
Bitbucket Pipelines


Scanning steps can be added to your Bitbucket pipeline. For example:

        - step:
            name: BoostSecurity Semgrep
            script:
              - pipe: docker://public.ecr.aws/boostsecurityio/boost-scanner-bitbucket:v4
                variables:
                  BOOST_API_TOKEN: $BOOST_API_TOKEN
                  BOOST_SCANNER_REGISTRY_MODULE: "boostsecurityio/semgrep"
The environment variable BOOST_API_TOKEN is the API token created from the dashboard Settings Page. The variable BOOST_SCANNER_REGISTRY_MODULE specifies the scanner to execute from the module registry. Multiple scanners can be configured in the pipeline, as required.

Note

The required environment variables, such as $BOOST_API_TOKEN, need to be added to workspace or repository variables. Workspace variables are added at https://bitbucket.org/<workspace-slug>/workspace/settings/addon/admin/pipelines/account-variables and repository variables are added at https://bitbucket.org/<workspace-slug>/<repository-slug>/admin/addon/admin/pipelines/repository-variables.

Scanner steps can be configured for both the main branch and the PR flow. The example below runs scanners on the main branch and in pull requests:

pipelines:
  branches:
    main:
      - parallel:
        - step:
            name: BoostSecurity Semgrep
            script:
              - pipe: docker://public.ecr.aws/boostsecurityio/boost-scanner-bitbucket:v4
                variables:
                  BOOST_API_TOKEN: $BOOST_API_TOKEN
                  BOOST_SCANNER_REGISTRY_MODULE: "boostsecurityio/semgrep"

        - step:
            name: SBOM
            script:
              - pipe: docker://public.ecr.aws/boostsecurityio/boost-scanner-bitbucket:v4
                variables:
                  BOOST_API_TOKEN: $BOOST_API_TOKEN
                  BOOST_SCANNER_REGISTRY_MODULE: "boostsecurityio/trivy-sbom"

  pull-requests:
    '**':
      - parallel:
        - step:
            name: BoostSecurity Semgrep
            script:
              - pipe: docker://public.ecr.aws/boostsecurityio/boost-scanner-bitbucket:v4
                variables:
                  BOOST_API_TOKEN: $BOOST_API_TOKEN
                  BOOST_SCANNER_REGISTRY_MODULE: "boostsecurityio/semgrep"
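
A pre-merge check for the two points above, written as an added example (not BoostSecurity's code): it flags any BOOST_API_TOKEN set to a literal instead of a workspace or repository variable reference, and reports when the scanner pipe is missing from the branch or pull-request flow. The function name lint_pipeline and the sample token are constructed, and the check assumes the two-space key layout under `pipelines:` used in the example on this page.

```python
import re

PIPE = "boost-scanner-bitbucket"  # scanner image name used on this page
VAR_REF = re.compile(r"^\$([A-Za-z_]\w*|\{[A-Za-z_]\w*\})$")  # $NAME or ${NAME}

# Constructed sample: the pull-requests step hardcodes a (fake) token.
SAMPLE = """\
pipelines:
  branches:
    main:
      - step:
          script:
            - pipe: docker://public.ecr.aws/boostsecurityio/boost-scanner-bitbucket:v4
              variables:
                BOOST_API_TOKEN: $BOOST_API_TOKEN
                BOOST_SCANNER_REGISTRY_MODULE: "boostsecurityio/semgrep"
  pull-requests:
    '**':
      - step:
          script:
            - pipe: docker://public.ecr.aws/boostsecurityio/boost-scanner-bitbucket:v4
              variables:
                BOOST_API_TOKEN: "constructed-not-a-real-token"
                BOOST_SCANNER_REGISTRY_MODULE: "boostsecurityio/semgrep"
"""

def lint_pipeline(text):
    """Return (line_number, message) findings; line 0 means file-level."""
    findings, trigger, scanned = [], None, set()
    for no, line in enumerate(text.splitlines(), 1):
        m = re.match(r"^  ([\w-]+):\s*$", line)  # keys directly under `pipelines:`
        if m:
            trigger = m.group(1)  # e.g. branches, pull-requests
        if "pipe:" in line and PIPE in line:
            scanned.add(trigger)  # this trigger runs the scanner pipe
        m = re.match(r"^\s*BOOST_API_TOKEN:\s*(.*)$", line)
        if m and not VAR_REF.match(m.group(1).strip().strip("'\"")):
            findings.append((no, "BOOST_API_TOKEN is not a $VARIABLE reference"))
    for needed in ("branches", "pull-requests"):
        if needed not in scanned:
            findings.append((0, f"no Boost scanner step under {needed}"))
    return findings

if __name__ == "__main__":
    for finding in lint_pipeline(SAMPLE):
        print(finding)
```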