Bitbucket Server AI Code Review
Setup Guide for Enterprise Teams

Use BYOK for Cost Control and Privacy

Bring Your Own Key (BYOK) means using your own API keys from Anthropic, Google, or OpenAI. Benefits:

• Privacy: Code goes directly to your AI provider, not stored by Git AutoReview
• Cost control: Pay only for actual usage (typical cost: $0.50-$2.00 per review)
• No vendor lock-in: Switch AI providers anytime without changing tools
• Compliance: Easier to meet SOC 2, ISO 27001, GDPR requirements

Choose the Right AI Model

Different models excel at different tasks:

• Claude (Anthropic): Best for complex codebases and architectural reviews. Excellent at understanding context. Slightly slower but higher quality.
• Gemini (Google AI): Good balance of speed and quality. Strong on newer frameworks and libraries.
• GPT (OpenAI): Fast and broad language support. Good for quick feedback loops.

Pro tip: Run multiple models in parallel and compare results. Git AutoReview shows side-by-side comparisons so you can approve the best suggestions from each model.

Configure Review Scope

Tailor what AI reviews:

• File types: Include/exclude by extension (.js, .py, .java, etc.)
• Directories: Skip test files, generated code, vendor dependencies
• PR size limits: Skip very large PRs (1000+ line changes) to save costs
• Review focus: Prioritize security, bugs, performance, or style

Set Up Team Conventions

Establish team-wide standards for using AI review:

• When to use AI review (all PRs vs critical PRs only)
• Who reviews AI suggestions (PR author vs dedicated reviewer)
• How to handle disagreements with AI (always human decision wins)
• What feedback is "noise" vs valuable (calibrate over time)

Data Privacy with BYOK

With BYOK (Bring Your Own Key), your code is sent directly to your AI provider:

• Anthropic (Claude): Enterprise privacy policy, no training on customer data
• Google AI (Gemini): Google Cloud privacy terms apply
• OpenAI (GPT): Enterprise agreement available, opt-out of training

Git AutoReview does not store, log, or train on your code. It passes code directly from VS Code to your AI provider and back.

Firewall and Network Requirements

For Bitbucket Server/Data Center deployments, whitelist these outbound HTTPS endpoints:

No inbound connections required. Git AutoReview only makes outbound calls. Your Bitbucket instance doesn't need to be publicly accessible.

Compliance Framework Support

Git AutoReview supports common enterprise compliance requirements:

• SOC 2 Type II: With BYOK, data flows to SOC 2-certified AI providers (Anthropic, Google, OpenAI). Human-in-the-loop prevents automated changes.
• ISO 27001: BYOK ensures code processing happens at certified providers. No code storage reduces information security risk.
• GDPR: Code review doesn't typically involve personal data. If it does (e.g., customer names in test data), ensure your AI provider has GDPR-compliant DPA.
• HIPAA: For healthcare teams, use Anthropic or Google AI with BAA (Business Associate Agreement). Avoid OpenAI for PHI unless covered by enterprise agreement.

Access Control Best Practices

• Use Personal Access Tokens with minimal required permissions (REPO_READ, REPO_WRITE)
• Rotate tokens quarterly or when team members leave
• Store tokens securely (VS Code secure storage, not in source control)
• Audit who has Git AutoReview access (matches Bitbucket repository access)

Pre-Deployment

• Verify Bitbucket platform (Server, Data Center, or Cloud)
• Check security/compliance approval for AI code review
• Choose AI provider (Anthropic, Google, or OpenAI)
• Obtain API keys or budget for included credits
• Whitelist AI provider endpoints in firewall (Server/DC only)

Initial Setup

• Install Git AutoReview VS Code extension on pilot team's machines
• Configure Bitbucket connection (Server URL or Cloud OAuth)
• Generate and securely store Personal Access Tokens (Server/DC)
• Add AI API keys or configure included credits
• Test connection on a sample pull request

Pilot Phase

• Run AI reviews on 10-20 PRs to calibrate quality
• Collect feedback from pilot team on AI suggestions
• Adjust review scope (file types, directories to include/exclude)
• Document team conventions for AI review usage
• Measure time savings and bug catch rate

Full Rollout

• Train entire engineering team on Git AutoReview workflow
• Set up team subscription (Team or Enterprise plan)
• Roll out to all repositories or selected high-priority repos
• Monitor usage and feedback in first 30 days
• Iterate on configuration based on team feedback

Ongoing Maintenance

• Rotate Personal Access Tokens quarterly
• Review AI API usage and costs monthly
• Update team conventions as AI models improve
• Audit access when team members change
• Stay updated on Git AutoReview feature releases

Does Git AutoReview work with Bitbucket Server?

Yes. Git AutoReview supports Bitbucket Server until your migration is complete. Since Bitbucket Server reached end of life in February 2024, we recommend migrating to Bitbucket Cloud or Data Center soon. Git AutoReview works with all three platforms.

What happens after Bitbucket Server end of life?

Atlassian stopped releasing updates, bug fixes, and security patches for Bitbucket Server in February 2024. Your instance still runs, but you won't get security updates, making it increasingly risky. Atlassian recommends migrating to Cloud or Data Center. Git AutoReview continues to work with Server instances during your migration period.

Is AI code review secure for enterprise use?

Yes, when implemented correctly. Git AutoReview uses BYOK (Bring Your Own Key), meaning your code is sent directly to your chosen AI provider (Anthropic, Google, or OpenAI) — not stored on third-party servers. With Data Center deployments, you control the entire infrastructure. Human-in-the-loop approval ensures no AI suggestions reach your PRs without review.

Can I use my own API keys with Bitbucket?

Yes! Git AutoReview supports BYOK (Bring Your Own Key) for Claude (Anthropic), Gemini (Google AI), and GPT (OpenAI) on all plans. This gives you full cost control and ensures your code goes directly to your AI provider. No code is stored by Git AutoReview.

Does Git AutoReview support Bitbucket Data Center?

Yes. Git AutoReview fully supports Bitbucket Data Center, including on-premise deployments, custom authentication (SSO, LDAP), and network configurations. It works behind firewalls and integrates with your existing Atlassian stack (Jira, Confluence).

What's the difference between Bitbucket Cloud and Data Center?

Cloud is Atlassian's SaaS offering (hosted by them). Data Center is self-managed enterprise software you host on your infrastructure. Cloud is simpler but less customizable. Data Center gives you full control, supports plugins, and meets strict data residency requirements. Git AutoReview works with both.

How do I migrate from Bitbucket Server to Data Center?

Use Atlassian's official migration tools. Export your Server data, provision Data Center infrastructure, import the data, and test. Git AutoReview works throughout the migration — configure it for Server initially, then update the connection to Data Center after migration. The review workflow stays the same.

Can AI code review work behind a corporate firewall?

Yes. Git AutoReview only requires outbound HTTPS connections to AI providers (Anthropic, Google, OpenAI). No inbound connections needed. Whitelist these API endpoints in your firewall: api.anthropic.com, generativelanguage.googleapis.com, api.openai.com. Works with proxy servers and VPN configurations.