
Bitbucket


Enabling Boost advisor


The Boost advisor lets you work through your findings backlog more easily and faster. With it, the AppSec team can start remediation of a finding directly from the Boost finding view.

The following describes how to set it up on Bitbucket SCM.

  1. Go to the .boost repository.
  2. Edit the bitbucket-pipelines.yml to include the following (note that `definitions` and `pipelines` are both top-level keys):

    definitions:
      services:
        docker:
          memory: 3072

    # Custom pipelines are only triggered manually or via the API,
    # which is how the Boost backend launches them.
    pipelines:
      custom:
        boost-scanner:
          - variables:
              - name: BOOST_JOB_NAME
              - name: BOOST_TRIGGER_ID
          - step:
              name: Run Boost Scanner
              clone:
                depth: 1
              services:
                - docker
              script:
                - pipe: docker://public.ecr.aws/boostsecurityio/boost-scanner-bitbucket:v4
                  variables:
                    BOOST_API_TOKEN: "${BOOST_API_TOKEN}"
                    BOOST_TRIGGER_ID: "${BOOST_TRIGGER_ID}"

        boost-advisor:
          - variables:
              - name: BOOST_ADVISOR_PAYLOAD
          - step:
              name: Run Boost Advisor
              image: atlassian/default-image:5
              script:
                # Script lines of one step share a shell, so the export is
                # visible to the advisor invocation below.
                - export BOOST_API_KEY="$BOOST_API_TOKEN"
                - curl -sSL https://assets.build.boostsecurity.io/boost-advisor/get-boost-advisor | sh
                - printf '%s' "$BOOST_ADVISOR_PAYLOAD" | /tmp/boost-advisor/latest -

    
  3. Create the Bitbucket access token

    1. Go to the target organization → Organization settings → Access tokens.
    2. Click Create Access Token and apply the following scopes (repository:write, pullrequest:write).
  4. Add the secrets to the .boost repository

    Open Repository settings → Pipelines → Repository variables and add the variables below. Mark them as Secured.

    Variable Name      Value
    BOOST_SCM_TOKEN    Workspace or repository access token
    BOOST_LLM_MODEL    LLM model identifier
    BOOST_LLM_KEY      LLM provider API key

    Note

    BOOST_API_TOKEN is provisioned automatically by ZTP and does not need to be added manually.


Manual security scans


Scanning steps can be added to your Bitbucket pipeline. For example:

        - step:
            name: Boost Security Semgrep
            script:
              - pipe: docker://public.ecr.aws/boostsecurityio/boost-scanner-bitbucket:v4
                variables:
                  BOOST_API_TOKEN: $BOOST_API_TOKEN
                  BOOST_SCANNER_REGISTRY_MODULE: "boostsecurityio/semgrep"

The environment variable BOOST_API_TOKEN is the API token created from the dashboard Settings Page. The variable BOOST_SCANNER_REGISTRY_MODULE specifies the scanner to execute from the module registry. Multiple scanners can be configured in the pipeline as required.

Note

The required environment variables, such as $BOOST_API_TOKEN, need to be added to workspace or repository variables. For example, workspace variables would be added at location https://bitbucket.org/<workspace-slug>/workspace/settings/addon/admin/pipelines/account-variables, and repository variables would be added at location https://bitbucket.org/<workspace-slug>/<repository-slug>/admin/addon/admin/pipelines/repository-variables.

Scanner steps can be configured for both the main branch and the pull-request flow. The example below runs scanners on the main branch as well as on pull requests:

pipelines:
  branches:
    main:
      - parallel:
        - step:
            name: Boost Security Semgrep
            script:
              - pipe: docker://public.ecr.aws/boostsecurityio/boost-scanner-bitbucket:v4
                variables:
                  BOOST_API_TOKEN: $BOOST_API_TOKEN
                  BOOST_SCANNER_REGISTRY_MODULE: "boostsecurityio/semgrep"

        - step:
            name: SBOM
            script:
              - pipe: docker://public.ecr.aws/boostsecurityio/boost-scanner-bitbucket:v4
                variables:
                  BOOST_API_TOKEN: $BOOST_API_TOKEN
                  BOOST_SCANNER_REGISTRY_MODULE: "boostsecurityio/trivy-sbom"

  pull-requests:
    '**':
      - parallel:
        - step:
            name: Boost Security Semgrep
            script:
              - pipe: docker://public.ecr.aws/boostsecurityio/boost-scanner-bitbucket:v4
                variables:
                  BOOST_API_TOKEN: $BOOST_API_TOKEN
                  BOOST_SCANNER_REGISTRY_MODULE: "boostsecurityio/semgrep"
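Both the advisor setup above and the manual scan steps pass secrets into a pipe through a `variables:` block, and both depend on `pipelines:` being a top-level key. The checker below, an added example that is not Boost's or Bitbucket's code, flags a pipe variable named like a secret whose value is a literal instead of a `$VAR` / `"${VAR}"` reference to a Secured repository variable, and flags a `pipelines:` key that has been indented under `definitions:`. It reads the file line by line instead of using a YAML library so it runs on a plain Python install; the two sample configurations embedded in it are constructed for this example, and the token value in the bad sample is a placeholder, not a real credential.

```python
"""Lint a bitbucket-pipelines.yml for two mistakes that break or weaken
Boost scanner steps: a secret pasted as a literal into a pipe's
`variables:` block, and a `pipelines:` key nested under `definitions:`.

Line-based on purpose (no PyYAML dependency); good enough for the shape
of configuration shown on this page.
"""
import re

# Pipe variables whose name ends like this must be environment references.
SECRET_KEY_RE = re.compile(r"(TOKEN|KEY|SECRET|PASSWORD)$")
# A bare `$NAME` or `${NAME}`, optionally quoted, and nothing else.
VAR_REF_RE = re.compile(r'^["\']?\$\{?[A-Za-z_][A-Za-z0-9_]*\}?["\']?$')
# `key: value` with an optional leading list dash.
KV_RE = re.compile(r"^(\s*)(-\s+)?([A-Za-z_][A-Za-z0-9_\-]*):\s*(.*?)\s*$")


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def lint_pipeline(text: str) -> list[str]:
    """Return human-readable findings; an empty list means the file is clean."""
    findings = []
    top_level = {}          # "definitions" / "pipelines" -> indent of first occurrence
    in_variables_at = None  # indent of the pipe `variables:` block we are inside

    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = KV_RE.match(line)
        if not m:
            continue  # shell commands under `script:` and other non key/value lines
        indent = _indent(line)
        dash, key, value = m.group(2), m.group(3), m.group(4)

        # Back at or above the block's own indent means we have left it.
        if in_variables_at is not None and indent <= in_variables_at:
            in_variables_at = None

        if key in ("definitions", "pipelines"):
            top_level.setdefault(key, indent)

        # `- variables:` (with a dash) declares custom-pipeline inputs, which is
        # fine; a dash-less `variables:` is the pipe's own input map.
        if key == "variables" and value == "" and dash is None:
            in_variables_at = indent
            continue

        if in_variables_at is not None and value and SECRET_KEY_RE.search(key):
            if not VAR_REF_RE.match(value):
                findings.append(
                    f"line {lineno}: {key} is a literal value; "
                    "reference a Secured repository variable instead"
                )

    if {"definitions", "pipelines"} <= top_level.keys():
        if top_level["pipelines"] > top_level["definitions"]:
            findings.append(
                "'pipelines:' is indented under 'definitions:'; it must be a top-level key"
            )
    return findings


# Constructed sample: correct shape, secrets referenced by name.
GOOD_PIPELINE = """definitions:
  services:
    docker:
      memory: 3072

pipelines:
  custom:
    boost-scanner:
      - variables:
          - name: BOOST_TRIGGER_ID
      - step:
          name: Run Boost Scanner
          script:
            - pipe: docker://public.ecr.aws/boostsecurityio/boost-scanner-bitbucket:v4
              variables:
                BOOST_API_TOKEN: "${BOOST_API_TOKEN}"
                BOOST_TRIGGER_ID: "${BOOST_TRIGGER_ID}"
"""

# Constructed sample: `pipelines:` nested under `definitions:` and a token
# pasted in as a literal (placeholder value, not a real credential).
BAD_PIPELINE = """definitions:
  services:
    docker:
      memory: 3072

  pipelines:
    custom:
      boost-scanner:
        - step:
            name: Run Boost Scanner
            script:
              - pipe: docker://public.ecr.aws/boostsecurityio/boost-scanner-bitbucket:v4
                variables:
                  BOOST_API_TOKEN: "literal-token-PLACEHOLDER"
                  BOOST_SCANNER_REGISTRY_MODULE: "boostsecurityio/semgrep"
"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_PIPELINE), ("bad", BAD_PIPELINE)):
        print(name, lint_pipeline(cfg) or "clean")
```

Run it against a real file with `lint_pipeline(open("bitbucket-pipelines.yml").read())`; a non-empty result on the bad sample shows the literal token on line 14 and the nested `pipelines:` key, while the good sample comes back clean.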