First time using Bitbucket? Please refer to the following documentation.
This integration lets you connect Conviso Platform directly to the development pipeline without impacting your business.
To set up a repository, follow the steps below:
At the Bitbucket project page, click the Pipelines section;
Click Select on the Starter Pipeline option;
A text editor will appear; delete all of its content;
As the first job, let's invoke the FlowCLI help menu. To do so, paste the snippet below:
For the environment to be ready to run all CLI resources, some environment variables must be configured. To accomplish that, follow the steps below:
Under Repository Settings, click Repository Variables;
Create a new variable named FLOW_API_KEY. This key is available to Conviso Platform users on the user profile page;
We can also add a variable named FLOW_PROJECT_CODE that contains the Continuous Code Review project key, shown in the Project Key field on the Project page.
Before proceeding, we recommend reading the following guide to understand the different strategies for deploying to Code Review.
After choosing the strategy for sending deploys to Code Review, you can create a dedicated pipeline for this action or integrate it into existing pipelines. The requirements for running it are the FLOW_API_KEY variable set at the project level and the FLOW_PROJECT_CODE variable (identified as the Project Key at Conviso Platform), which can be set individually per project.
Below are sample code snippets for each of the approaches:
With TAGS, timestamp sorted
With TAGS, versioning-style sorted
Without TAGS, GIT tree sorted
In addition to deploying for code review, you can also integrate a SAST-type scan into the development pipeline; it automatically scans for potential vulnerabilities, which Conviso Platform treats as findings.
The requirements for running the job are the same as before: FLOW_API_KEY and FLOW_PROJECT_CODE, defined as environment variables.
In the above pipeline, we passed no options to the flow sast run command. In that case the default behavior is to analyze the entire repository, because the options that bound the diff range default to the repository's first commit (the start) and the current commit, HEAD (the --end-commit option), respectively.
Alternatively, we can specify the diff range manually. In the example below, we scan between the current commit and the immediately previous one on the current branch:
The SAST analysis can complement the code review carried out by the Conviso analyst and even serve as input for it. The job below deploys the code for code review and reuses the same diff identifiers for the SAST analysis, forming a complete solution in the pipeline. A complete pipeline combining both is shown in the snippet below:
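A wrapper for the SAST step, added here as an example and not Conviso's or Bitbucket's own code, that checks the required repository variables, resolves the previous-commit-to-HEAD range described above, and validates both commit ids before invoking the CLI. It assumes the FlowCLI binary is `flow` and that `flow sast run` takes a `--start-commit` option alongside the `--end-commit` option named above; the script name `sast-job.sh` is also an assumption.

```shell
#!/bin/sh
# Added example (not Conviso's code): a wrapper for the SAST pipeline step.
# Assumptions: the FlowCLI binary is `flow`, and `flow sast run` accepts a
# --start-commit option alongside the --end-commit option named above.

# Fail with every missing variable named, instead of letting the CLI fail
# later with an opaque authentication or project-lookup error.
require_vars() {
  missing=""
  for name in "$@"; do
    eval "value=\${$name:-}"
    [ -n "$value" ] || missing="$missing $name"
  done
  [ -z "$missing" ] && return 0
  echo "missing required repository variables:$missing" >&2
  return 1
}

# Accept only full 40-hex commit ids, so an empty or symbolic expansion
# (e.g. a failed $(git rev-parse ...)) cannot silently widen the scanned range.
is_sha() {
  printf '%s' "$1" | grep -Eq '^[0-9a-f]{40}$'
}

# Build the SAST command for an explicit range. The same two identifiers can
# be handed to the code review deploy step so both cover exactly one diff.
sast_command() {
  is_sha "$1" && is_sha "$2" || return 1
  printf 'flow sast run --start-commit %s --end-commit %s\n' "$1" "$2"
}

# The range described in the text: previous commit on the branch -> HEAD.
# Requires a checkout with history (not a depth-1 clone).
resolve_range() {
  printf '%s %s\n' "$(git rev-parse HEAD~1)" "$(git rev-parse HEAD)"
}

# Entry point for the step's script section: `sh sast-job.sh run`.
if [ "${1:-}" = run ]; then
  require_vars FLOW_API_KEY FLOW_PROJECT_CODE || exit 1
  set -- $(resolve_range)
  cmd="$(sast_command "$1" "$2")" || { echo "unresolvable commit range" >&2; exit 1; }
  echo "running: $cmd"
  eval "$cmd"
fi
```

In the pipeline step, call it as `sh sast-job.sh run`; the variable check makes a missing FLOW_API_KEY or FLOW_PROJECT_CODE fail the step immediately with a readable message.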