Check out what’s new for ScriptRunner for BitBucket Server.


Audit Logging Enhancements

This release includes enhancements to audit logging for users who are running Bitbucket 7.

The most notable change is that audit entries now show individual changed/created configuration parameters, in the past the audit entry only contained a JSON representation of the changed/created parameters, which was difficult to read.

In addition to the above, audit entries from ScriptRunner are now in their own audit category, this means you can filter the audit entries to only show entries generated from ScriptRunner.

bitbucket audit log

New Features

  • SRBITB-861 - Added support for new auditing API.

Bug Fixes

  • SRPLAT-1221 - Bitbucket/Confluence/Jira is no longer prevented from correctly shutting down when ScriptRunner is installed.


Bug Fixes

  • SRPLAT-1319 - Custom scripts returning String from getHelpUrl() did not work.

  • SRPLAT-1313 - Script configurations can now be saved with a blank inline script.

  • SRBITB-863 - A NoClassDefFoundError occured when iterating rawCommits in script binding.


Ceasing Development on Bitbucket 5

We are no longer developing new features for ScriptRunner versions running on Bitbucket 5. See our Bitbucket 5 Development statement for more information.

Bug Fixes

  • SRBITB-853 - Calls to mergeRequest#veto in merge check conditions were ignored.

  • SRBITB-852 - The Console and Script Editor left menu items were visible even when a user lacked script edit permissions.

  • SRBITB-850 - The Listeners link in the Getting Started page redirected to an old URL.

  • SRBITB-774 - To avoid missing information, use /users/:username/repos endpoint for GitHub mirroring.

  • SRBITB-841 - Changeset#getChanges is now allowed in repo-level scripts.

  • SRBITB-858 - The configured triggers for pre-hooks were not checked, which caused some pre-hooks to execute when they should not have.


Repository Administrator Sandbox Escape Vulnerability

SRBITB-854 - A security vulnerability for escaping the repository administrator code sandbox has been fixed.

The vulnerability allowed a malicious repository administrator to run arbitrary code inside the instance.

This security vulnerability has been fixed in ScriptRunner for Bitbucket 6.5.2 (for Bitbucket Server 5.13+) and 6.9.2 (for Bitbucket Server 6+); it is recommended all customers upgrade to 6.5.2+ where possible.

Bug Fixes

  • SRBITB-853 - Calls to mergeRequest#veto in merge check conditions were ignored.


Bug Fixes

  • SRBITB-836 - The compilation of the Clone Repository Configuration built-in script significantly slowed down loading scripts.


Retiring Support for Internet Explorer

From Feburary 1st 2021 ScriptRunner will no longer support Internet Explorer. See our full statement for more information.

Browse Page

Use the Browse Page to search and discover ScriptRunner functionality.

Find scripts with ease by typing keywords into the search bar, or by filtering by category.

browse page

See more information in the documentation.

Script Renaming

As part of the Browse Page work above, some scripts have been renamed so that their names are clearer and more closely align with their functionality.

See below for all changes to script names:

Old script name New script name

Auto Configure Delete Branch Checkbox

Check Delete Branch Checkbox

Clone a repository

Clone repository configuration

Configure mirrored repositories

View and configure mirrored repositories

Custom event handler

Custom Listener

Custom script hook (pre-hook)

Custom pre-hook

Custom scripted post hook

Custom post-hook

Deactivate users

Run or schedule user deactivation

Max repository size notification

Run or schedule repository size limit email

Mirror Bitbucket Cloud User Or Team

Mirror Bitbucket Cloud repositories

Mirror Bitbucket Server User Or Project

Mirror Bitbucket Server repositories

Mirror GitHub Organisation

Mirror GitHub repositories

Mirror a GitLab user or group

Mirror GitLab repositories

Naming standard enforcement (listener)

Project and repository naming standards enforcement

Naming standard enforcement (pre-hook)

Branch and tag naming standards enforcement

Pull request policy advice

Respond to pushes if pull request is outdated or conflicted

Remote custom event handler dispatcher

Remote custom listener dispatcher

Require a number of approvers

Require a minimum number of approvers

Require pull request to be associated with a valid Jira issue

Require that a pull request is associated with a valid Jira issue

Send mail (job)

Run or schedule custom email

Send mail (listener)

Send custom email on event

Send mail (post-hook)

Send a mail in response to a commit push

Bug Fixes

  • SRBITB-827 - The Include Ref Prefix toggle was missing from the Naming Standard Enforcement Hook.


Asynchronous Post-Hooks

In prior versions of ScriptRunner, all post-hooks executed synchronously. This meant that some post-hook triggers, such as those for UI interaction, would not trigger ScriptRunner post-hooks. Synchronous execution can also have a performance impact to end-users because it caused pushes to be blocked until all post-hooks had completed execution.

This release adds support for asynchronous execution in custom scripted post-hooks. This is an opt-in setting because there are some differences in what is possible when executing asynchronously. For example, it is not possible to write messages to the Git Client on push when executing asynchronously.

For more information, see the asynchronous post-hooks documentation.

Admin Only Project and Repository Script Access

By default, repository and project administrators have the ability to configure/execute ScriptRunner scripts (although in a sandboxed environment, for security reasons).

Restricting access in ScriptRunner may be desirable in a highly regulated environment where a customer only wants global administrators to be able to configure hooks/listeners etc.

This release adds a toggle in the Settings tab to restrict ScriptRunner access at the repository/project level to global administrators only. Optionally, groups of users can be granted access, if desired.

System Admin Only Script Edit Permission

By default, global administrators have full access to ScriptRunner functionality, including writing custom code within scripts and executing code in the Script Console.

You may want to restrict the ability to configure/execute custom code to system administrators only.

This release adds a toggle to the Settings tab to enable script edit permission for system administrators only. When this toggle is enabled, only system administrators are able to configure scripts that allow custom code. Access to Script Console/Script Editor for non-system administrators is also prevented.

Ability to Disable Switch User Built-in Script

The Switch User built-in script allows administrator users to temporarily assume the identity of another user.

This script is enabled by default. However, if you have extremely strong compliance requirements, you may wish to disable this feature.

This release adds a toggle to the Settings tab to disable the Switch User built-in script. When the script is disabled, it is not accessible for any user (including system administrators).

For more information, see the Disable Switch User Built-in Script documentation.

Bug Fixes

  • SRPLAT-1227 - Some documentation links were missing from scripts.

  • SRBITB-814 - SendCustomEmailListener broke after selecting an event for the repository admin.

  • SRBITB-767 - The compile context for scripted merge checks did not match the runtime execution bindings.


Repository Administrator Sandbox Escape Vulnerability

  • SRBITB-854 - A security vulnerability for escaping the repository administrator code sandbox has been fixed.

The vulnerability allowed a malicious repository administrator to run arbitrary code inside the instance.

This security vulnerability has been fixed in ScriptRunner for Bitbucket 6.5.2 (for Bitbucket Server 5.13+) and 6.9.2 (for Bitbucket Server 6+); it is recommended all customers upgrade to 6.5.2+ where possible.


Remote Code Execution Vulnerability

  • SRBITB-816 - A security vulnerabilty for Remote Code Execution has been fixed.

The vulnerability allowed a malicious authenticated user to run arbitrary code inside the instance without administrative permissions.

This security vulnerability has been fixed in ScriptRunner for Bitbucket 6.5.1 / 6.5.1-p5; it is recommended all customers upgrade to 6.5.1+ where possible.


Bug Fixes

  • SRPLAT-1213 - Test on Borrow should be the default for LDAP connections.


Bug Fixes

  • SRPLAT-11 - An invalid user-configured raw XML script fragment could have prevented the ScriptRunner plugin from enabling.

  • SRBITB-781] - The Add Tasks to New Pull Request built-in event handler configuration did not deserialise properly.


Bug Fixes

  • SRPLAT-1171 - The Confluence-specific scriptMacroMetadataProvider module no longer shows up in UPM for all ScriptRunner products.

  • SRBITB-770 - The upgrade tasks and subsequent startup tasks failed to run on JDK11.

  • SRBITB-747 - The auto-configure Delete Branch checkbox was broken on Bitbucket 7.3.

  • SRBITB-768 - The existing Require a Valid Jira Issue pre-hook configurations now respond to file edit triggers.


Bug Fixes


New Features

  • SRBITB-717 - The Valid Jira Issue hook now responds to file-edit triggers.

Bug Fixes

  • SRPLAT-1139 - Compilation failures in one script caused entire features to fail.

  • SRPLAT-1131 - You now have the ability to set all Hikari pool configuration parameters when using database connections.

  • SRPLAT-1094 - Autocompletion requests failed when requesting autocomplete after typing "Check."

  • SRBITB-741 - Mandatory reviewers were not being shown with the padlock picture.

  • SRBITB-729 - The Clone Repo script produced excessive project search requests when trying to generate its parameters.


Bug Fixes

  • SRPLAT-1119 - Classes in scriptrunner-API/SPI were no longer consumable by dependent plugins.


Groovy Upgrade

The version of Groovy used by ScriptRunner has been upgraded from 2.4.15 to 2.5.11. Improvements and new features (like additional AST transformations, or the new tap() method) shipped in Groovy 2.5 are now available to ScriptRunner users. See the Groovy 2.5 Release Notes for more information.

As with any dependency upgrade, breaking changes could potentially affect users' scripts. However, the breaking changes between Groovy 2.4 and 2.5 are relatively minor. The low-level nature of most of these breaking changes means they are unlikely to impact many ScriptRunner scripts if any.

Take a look at the list of breaking changes in the Groovy 2.5 Release Notes for further details.

IntelliJ Removal

This version removes all support for the IntelliJ IDEA plugin. See our previous deprecation announcement for our rationale and plans for the future.

Deprecated Event Handler Removal

The previously deprecated Naming Standard Enforcement event handler has been removed along with its configuration in this release.

If you were previously using this event handler, you should migrate to the pre-receive hook of the same name. This hook blocks UI interactions in the same way that the event handler did.

Execution History

Use Execution History to view up to two years of execution times and failure rates of ScriptRunner scripts in your instance, allowing a long-term view of script performance.

Using the extended history, observe if a script is getting slower over time, or if slow performance correlates with specific events (such as Bitbucket or app upgrades). Execution History provides long-term analytics allowing you to develop scripts and change execution timings, to keep your instance performing at an optimal level.

Previously, viewable executions included event handlers and scheduled jobs.

Viewable executions now include pre-hooks, post-hooks, event handlers, and merge checks.

See Execution History documentation here.

Bug Fixes

  • SRPLAT-1092 - There is now DocLink support for absolute URLs.

  • SRPLAT-1084 - The autocompletion window of the Script Console now closes correctly.

  • SRBITB-718 - Jira query validation prevented the issue keys hook from working if the invoking user lacked permissions.

  • SRBITB-684 - Require Valid Jira Issue merge check/pre-hook was updated to check Jira issue keys case insensitively.

  • SRBITB-724 - Execution history was added for repository-level pre-hooks, post-hooks, merge checks, and event listeners.

  • SRBITB-691 - The BranchAndTagNamingRuleEnforcer event handler was removed.

  • SRBITB-635 - Execution history was added for administration-level pre-hooks, post-hooks, merge checks, and event listeners.

  • SRBITB-633 - Auditing of built-in script execution was added.

  • SRBITB-731 - You are now allowed to configure event handlers to respond to any implementation of RepositoryRefsChangedEvent.

Have questions? Visit the Atlassian Community to connect, share, and learn with other Atlassian users and experts, including Adaptavist staff.

Ask a question about ScriptRunner for JIRA, Bitbucket Server, or Confluence.

Want to learn more? Check out courses on Adaptavist Learn, an online platform to onboard and train new users for Atlassian solutions.