# Bitbucket Pipelines
Scanning steps can be added to your Bitbucket pipeline. For example, a scanning step can be added as follows:
```yaml
- step:
    name: BoostSecurity Semgrep
    script:
      - pipe: docker://public.ecr.aws/boostsecurityio/boost-scanner-bitbucket:v4
        variables:
          BOOST_API_TOKEN: $BOOST_API_TOKEN
          BOOST_SCANNER_REGISTRY_MODULE: "boostsecurityio/semgrep"
```
`BOOST_API_TOKEN` is the API token created from the dashboard Settings page. The variable `BOOST_SCANNER_REGISTRY_MODULE` specifies the scanner to execute from the module registry. Multiple scanners can be configured in the pipeline as required.
Note

The required environment variables, such as `$BOOST_API_TOKEN`, need to be added to workspace or repository variables. For example, workspace variables would be added at `https://bitbucket.org/<workspace-slug>/workspace/settings/addon/admin/pipelines/account-variables`, and repository variables would be added at `https://bitbucket.org/<workspace-slug>/<repository-slug>/admin/addon/admin/pipelines/repository-variables`.
Scanner steps can be configured for both the main branch and the pull-request flow. The example below shows steps for running scanners on the main branch as well as in pull requests:
```yaml
pipelines:
  branches:
    main:
      - parallel:
          - step:
              name: BoostSecurity Semgrep
              script:
                - pipe: docker://public.ecr.aws/boostsecurityio/boost-scanner-bitbucket:v4
                  variables:
                    BOOST_API_TOKEN: $BOOST_API_TOKEN
                    BOOST_SCANNER_REGISTRY_MODULE: "boostsecurityio/semgrep"
          - step:
              name: SBOM
              script:
                - pipe: docker://public.ecr.aws/boostsecurityio/boost-scanner-bitbucket:v4
                  variables:
                    BOOST_API_TOKEN: $BOOST_API_TOKEN
                    BOOST_SCANNER_REGISTRY_MODULE: "boostsecurityio/trivy-sbom"
  pull-requests:
    '**':
      - parallel:
          - step:
              name: BoostSecurity Semgrep
              script:
                - pipe: docker://public.ecr.aws/boostsecurityio/boost-scanner-bitbucket:v4
                  variables:
                    BOOST_API_TOKEN: $BOOST_API_TOKEN
                    BOOST_SCANNER_REGISTRY_MODULE: "boostsecurityio/semgrep"
```
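Because the scanner pipe is configured the same way in every step, a small lint over the pipeline file catches the common misconfigurations before a run: a `BOOST_API_TOKEN` pasted in as a literal instead of a `$VARIABLE` reference (which would commit the secret), a missing `BOOST_SCANNER_REGISTRY_MODULE`, and an unpinned pipe image. This is an added example, not BoostSecurity's own tooling; it assumes the file has already been loaded with `yaml.safe_load`, and the nested dict below is a constructed stand-in for that result.

```python
"""Lint BoostSecurity scanner pipe steps in a parsed bitbucket-pipelines.yml."""
from typing import Any, Iterator, List

BOOST_PIPE_PREFIX = "docker://public.ecr.aws/boostsecurityio/boost-scanner-bitbucket"


def iter_steps(node: Any) -> Iterator[dict]:
    """Yield every `step` mapping anywhere under the pipelines tree (branches,
    pull-requests, parallel groups, ...)."""
    if isinstance(node, dict):
        if isinstance(node.get("step"), dict):
            yield node["step"]
        for value in node.values():
            yield from iter_steps(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_steps(item)


def lint_boost_steps(pipelines: dict) -> List[str]:
    """Return one finding per misconfigured boost-scanner-bitbucket pipe."""
    findings: List[str] = []
    for step in iter_steps(pipelines):
        name = step.get("name", "<unnamed>")
        for item in step.get("script", []):
            if not isinstance(item, dict) or not str(item.get("pipe", "")).startswith(BOOST_PIPE_PREFIX):
                continue  # a plain shell command or some other pipe
            variables = item.get("variables") or {}
            token = variables.get("BOOST_API_TOKEN")
            if ":" not in item["pipe"].rsplit("/", 1)[-1]:  # no `:vN` tag on the image
                findings.append(f"{name}: pipe image is not pinned to a version tag")
            if token is None:
                findings.append(f"{name}: BOOST_API_TOKEN is missing")
            elif not str(token).startswith("$"):  # a literal token is a secret in source control
                findings.append(f"{name}: BOOST_API_TOKEN is a literal value, not a variable reference")
            if not variables.get("BOOST_SCANNER_REGISTRY_MODULE"):
                findings.append(f"{name}: BOOST_SCANNER_REGISTRY_MODULE is missing")
    return findings


# Constructed sample: what yaml.safe_load would return for a file with one good step and one bad step.
SAMPLE_PIPELINES = {"pipelines": {"branches": {"main": [{"parallel": [
    {"step": {"name": "BoostSecurity Semgrep", "script": [{
        "pipe": BOOST_PIPE_PREFIX + ":v4",
        "variables": {"BOOST_API_TOKEN": "$BOOST_API_TOKEN",
                      "BOOST_SCANNER_REGISTRY_MODULE": "boostsecurityio/semgrep"}}]}},
    {"step": {"name": "SBOM", "script": [{
        "pipe": BOOST_PIPE_PREFIX,  # unpinned
        "variables": {"BOOST_API_TOKEN": "hardcoded-token-value"}}]}},  # literal, module missing
]}]}}}

if __name__ == "__main__":
    for finding in lint_boost_steps(SAMPLE_PIPELINES):
        print(finding)
```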