Bitbucket sometimes categorizes new files as UPDATEs rather than ADDs, which causes the security hook to miscategorize those changes for scanning.
Steps to reproduce:
Make sure hook is on at all levels.
Push a repository.
Add a new file with a vulnerability. Mine looked like this:
diff --git a/src/main/java/com/mohamicorp/bitbucket/commitgraph/servlet/add_file b/src/main/java/com/mohamicorp/bitbucket/commitgraph/servlet/add_file
new file mode 100644
@@ -0,0 +1,3 @@
+const AWSSECRET = \"7CE556A3BC234CC1FF9E8A5C324C0BB70AA21B6D\"
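Review bot: the hunk header `@@ -0,0 +1,3 @@` declares three added lines but only one `+` line follows, so the reproduction diff appears truncated; please paste the complete hunk, and unescape the `\"` quotes (they suggest the text was copied from a JSON-encoded source), so the expected detection can be checked against the exact file content. Independently of the ADD/UPDATE label Bitbucket assigns, the `-0,0` old range and the `new file mode 100644` header both identify a brand-new file, which the hook could use as a fallback when deciding how to scan the change.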
Push the change, and you'll see it go through when it shouldn't.
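The following is an added example, not the hook's own code, showing how a scanner can avoid depending on the change-type label at all: it scans every added line and derives "new file" from the diff itself (the `new file mode` header or a `-0,0` old range). The diff text and the secret pattern are constructed for illustration; the real hook's detection rules and API are not assumed.

```python
import re

# Unified-diff hunk header: @@ -old_start[,old_count] +new_start[,new_count] @@
HUNK_RE = re.compile(r'^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@')
# Hypothetical rule: a 40-hex-char literal assigned to a name containing SECRET.
SECRET_RE = re.compile(r'SECRET\s*=\s*["\']([0-9A-Fa-f]{40})["\']')

# Constructed sample: one brand-new file and one modified file, both adding a secret-like literal.
SAMPLE_DIFF = """diff --git a/src/add_file b/src/add_file
new file mode 100644
@@ -0,0 +1,1 @@
+const AWSSECRET = "0000000000000000000000000000000000000000"
diff --git a/src/old_file b/src/old_file
@@ -1,2 +1,3 @@
 const X = 1
+const OTHERSECRET = "1111111111111111111111111111111111111111"
 const Y = 2
"""

def parse_diff(text):
    """Split a unified diff into per-file records: path, new-file evidence, added lines."""
    files, cur = [], None
    for line in text.splitlines():
        if line.startswith("diff --git "):
            cur = {"path": line.split(" b/", 1)[1], "new_file_header": False,
                   "old_range_empty": False, "added": []}
            files.append(cur)
        elif cur is None:
            continue
        elif line.startswith("new file mode"):
            cur["new_file_header"] = True
        elif line.startswith("@@"):
            m = HUNK_RE.match(line)
            # "-0,0" means the old side has no lines: the file did not exist before.
            if m and m.group(1) == "0" and (m.group(2) or "1") == "0":
                cur["old_range_empty"] = True
        elif line.startswith("+") and not line.startswith("+++"):
            cur["added"].append(line[1:])
    return files

def effective_change_type(rec, reported_type):
    """Prefer the diff's own evidence of a new file over the type reported by the platform."""
    return "ADD" if rec["new_file_header"] or rec["old_range_empty"] else reported_type

def scan(text, reported_types):
    """Return (path, effective type, added-line index) for every added line matching SECRET_RE."""
    findings = []
    for rec in parse_diff(text):
        ctype = effective_change_type(rec, reported_types.get(rec["path"], "UPDATE"))
        for n, content in enumerate(rec["added"], 1):
            if SECRET_RE.search(content):
                findings.append((rec["path"], ctype, n))
    return findings
```

Even when the platform reports `src/add_file` as UPDATE, the scan still classifies it as ADD and flags the added literal.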