We should audit all ScriptRunner items when they are added, deleted and updated (not when they are run). If an item is configured from the repository settings, we should log the project and repo it applies to, so that it appears in the UI and in the audit log file. We should log the type of change (add, delete, update) and all the script params.
If it's configured at the admin level, we should log it only to the audit log file, along with what it applies to (All projects, All repos, rep_1 or Project_2), because if the user has selected all repositories we would otherwise have to write potentially 1000s of entries to the audit log, one for each repository.
We should implement it by using the com.atlassian.bitbucket.event.annotation.Audited annotation on custom audit events that we create and then publish, so Bitbucket takes care of the logging.
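A sketch of the repository-level case described above, added here as an illustration and not taken from the ScriptRunner code base. It assumes the Bitbucket Server audit API in `com.atlassian.bitbucket.audit` and needs that API on the classpath; `ScriptConfigAudit`, `RepoScriptChangedEvent`, `ChangeType`, `Converter` and the format of the details string are hypothetical.

```java
// Added illustration: every name except the Bitbucket API types is hypothetical.
import com.atlassian.bitbucket.audit.AuditEntry;
import com.atlassian.bitbucket.audit.AuditEntryBuilder;
import com.atlassian.bitbucket.audit.AuditEntryConverter;
import com.atlassian.bitbucket.audit.Channels;
import com.atlassian.bitbucket.audit.Priority;
import com.atlassian.bitbucket.event.annotation.Audited;
import com.atlassian.bitbucket.event.repository.RepositoryEvent;
import com.atlassian.bitbucket.repository.Repository;
import java.util.Map;
import java.util.TreeMap;

public final class ScriptConfigAudit {
    public enum ChangeType { ADD, UPDATE, DELETE }

    // Published through EventPublisher.publish(...) when an item is saved or
    // removed from repository settings, never when the script itself runs.
    @Audited(converter = Converter.class, channels = {Channels.REPOSITORY_UI}, priority = Priority.HIGH)
    public static class RepoScriptChangedEvent extends RepositoryEvent {
        private final ChangeType change;
        private final String scriptName;
        private final Map<String, String> params;

        public RepoScriptChangedEvent(Object source, Repository repo, ChangeType change,
                                      String scriptName, Map<String, String> params) {
            super(source, repo);
            this.change = change;
            this.scriptName = scriptName;
            this.params = new TreeMap<>(params); // sorted copy gives stable audit output
        }
    }

    // Bitbucket calls the converter to turn the published event into an audit entry.
    public static class Converter implements AuditEntryConverter<RepoScriptChangedEvent> {
        @Override
        public AuditEntry convert(RepoScriptChangedEvent e, AuditEntryBuilder builder) {
            Repository repo = e.getRepository();
            return builder.action(e.getClass())
                    .timestamp(e.getDate())
                    .user(e.getUser())
                    .project(repo.getProject())
                    .repository(repo)
                    .target(repo.getProject().getKey() + "/" + repo.getSlug())
                    .details("script=" + e.scriptName + " change=" + e.change + " params=" + e.params)
                    .build();
        }
    }
}
```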
For built-in scripts, we should exclude particular ones, like mirroring and list repo sizes, which do not change repositories. Other built-in scripts, like switch user, should be audit logged when they are run.
Some work has already been done for putting the infrastructure in place for audit logging in SRPLAT-24. So we can reuse that and inside the audit log service publish our custom audit log events.