Bitbucket Pipelines
First time using Bitbucket? Please refer to the following documentation.
Introduction
This integration runs the Conviso CLI (the convisoappsec/flowcli image) as a Bitbucket Pipelines step, so Code Review deploys and SAST/SCA scans are triggered from the development pipeline you already have, without changing how developers work.
Setting up a new repository without an existing pipeline
To set up a repository, follow the steps below:
On the Bitbucket repository page, click the Pipelines section;
Click Select on the Starter pipeline option;
A text editor will appear; delete all of its content;
As a first job, invoke the CLI help menu to confirm the image and the CLI are working. To do so, paste the snippet below:
image: convisoappsec/flowcli
pipelines:
  branches:
    master:
      - step:
          name: Conviso BitBucket Pipeline
          script:
            - conviso --help
          services:
            - docker
Setting up Environment Variables
For the CLI to use all of its resources inside the pipeline, a few environment variables must be configured. To do so, follow the steps below:
Under Repository settings, click Repository variables;
Create a new variable named FLOW_API_KEY. This key is available to Conviso Platform users on the user profile page. Mark the variable as Secured: Bitbucket then hides the value in the UI and masks it in build logs, so the key is not exposed if a command echoes its environment;
Optionally, add a variable named FLOW_PROJECT_CODE containing the Continuous Code Review project key, shown in the Project Key field on the Project page.
Code Review
Before proceeding, we recommend reading the following guide to understand the different strategies/approaches for deploying Code Review.
After choosing the strategy used to send deploys to Code Review, you can create a dedicated pipeline for this action or add the step to an existing pipeline. The requirements are the FLOW_API_KEY variable, set once at repository level, and the FLOW_PROJECT_CODE variable (the value shown as Project Key in Conviso Platform), which can be set per project.
Below are sample snippets for each of the approaches:
With TAGS, sorted by timestamp
image: convisoappsec/flowcli
pipelines:
  branches:
    master:
      - step:
          name: Conviso BitBucket Pipeline
          script:
            - conviso deploy create with tag-tracker sort-by time
          services:
            - docker
With TAGS, sorted by versioning-style
image: convisoappsec/flowcli
pipelines:
  branches:
    master:
      - step:
          name: Conviso BitBucket Pipeline
          script:
            - conviso deploy create with tag-tracker sort-by versioning-style
          services:
            - docker
Without TAGS, sorted by GIT Tree
image: convisoappsec/flowcli
pipelines:
  branches:
    master:
      - step:
          name: Conviso BitBucket Pipeline
          script:
            - conviso deploy create with values
          services:
            - docker
SAST
In addition to deploying for Code Review, a SAST scan can be integrated into the development pipeline. It automatically scans the code for potential vulnerabilities, which Conviso Platform records as findings.
The requirements for running the job are the same as before: FLOW_API_KEY and FLOW_PROJECT_CODE defined as environment variables.
image: convisoappsec/flowcli
pipelines:
  branches:
    master:
      - step:
          name: Conviso BitBucket Pipeline
          script:
            - conviso sast run
          services:
            - docker
The pipeline above passes no options to conviso sast run, so the whole repository is analysed: the default values of --start-commit and --end-commit are the first commit and the current commit (HEAD), respectively.
Alternatively, the diff range can be given explicitly. In the example below only the changes between the current commit ($BITBUCKET_COMMIT) and its immediate parent on the current branch are scanned. Keep in mind that Bitbucket Pipelines performs a shallow clone by default; if the start commit lies further back than the clone contains, git cannot resolve it and the step fails, so set clone: depth: full in the pipeline for ranges that reach deep into history.
image: convisoappsec/flowcli
pipelines:
  branches:
    master:
      - step:
          name: Conviso BitBucket Pipeline SAST
          script:
            - conviso sast run --start-commit $(git rev-parse HEAD~1) --end-commit $BITBUCKET_COMMIT
          services:
            - docker
SCA
The following code snippet will trigger an SCA scan and send the results to Conviso Platform:
image: convisoappsec/flowcli
pipelines:
  branches:
    master:
      - step:
          name: Conviso BitBucket Pipeline SCA
          script:
            - conviso sca run
          services:
            - docker
Putting everything together: Code Review + SAST + SCA deployment
SAST and SCA analysis complement the code review carried out by the Conviso analyst and can serve as input for it. The job below creates the deploy for Code Review and reuses the same commit identifiers to run the SAST analysis, then runs SCA, forming a complete solution in the pipeline. The -f env_vars option writes the deploy's commit range to a file in a form the shell can source, which is how the SAST step receives FLOW_DEPLOY_PREVIOUS_VERSION_COMMIT and FLOW_DEPLOY_CURRENT_VERSION_COMMIT:
image: convisoappsec/flowcli
pipelines:
  branches:
    master:
      - step:
          name: Conviso BitBucket Pipeline
          script:
            - conviso deploy create -f env_vars with values > created_deploy_vars
            - source created_deploy_vars
            - |
              conviso sast run \
                --start-commit "$FLOW_DEPLOY_PREVIOUS_VERSION_COMMIT" \
                --end-commit "$FLOW_DEPLOY_CURRENT_VERSION_COMMIT"
            - conviso sca run
          services:
            - docker
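The wrapper script below is an added example; it is not part of the Conviso documentation or of the flowcli project. It ties together the environment-variable section, the SAST diff-range section and the combined pipeline above: it refuses to run when FLOW_API_KEY or FLOW_PROJECT_CODE is missing (logging only a short fingerprint of the key, never the key itself), resolves the SAST range from the variables exported by conviso deploy create -f env_vars with a fallback that still works on a shallow clone, and then runs the same deploy, SAST and SCA commands shown on this page. The function names, the created_deploy_vars file name and the fallback order are this example's own choices; the conviso commands and the FLOW_* variable names are the ones used above. It assumes a Linux image with git and coreutils (sha256sum) available.

```shell
#!/usr/bin/env bash
# Added example, not part of the Conviso docs or the flowcli project.
# Sourced from a Bitbucket Pipelines step; see the usage note below.
# Assumes a Linux image with git and coreutils (sha256sum) available.
set -u

# Fail fast when a required repository variable is missing or empty.
# Only an 8-hex-char SHA-256 fingerprint of FLOW_API_KEY is logged, so the
# build log never contains the key itself (mark the variable as Secured in
# Bitbucket as well, so the runner masks it if anything else prints it).
require_conviso_vars() {
  missing=0
  for name in FLOW_API_KEY FLOW_PROJECT_CODE; do
    eval "value=\${$name:-}"   # names are fixed literals, safe to eval
    if [ -z "$value" ]; then
      echo "error: repository variable $name is not set" >&2
      missing=1
    fi
  done
  [ "$missing" -eq 0 ] || return 1
  fp=$(printf '%s' "$FLOW_API_KEY" | sha256sum | cut -c1-8)
  echo "conviso: project=$FLOW_PROJECT_CODE api-key-fingerprint=$fp"
}

# Print "<start-commit> <end-commit>" for conviso sast run, trying in order:
#   1. FLOW_DEPLOY_PREVIOUS_VERSION_COMMIT / FLOW_DEPLOY_CURRENT_VERSION_COMMIT,
#      exported by `conviso deploy create -f env_vars`, so SAST covers exactly
#      the range that was sent to Code Review;
#   2. the parent of the end commit, when the clone contains it;
#   3. the oldest commit the clone does contain. On a shallow clone HEAD~1 does
#      not resolve; this fallback scans everything available instead of
#      failing the step (on a depth-1 clone start == end, i.e. an empty diff).
resolve_sast_range() {
  end=${FLOW_DEPLOY_CURRENT_VERSION_COMMIT:-$(git rev-parse HEAD)}
  if [ -n "${FLOW_DEPLOY_PREVIOUS_VERSION_COMMIT:-}" ]; then
    start=$FLOW_DEPLOY_PREVIOUS_VERSION_COMMIT
  elif git rev-parse --verify --quiet "${end}~1" >/dev/null 2>&1; then
    start=$(git rev-parse "${end}~1")
  else
    start=$(git rev-list --max-parents=0 "$end" | tail -n 1)
  fi
  printf '%s %s\n' "$start" "$end"
}

# The whole step: preflight, Code Review deploy, then SAST and SCA over the
# same range. Each command's failure fails the step instead of being ignored.
conviso_scan() {
  require_conviso_vars || return 1
  conviso deploy create -f env_vars with values > created_deploy_vars || return 1
  . ./created_deploy_vars
  set -- $(resolve_sast_range)
  conviso sast run --start-commit "$1" --end-commit "$2" || return 1
  conviso sca run
}
```

Commit the file as, for instance, ci/conviso-scan.sh and replace the step's script list with a single line, `- source ci/conviso-scan.sh && conviso_scan`; the step then fails on a missing variable or a failed deploy before any scan runs, and the SAST range is the one the deploy reported rather than a second, independently computed one.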