottom line: Codacy is the best single-platform option for Bitbucket teams that want code quality, security, and coverage in one tool at a reasonable price. The native Bitbucket app makes setup trivial, and the $15/user/month price is the most affordable paid option on this list.

5. DeepSource - Best for low-noise analysis

Integration method: Bitbucket Cloud app

DeepSource is built around signal quality. Its sub-5% false positive rate means developers actually read and act on findings rather than dismissing them reflexively. For Bitbucket teams that have been burned by noisy tools, DeepSource is the antidote.

How to set up DeepSource with Bitbucket:

Sign up at deepsource.com using your Bitbucket account
Authorize DeepSource to access your Bitbucket workspace
Activate the repositories you want to analyze
Add a .deepsource.toml configuration file to your repository root

Configuration with .deepsource.toml:

version = 1

[[analyzers]]
name = "python"
enabled = true

  [analyzers.meta]
  runtime_version = "3.x"
  max_line_length = 120

[[analyzers]]
name = "javascript"
enabled = true

  [analyzers.meta]
  environment = ["nodejs"]
  dialect = "typescript"

[[transformers]]
name = "black"
enabled = true

[[transformers]]
name = "prettier"
enabled = true

DeepSource uses this TOML file to determine which analyzers and code formatters to run. Once configured, analysis runs automatically on every push and pull request.

What it does well with Bitbucket:

Sub-5% false positive rate - the lowest of any tool tested
Five-dimension PR report card (Security, Reliability, Complexity, Hygiene, Coverage)
Autofix AI generates context-aware fixes for detected issues
5,000+ analysis rules across supported languages
Committer-based billing - only pay for developers who push code, not reviewers
Clean PR comments that developers actually read

Pricing: Free for individual developers. Team plan at $24/user/month. Enterprise pricing is custom.

Bitbucket-specific limitations: DeepSource supports Bitbucket Cloud only. No Data Center support. Language coverage (16 languages at GA) is narrower than Codacy or SonarQube. Some languages like C/C++ and Kotlin remain in beta.

Bottom line: If your team has started ignoring automated review comments because of noise, DeepSource is specifically designed to solve that problem. The signal quality is excellent, and the Bitbucket integration works smoothly for Cloud users.

6. Snyk Code - Best for security-first Bitbucket teams

Integration method: Bitbucket Cloud app + optional Pipelines steps

Snyk Code is the SAST component of the Snyk platform - a Gartner Magic Quadrant Leader for Application Security Testing. Its DeepCode AI engine performs interfile dataflow analysis that traces vulnerability paths across multiple function calls and files, catching issues that simpler scanners miss entirely.

How to set up Snyk Code with Bitbucket Cloud:

Sign up at snyk.io and create an organization
Go to Integrations > Bitbucket Cloud in the Snyk dashboard
Authorize Snyk to access your Bitbucket workspace
Import the repositories you want to scan
Enable Snyk Code (SAST) under your organization settings

Optional Bitbucket Pipelines step for CLI scanning:

image: node:20

pipelines:
  pull-requests:
    '**':
      - step:
          name: Snyk Code Security Scan
          script:
            - npm install -g snyk
            - snyk auth $SNYK_TOKEN
            - snyk code test --severity-threshold=high

The native app integration handles most use cases without pipeline configuration. The pipeline step is useful if you want to fail builds based on severity thresholds or if you need more control over scan behavior.

What it does well with Bitbucket:

DeepCode AI engine with interfile taint analysis across function boundaries
AI-powered auto-fix suggestions trained on human-curated fix patterns
Five security domains in one platform (SAST, SCA, container, IaC, cloud security)
Reachability analysis filters SCA noise by identifying exploitable code paths
IDE integration (VS Code, JetBrains) for catching issues before they reach a PR
PR checks that block merges when critical vulnerabilities are found

Pricing: Free tier supports 1 user with limited scans. Team plan starts at $25/dev/month. Enterprise pricing varies.

Bitbucket-specific limitations: Snyk Code supports Bitbucket Cloud. Data Center support is available through Snyk's Bitbucket Server integration (requires Snyk Enterprise plan). SAST language support (19+ languages) is narrower than SonarQube's 35+. Snyk is a security tool, not a code quality tool - it does not detect code smells, track complexity, or enforce style rules.

Bottom line: For Bitbucket teams where security scanning is the primary concern, Snyk Code provides the deepest vulnerability analysis available. Pair it with a quality-focused tool like Codacy or SonarQube for comprehensive coverage.

7. CodeAnt AI - Best all-in-one AI review and security

Integration method: Bitbucket Cloud app

CodeAnt AI is a Y Combinator-backed platform that bundles AI-powered PR reviews, SAST security scanning, secret detection, IaC security, and DORA metrics into a single tool. It supports all four major Git platforms including Bitbucket, which is uncommon in the AI code review space.

How to set up CodeAnt AI with Bitbucket:

Sign up at codeant.ai using your Bitbucket account
Authorize the CodeAnt AI app to access your Bitbucket workspace
Select the repositories you want to activate
CodeAnt AI begins reviewing PRs automatically via webhooks

Like CodeRabbit, CodeAnt AI installs as a Bitbucket Cloud app and requires no pipeline configuration for its core review and scanning features. The integration is webhook-driven and analysis runs on CodeAnt AI's cloud infrastructure.

What it does well with Bitbucket:

AI-powered line-by-line PR feedback with one-click auto-fix suggestions
Built-in SAST covering OWASP Top 10 vulnerabilities
Secret detection catches committed API keys and tokens
IaC scanning for Terraform, CloudFormation, and Kubernetes manifests
DORA metrics tracking (deployment frequency, lead time, MTTR, change failure rate)
PR summaries that explain changes in plain language
Supports 30+ languages

Pricing: Basic plan at $24/user/month covers AI code review. Premium plan at $40/user/month adds SAST, secrets, IaC security, and DORA metrics. Enterprise pricing available.

Bitbucket-specific limitations: Supports Bitbucket Cloud. Data Center support details should be confirmed with the CodeAnt AI team. As a newer platform, the Bitbucket-specific documentation is still maturing compared to more established tools.

Bottom line: CodeAnt AI is the best choice for Bitbucket teams that want AI review, security scanning, and engineering metrics in one platform without stitching together multiple vendors. The $24-40/user/month pricing delivers strong value for the breadth of capabilities.

8. PR-Agent (Qodo Merge) - Best self-hosted AI review for Bitbucket

Integration method: Bitbucket Pipelines (self-hosted) or Qodo Merge app (hosted)

PR-Agent is an open-source AI code review tool by Qodo that can be self-hosted on your own infrastructure. This makes it the best option for Bitbucket teams with strict data sovereignty requirements who cannot send code to third-party services. The hosted version, branded as Qodo Merge, provides the same functionality without self-hosting overhead.

How to set up PR-Agent with Bitbucket Pipelines (self-hosted):

Generate an API key from your LLM provider (OpenAI, Anthropic, or Azure OpenAI)
Store the API key as a Bitbucket repository variable (OPENAI_API_KEY)
Add the PR-Agent step to your bitbucket-pipelines.yml

Bitbucket Pipelines configuration:

image: python:3.12-slim

pipelines:
  pull-requests:
    '**':
      - step:
          name: PR-Agent Review
          script:
            - pip install pr-agent
            - pr-agent --pr_url="https://bitbucket.org/$BITBUCKET_WORKSPACE/$BITBUCKET_REPO_SLUG/pull-requests/$BITBUCKET_PR_ID" review
            - pr-agent --pr_url="https://bitbucket.org/$BITBUCKET_WORKSPACE/$BITBUCKET_REPO_SLUG/pull-requests/$BITBUCKET_PR_ID" improve
            - pr-agent --pr_url="https://bitbucket.org/$BITBUCKET_WORKSPACE/$BITBUCKET_REPO_SLUG/pull-requests/$BITBUCKET_PR_ID" describe

Alternatively, run PR-Agent as a Docker container:

pipelines:
  pull-requests:
    '**':
      - step:
          name: PR-Agent Review
          image: codiumai/pr-agent:latest
          script:
            - pr-agent --pr_url="https://bitbucket.org/$BITBUCKET_WORKSPACE/$BITBUCKET_REPO_SLUG/pull-requests/$BITBUCKET_PR_ID" review
          services:
            - docker

Modular commands:

PR-Agent provides several commands you can run independently or together:

/review - Performs a code review with inline comments
/improve - Suggests code improvements with concrete diffs
/describe - Generates a structured PR description with change type labels
/ask - Answer questions about the PR changes

What it does well with Bitbucket:

Full source code available - self-host with your own LLM API keys
Code never leaves your infrastructure (self-hosted mode)
Modular command system for selective analysis
Customizable through prompt engineering and configuration files
Works with any LLM provider (OpenAI, Anthropic, Azure, local models)
Supports Bitbucket Cloud natively via Pipelines

Pricing: Self-hosted is free (you pay for LLM API usage). Hosted (Qodo Merge) at $19/seat/month. Enterprise pricing is custom.

Bitbucket-specific limitations: The self-hosted version requires maintaining infrastructure and managing LLM API costs. LLM API costs can be unpredictable depending on PR volume and diff sizes. Review quality depends entirely on the underlying LLM you configure. The Bitbucket integration requires pipeline-based execution, which means reviews only run when the pipeline triggers (not instantly on PR creation like CodeRabbit or Codacy).

Bottom line: PR-Agent is the right choice for Bitbucket teams that need AI code review but cannot send code to third-party cloud services. The self-hosted deployment keeps everything on your infrastructure, and the open-source license means no vendor lock-in.

Comparison table: all 8 tools at a glance

Tool	Category	Bitbucket Cloud	Bitbucket Data Center	Integration Method	Free Tier	Starting Price	Best For
CodeRabbit	AI PR review	Yes	No	Marketplace app	Yes (unlimited)	$24/user/mo	Overall AI review
SonarQube	Static analysis	Yes	Yes (plugin)	Pipelines + plugin	Yes (Community)	~$150/yr (LOC)	Enterprise + Data Center
Semgrep	Security scanning	Yes	Via external CI	Pipelines CLI	Yes (10 devs)	$35/contributor/mo	Custom security rules
Codacy	Code quality	Yes	Yes (Self-Hosted)	Marketplace app	Yes (5 repos)	$15/user/mo	All-in-one, best value
DeepSource	Code quality + AI	Yes	No	Cloud app	Yes (individual)	$24/user/mo	Low false positives
Snyk Code	Security SAST	Yes	Yes (Enterprise)	Cloud app + Pipelines	Yes (1 user)	$25/dev/mo	Security-first teams
CodeAnt AI	AI review + security	Yes	Contact vendor	Cloud app	No	$24/user/mo	AI review + SAST bundle
PR-Agent	AI PR review (OSS)	Yes	Via external CI	Pipelines CLI	Yes (self-hosted)	$19/seat/mo (hosted)	Self-hosted AI review

Pricing comparison for Bitbucket teams

Tool	5 devs/month	20 devs/month	50 devs/month	Billing Model
CodeRabbit	$120	$480	$1,200	Per seat
SonarQube Cloud	~$65	~$260	~$650	LOC-based
Semgrep	$175	$700	$1,750	Per contributor
Codacy	$75	$300	$750	Per seat
DeepSource	$120	$480	$1,200	Per committer
Snyk Code	$125	$500	$1,250+	Per dev
CodeAnt AI (Basic)	$120	$480	$1,200	Per user
PR-Agent (hosted)	$95	$380	$950	Per seat
PR-Agent (self-hosted)	$0 + LLM API	$0 + LLM API	$0 + LLM API	LLM usage

Note: SonarQube's pricing is LOC-based rather than per-seat, so costs scale with codebase size. The figures above are estimates for typical repository sizes. PR-Agent self-hosted costs depend on your LLM API usage, which can range from $50-500/month depending on PR volume.

Setting up a complete Bitbucket review pipeline

Most teams benefit from combining two or three tools rather than relying on a single one. Here is a complete bitbucket-pipelines.yml that demonstrates a production-ready review pipeline combining AI review, security scanning, quality analysis, and coverage tracking.

Full pipeline example

image: node:20

definitions:
  steps:
    - step: &install-and-test
        name: Install and Test
        caches:
          - node
        script:
          - npm ci
          - npm test -- --coverage --coverageReporters=lcov
        artifacts:
          - coverage/**

    - step: &semgrep-scan
        name: Semgrep Security Scan
        image: semgrep/semgrep:latest
        script:
          - semgrep ci

    - step: &codacy-coverage
        name: Upload Coverage to Codacy
        script:
          - apt-get update && apt-get install -y curl
          - curl -Ls https://coverage.codacy.com/get.sh -o codacy-coverage-reporter.sh
          - bash codacy-coverage-reporter.sh report
              -r coverage/lcov.info
              --project-token $CODACY_PROJECT_TOKEN
              --commit-uuid $BITBUCKET_COMMIT

    - step: &snyk-scan
        name: Snyk Security Test
        script:
          - npm install -g snyk
          - snyk auth $SNYK_TOKEN
          - snyk code test --severity-threshold=high
          - snyk test --severity-threshold=high

pipelines:
  pull-requests:
    '**':
      - step: *install-and-test
      - parallel:
          - step: *semgrep-scan
          - step: *codacy-coverage
          - step: *snyk-scan

  branches:
    main:
      - step: *install-and-test
      - parallel:
          - step: *semgrep-scan
          - step: *codacy-coverage

What this pipeline does

Install and Test - Runs your test suite with coverage generation. The coverage artifacts are passed to subsequent steps.
Semgrep Security Scan - Runs SAST scanning with Semgrep's rule packs in parallel. Fast enough (under 30 seconds for most projects) that it does not meaningfully increase pipeline time.
Upload Coverage to Codacy - Sends coverage data to Codacy for tracking and quality gate evaluation. Codacy's static analysis runs separately via webhooks, not in the pipeline.
Snyk Security Test - Runs both SAST (snyk code test) and SCA (snyk test) to check for vulnerabilities in your code and dependencies.

In this setup, CodeRabbit and Codacy's static analysis run outside the pipeline through their Bitbucket app integrations, triggered by webhooks. The pipeline handles only the tasks that require build context: running tests, generating coverage, and running CLI-based security scanners.

Required repository variables

For this pipeline to work, set these repository variables in Bitbucket under Repository settings > Repository variables:

Variable	Tool	Secured
`SEMGREP_APP_TOKEN`	Semgrep	Yes
`CODACY_PROJECT_TOKEN`	Codacy	Yes
`SNYK_TOKEN`	Snyk	Yes

Enforcing review gates before merge

To make these checks mandatory, configure branch restrictions in Bitbucket:

Go to Repository settings > Branch restrictions
Add a restriction for your main branch
Enable Require passing builds before merging
Optionally set Minimum number of approvals to require human review alongside automated checks

With this configuration, a PR cannot be merged until all pipeline steps pass (Semgrep, Snyk, coverage upload) and the webhook-based checks (Codacy analysis, CodeRabbit review) report a successful status.

Decision framework: which tools should you choose?

The right combination depends on your team size, security requirements, and whether you are on Bitbucket Cloud or Data Center.

Bitbucket Cloud teams (under 10 developers)

Recommended: CodeRabbit (free) + Semgrep (free for 10 contributors)

This combination gives you AI-powered code review on every PR plus security scanning with zero cost. CodeRabbit handles the review feedback and suggestions, while Semgrep catches security vulnerabilities in your pipeline. Both have generous free tiers that cover small teams completely.

If you also need code quality tracking and coverage metrics, add Codacy's free tier (up to 5 repositories).

Bitbucket Cloud teams (10-50 developers)

Recommended: CodeRabbit ($24/user/mo) + Codacy ($15/user/mo)

CodeRabbit provides AI-powered review while Codacy handles quality gates, coverage tracking, and security scanning across 49 languages. The combined cost of $39/user/month gives you comprehensive coverage that would require three or four separate tools otherwise.

For teams with elevated security requirements, add Snyk Code ($25/dev/month) for deeper SAST analysis with interfile taint tracking.

Bitbucket Data Center teams

Recommended: SonarQube (self-hosted) + Semgrep (via Jenkins/Bamboo)

SonarQube is the only tool on this list with a native Bitbucket Data Center plugin for PR decoration. Its quality gates and compliance reporting make it essential for enterprise teams. Add Semgrep for fast security scanning in your CI pipeline - it works identically in Jenkins, Bamboo, or any other CI system.

If your Data Center team needs AI-powered review, deploy PR-Agent self-hosted and configure it to run in your CI pipeline with your own LLM API keys. This keeps all code on your infrastructure.

Budget-constrained teams

Recommended: PR-Agent self-hosted (free) + SonarQube Community Build (free) + Semgrep (free for 10 contributors)

This combination costs nothing for tool licenses. PR-Agent provides AI review (you pay only for LLM API usage), SonarQube Community Build provides quality analysis (without PR decoration), and Semgrep handles security scanning. The main tradeoff is the lack of PR decoration from SonarQube's free tier, which means developers need to check the SonarQube dashboard rather than seeing results inline on PRs.

Security-first teams

Recommended: Snyk Code ($25/dev/mo) + Semgrep ($35/contributor/mo) + CodeRabbit (free)

Snyk Code provides the deepest vulnerability analysis with interfile taint tracking. Semgrep adds custom rule capabilities and fast pipeline scanning. CodeRabbit's free tier handles general code review. This combination covers security scanning, custom security rules, and AI-powered review feedback.

Best practices for Bitbucket code review

1. Use both app-based and pipeline-based tools

App-based tools (CodeRabbit, Codacy, DeepSource) provide instant feedback via webhooks the moment a PR is opened. Pipeline-based tools (Semgrep, SonarQube, Snyk) run as part of your build and can access build context like coverage data and compiled artifacts. Use both types for comprehensive coverage.

2. Keep pipeline scan times under 5 minutes

Developers stop paying attention to automated feedback when it takes 15 minutes to arrive. Configure your security scanners to run diff-aware scans on PRs (scan only changed files) rather than full-repository scans. Semgrep's diff-aware mode and Snyk's PR-level scanning both support this out of the box.

3. Set quality gates that start lenient and tighten over time

Do not start with zero-tolerance quality gates on day one. Begin with thresholds that your existing code already passes, then ratchet them tighter over sprints. For example, start by requiring zero new critical security findings and no coverage decrease. Once the team is comfortable, add thresholds for complexity and duplication.

4. Store all tokens as secured repository variables

Every tool in this guide requires an API token. Store these as secured repository variables in Bitbucket under Repository settings > Repository variables. Secured variables are masked in pipeline logs and cannot be read by forks, preventing accidental credential exposure.

5. Use parallel pipeline steps to reduce total build time

Bitbucket Pipelines supports parallel step execution. Run independent tools (Semgrep, Snyk, coverage upload) in parallel rather than sequentially. This reduces your total pipeline time to the duration of the slowest tool rather than the sum of all tools.

pipelines:
  pull-requests:
    '**':
      - step:
          name: Build and Test
          script:
            - npm ci && npm test -- --coverage
          artifacts:
            - coverage/**
      - parallel:
          - step:
              name: Semgrep
              image: semgrep/semgrep:latest
              script:
                - semgrep ci
          - step:
              name: Snyk
              script:
                - npx snyk code test
          - step:
              name: Coverage Upload
              script:
                - curl -Ls https://coverage.codacy.com/get.sh | bash -s report -r coverage/lcov.info

6. Configure default reviewers alongside automated tools

Automated tools catch mechanical issues - null safety, security vulnerabilities, style violations. Human reviewers catch architectural concerns, business logic errors, and design problems. Configure Bitbucket's default reviewers to ensure every PR gets human eyes in addition to automated analysis. The best workflow is to let automated tools handle the first pass so human reviewers can focus on higher-level concerns.

7. Use merge checks to enforce review completion

Configure Bitbucket's branch restrictions to require both passing pipeline builds and minimum reviewer approvals before a PR can be merged. This ensures that neither automated checks nor human review can be bypassed, creating a complete quality gate at the merge point.

8. Review tool noise regularly and tune configurations

Set a monthly calendar reminder to review the comments your automated tools are generating. If developers are consistently dismissing comments from a specific tool or rule, that is a signal to tune the configuration. Disable noisy rules, adjust severity thresholds, and add tool-specific ignore patterns for known false positives. A tool that generates 100 comments per PR is worse than one that generates 5 high-signal ones.

Final verdict

For most Bitbucket Cloud teams, the combination of CodeRabbit (AI review) and Codacy (quality gates and coverage) provides the best starting point. Both install as Bitbucket apps in under 5 minutes, both have free or affordable tiers, and together they cover the full spectrum from AI-powered feedback to deterministic quality enforcement.

For Bitbucket Data Center teams, SonarQube is the non-negotiable foundation. It is the only tool with deep Data Center integration, and its quality gates and compliance reporting are essential for enterprise workflows. Add Semgrep for fast security scanning in your CI pipeline and PR-Agent (self-hosted) if you want AI review without sending code to external services.

The tools are not the bottleneck. The bottleneck is getting your team to act on the feedback. Start with one or two tools, configure them to produce only high-confidence findings, and expand coverage once your team trusts the automation. A tool that developers actually read is worth infinitely more than a comprehensive scanner that everyone ignores.

Frequently Asked Questions

What is the best code review tool for Bitbucket?

CodeRabbit provides the most comprehensive AI code review for Bitbucket Cloud with native PR integration. For teams on Bitbucket Data Center, SonarQube offers the deepest integration through its Bitbucket plugin. Codacy is another strong option with direct Bitbucket integration for both Cloud and Data Center.

Does Bitbucket have built-in code review?

Yes. Bitbucket provides pull request reviews with inline comments, approval workflows, merge checks, default reviewers, and task tracking within PRs. Bitbucket Cloud also supports merge strategies (merge commit, squash, fast-forward) and branch permissions.

How do I automate code review in Bitbucket Pipelines?

Add review tools to your bitbucket-pipelines.yml file. For example, add a Semgrep scan step that runs on pull requests. Tools like CodeRabbit integrate as a Bitbucket app without pipeline configuration, while SonarQube and Semgrep run as pipeline steps.

What is the difference between Bitbucket Cloud, Server, and Data Center?

Bitbucket Cloud is Atlassian's hosted SaaS offering. Bitbucket Server was the self-hosted version (end-of-life February 2024). Bitbucket Data Center is the current self-hosted option for enterprises requiring on-premises deployment. Tool compatibility varies — some only support Cloud, others support Data Center as well.

Originally published at aicodereview.cc