Bitbucket Pipelines
Bitbucket Pipelines is Atlassian’s integrated CI/CD service that builds, tests, and deploys code from Bitbucket repositories.
Quick Start
Basic Configuration
# bitbucket-pipelines.yml
# Minimal pipeline: install the Vulnetix CLI and scan the checkout on every push,
# with a separately named assessment on main.
# NOTE(review): alpine:latest is a moving tag; pin a version so builds are reproducible.
image: alpine:latest

pipelines:
  default:
    - step:
        name: Vulnetix
        script:
          # Alpine ships without curl; needed for the installer below.
          - apk add --no-cache curl
          # NOTE(review): this pipes an unpinned installer fetched from a branch head straight
          # into sh. Pin to a release tag/commit and verify a checksum or signature before
          # relying on it in production.
          - curl -fsSL https://raw.githubusercontent.com/vulnetix/cli/main/install.sh | sh
          # The following line relies on this export persisting within the step's shell.
          - export PATH=$PATH:$HOME/.local/bin
          - vulnetix --org-id "$VULNETIX_ORG_ID" --task scan --project-name "$BITBUCKET_REPO_SLUG"
        artifacts:
          # assumes the scan writes this file to the build root — TODO confirm
          - security-results.sarif
  branches:
    main:
      - step:
          name: Security Assessment
          script:
            - apk add --no-cache curl
            # NOTE(review): same unpinned curl|sh pattern as above; pin and verify.
            - curl -fsSL https://raw.githubusercontent.com/vulnetix/cli/main/install.sh | sh
            - export PATH=$PATH:$HOME/.local/bin
            - vulnetix --org-id "$VULNETIX_ORG_ID" --task scan --project-name "$BITBUCKET_REPO_SLUG"
          artifacts:
            - vulnetix-assessment.json
Advanced Configuration
Multi-Step Security Pipeline
# bitbucket-pipelines.yml - Complete security pipeline
# Reusable step definitions (YAML anchors) composed into default, PR and branch pipelines.
# NOTE(review): alpine:latest is a moving tag; pin a version so builds are reproducible.
image: alpine:latest

definitions:
  steps:
    # Installs the CLI once. NOTE(review): the later steps rely on vulnetix-cache to carry
    # ~/.local/bin into their fresh step containers; caches are best-effort (populated only
    # when absent, expire on a schedule), so a cache miss leaves the scan steps without the
    # binary — confirm this holds, or have each step install the CLI itself.
    - step: &install-vulnetix
        name: Install Vulnetix
        script:
          - apk add --no-cache curl bash
          # NOTE(review): unpinned installer piped from a branch head into sh;
          # pin to a release tag/commit and verify a checksum or signature.
          - curl -fsSL https://raw.githubusercontent.com/vulnetix/cli/main/install.sh | sh
          - export PATH=$PATH:$HOME/.local/bin
          # Smoke test: fails the step early if the install did not land on PATH.
          - vulnetix --version
        caches:
          - vulnetix-cache
    - step: &vulnetix-assessment
        name: Vulnetix
        script:
          - export PATH=$PATH:$HOME/.local/bin
          - vulnetix --org-id "$VULNETIX_ORG_ID" --task scan --project-name "$BITBUCKET_REPO_SLUG"
        caches:
          - vulnetix-cache
    - step: &sast-analysis
        name: SAST Analysis
        # NOTE(review): :latest is unpinned, and returntocorp is the older image namespace —
        # verify it is still published and pin a version.
        image: returntocorp/semgrep:latest
        script:
          - semgrep --config=auto --sarif --output=sast-results.sarif .
        artifacts:
          - sast-results.sarif
    - step: &dependency-scan
        name: Dependency Scan
        script:
          - apk add --no-cache curl
          # NOTE(review): same unpinned curl|sh pattern; pin the trivy release and verify it.
          - curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
          - trivy fs . --format sarif --output dependency-scan.sarif
        artifacts:
          - dependency-scan.sarif
    # Same scan as &vulnetix-assessment under a different step name; runs after the parallel group.
    - step: &release-assessment
        name: Security Assessment
        script:
          - export PATH=$PATH:$HOME/.local/bin
          - vulnetix --org-id "$VULNETIX_ORG_ID" --task scan --project-name "$BITBUCKET_REPO_SLUG"
        caches:
          - vulnetix-cache
  caches:
    # Matches the directory the PATH exports above point at.
    vulnetix-cache: ~/.local/bin

pipelines:
  default:
    - step: *install-vulnetix
    - parallel:
        - step: *vulnetix-assessment
        - step: *sast-analysis
        - step: *dependency-scan
    - step: *release-assessment
  pull-requests:
    '**':
      - step: *install-vulnetix
      - step: *vulnetix-assessment
  branches:
    main:
      - step: *install-vulnetix
      - parallel:
          - step: *vulnetix-assessment
          - step: *sast-analysis
          - step: *dependency-scan
      - step: *release-assessment
      - step:
          name: Deploy Security Report
          deployment: production
          script:
            # Placeholder: replace with the actual publish step.
            - echo "Deploying security assessment results..."
            # Deploy to security dashboard or artifact repository
    develop:
      - step: *install-vulnetix
      - step: *vulnetix-assessment
Custom Docker Image Pipeline
# bitbucket-pipelines.yml - Custom security image
# Placeholder registry/image; every scanner used below is expected to be baked into it.
# NOTE(review): :latest is unpinned — pin a digest or version so scan results are reproducible.
image: your-registry.com/security-tools:latest

pipelines:
  default:
    - step:
        name: Comprehensive Security Assessment
        script:
          # All tools pre-installed in custom image
          - semgrep --config=auto --sarif --output=sast.sarif .
          - trivy fs . --format sarif --output=deps.sarif
          - vulnetix --org-id "$VULNETIX_ORG_ID" --task scan --project-name "$BITBUCKET_REPO_SLUG"
        artifacts:
          - "*.sarif"
        # NOTE(review): nothing in this script uses Docker; the docker service and cache
        # below add startup cost and can be dropped unless an image build is added.
        services:
          - docker
        caches:
          - docker
Environment Configuration
Repository Variables
Configure in Bitbucket repository settings:
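# Repository Variables (Bitbucket Settings > Repository variables)
# Plain variable: the organisation identifier is not a secret.
VULNETIX_ORG_ID=123e4567-e89b-12d3-a456-426614174000
# Secured variable: set the real value in the Bitbucket UI with "Secured" ticked so it is
# masked in build logs. The original line assigned the variable to itself, which defines
# nothing; the placeholder below stands in for the value that is never committed.
VULNETIX_API_TOKEN="<set-in-bitbucket-ui-as-secured-variable>"
VULNETIX_ENVIRONMENT=production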
VULNETIX_TEAM_NAME=security-team
Secured Variables
For sensitive configuration:
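# bitbucket-pipelines.yml - Using secured variables
# Secured variables are configured in the repository settings, not in this file; Bitbucket
# injects them into the step environment and masks their values in the log output.
pipelines:
  default:
    - step:
        name: Secure Assessment
        script:
          # Fail fast with a clear message when a required variable is missing. The original
          # `export VULNETIX_ORG_ID=$VULNETIX_ORG_ID` was a no-op: the variable is already in
          # the environment, so re-exporting it changed nothing.
          - ': "${VULNETIX_ORG_ID:?VULNETIX_ORG_ID is not set - add it as a repository variable}"'
          - ': "${VULNETIX_TEAM_NAME:?VULNETIX_TEAM_NAME is not set - add it as a repository variable}"'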
          - vulnetix --org-id "$VULNETIX_ORG_ID" --task scan --project-name "$BITBUCKET_REPO_SLUG" --team-name "$VULNETIX_TEAM_NAME"
Configuration Files
# vulnetix-tools.yaml - Tool configuration
# Maps the scanner outputs produced by the pipeline steps to the categories Vulnetix ingests.
tools:
  # Presumably relative to the build root; each must match the scanner step's --output path.
  - category: "SAST"
    artifact_name: "./sast-results.sarif"
    format: "SARIF"
    tool_name: "semgrep"
  - category: "SCA"
    artifact_name: "./dependency-scan.sarif"
    format: "SARIF"
    tool_name: "trivy"

assessment:
  # NOTE(review): how these keys are interpreted is defined by the CLI, not by this file —
  # confirm against its documentation (e.g. whether fail_on_high_severity affects the step exit code).
  fail_on_high_severity: true
  generate_report: true
  output_formats: ["json", "sarif", "html"]
Integration Patterns
Parallel Execution
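# bitbucket-pipelines.yml - Parallel security assessments
# Custom caches must be declared under definitions before a step can reference them;
# the original listing used vulnetix-cache without declaring it, which Bitbucket rejects.
definitions:
  caches:
    vulnetix-cache: ~/.local/bin

# NOTE(review): no top-level image is set, yet the apk commands below assume an Alpine
# image — add `image:` as in the basic example.
pipelines:
  default:
    - step:
        name: Setup
        script:
          - apk add --no-cache curl
          # NOTE(review): unpinned installer piped from a branch head into sh;
          # pin to a release tag/commit and verify a checksum or signature.
          - curl -fsSL https://raw.githubusercontent.com/vulnetix/cli/main/install.sh | sh
        caches:
          - vulnetix-cache
    - parallel:
        - step:
            name: SAST Scan
            image: returntocorp/semgrep:latest
            script:
              - semgrep --config=auto --sarif --output=sast.sarif .
            artifacts:
              - sast.sarif
        - step:
            name: Dependency Scan
            script:
              - apk add --no-cache curl
              - curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
              - trivy fs . --format sarif --output=deps.sarif
            artifacts:
              - deps.sarif
        - step:
            name: Secrets Scan
            image: trufflesecurity/trufflehog:latest
            script:
              - trufflehog filesystem . --json > secrets.json
            # NOTE(review): trufflehog's JSON output carries the matched secret values by
            # default; as a pipeline artifact it is downloadable by anyone who can see the
            # build, so redact or restrict it before retaining.
            artifacts:
              - secrets.json
    - step:
        name: Aggregate Assessment
        script:
          # Relies on the binary restored from vulnetix-cache after the Setup step (best-effort).
          - export PATH=$PATH:$HOME/.local/bin
          - vulnetix --org-id "$VULNETIX_ORG_ID" --task scan --project-name "$BITBUCKET_REPO_SLUG"
        caches: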
          - vulnetix-cache
Conditional Execution
# bitbucket-pipelines.yml - Conditional security steps
pipelines:
  default:
    - step:
        name: Vulnetix
        script:
          - export PATH=$PATH:$HOME/.local/bin
          # NOTE(review): unpinned installer piped from a branch head into sh;
          # pin to a release tag/commit and verify a checksum or signature.
          - curl -fsSL https://raw.githubusercontent.com/vulnetix/cli/main/install.sh | sh
          - vulnetix --org-id "$VULNETIX_ORG_ID" --task scan --project-name "$BITBUCKET_REPO_SLUG"
        # The step runs only when the push touches one of these paths.
        condition:
          changesets:
            includePaths:
              - "src/**"
              # NOTE(review): patterns without a directory part match only files at the
              # repository root; use "**/*.go"-style patterns if nested files should count — confirm.
              - "*.go"
              - "*.py"
              - "*.js"
              - "*.ts"
              - "Dockerfile"
              - "requirements.txt"
              - "package.json"
              - "go.mod"
  branches:
    main:
      # Unconditional on main so every mainline change is assessed.
      - step:
          name: Production Security Assessment
          script:
            - export PATH=$PATH:$HOME/.local/bin
            - curl -fsSL https://raw.githubusercontent.com/vulnetix/cli/main/install.sh | sh
            - vulnetix --org-id "$VULNETIX_ORG_ID" --task scan --project-name "$BITBUCKET_REPO_SLUG"
Deployment Integration
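# bitbucket-pipelines.yml - Security gates for deployment
pipelines:
  branches:
    main:
      # Gate: a non-zero exit here fails the step and the later deploy steps never run.
      # NOTE(review): whether findings make the CLI exit non-zero is not visible in this
      # file — confirm, otherwise this step gates nothing.
      - step:
          name: Security Gate
          script:
            - export PATH=$PATH:$HOME/.local/bin
            # NOTE(review): unpinned installer piped from a branch head into sh; pin and verify.
            - curl -fsSL https://raw.githubusercontent.com/vulnetix/cli/main/install.sh | sh
            - vulnetix --org-id "$VULNETIX_ORG_ID" --task scan --project-name "$BITBUCKET_REPO_SLUG"
      - step:
          name: Deploy to Staging
          deployment: staging
          script:
            - echo "Deploying to staging environment..."
            # Deployment logic here
      - step:
          name: Staging Security Validation
          # NOTE(review): this re-runs the same source scan as the gate; it does not touch the
          # staging environment, so it validates nothing new unless the scan target changes.
          script:
            - export PATH=$PATH:$HOME/.local/bin
            # Every step runs in a fresh container, so the CLI must be installed here too;
            # the original step skipped this and would fail with "command not found".
            - curl -fsSL https://raw.githubusercontent.com/vulnetix/cli/main/install.sh | sh
            - vulnetix --org-id "$VULNETIX_ORG_ID" --task scan --project-name "$BITBUCKET_REPO_SLUG"
          after-script:
            - echo "Staging validation completed"
      - step:
          name: Deploy to Production
          deployment: production
          # Waits for a click in the Pipelines UI; with deployment permissions this is the approval gate.
          trigger: manual
          script:
            - echo "Deploying to production environment..."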
            # Production deployment logic
Artifact Management
Artifact Retention
# bitbucket-pipelines.yml - Long-term artifact retention
# NOTE(review): no key in this listing sets a retention period, and there is no `artifacts:`
# entry, so nothing produced by this step is kept at all. Pipelines artifacts expire after a
# fixed window (14 days at the time of writing — confirm); long-term retention means uploading
# the results to external storage (Downloads, an artifact repository, etc.) from the script.
pipelines:
  default:
    - step:
        name: Security Assessment with Retention
        script:
          - export PATH=$PATH:$HOME/.local/bin
          # NOTE(review): unpinned installer piped from a branch head into sh; pin and verify.
          - curl -fsSL https://raw.githubusercontent.com/vulnetix/cli/main/install.sh | sh
          - vulnetix --org-id "$VULNETIX_ORG_ID" --task scan --project-name "$BITBUCKET_REPO_SLUG"
          # Build retained for 365 days
Edge Cases and Troubleshooting
Corporate Firewall/Proxy
# bitbucket-pipelines.yml - Corporate proxy configuration
# Presumably for self-hosted runners inside the corporate network, where proxy.company.com is
# reachable. NOTE(review): consider keeping the proxy host in a repository variable instead of
# hard-coding it here, so the file does not change per environment.
pipelines:
  default:
    - step:
        name: Security Assessment (Corporate Network)
        script:
          # curl and apk honour these variables; whether the CLI does is not visible here — confirm.
          # NO_PROXY keeps loopback and internal hosts direct.
          - export HTTP_PROXY=http://proxy.company.com:8080
          - export HTTPS_PROXY=http://proxy.company.com:8080
          - export NO_PROXY=localhost,127.0.0.1,.company.com
          # NOTE(review): apk needs an Alpine image, but this listing sets no `image:` —
          # add one as in the basic example.
          - apk add --no-cache curl
          # NOTE(review): unpinned installer piped from a branch head into sh; pin and verify.
          - curl -fsSL https://raw.githubusercontent.com/vulnetix/cli/main/install.sh | sh
          - export PATH=$PATH:$HOME/.local/bin
          - vulnetix --org-id "$VULNETIX_ORG_ID" --task scan --project-name "$BITBUCKET_REPO_SLUG"
Large Repository Handling
# bitbucket-pipelines.yml - Large repository optimization
pipelines:
  default:
    - step:
        name: Optimized Security Assessment
        # Doubles the CPU and memory allocated to this step.
        size: 2x # Use larger build container
        script:
          - export PATH=$PATH:$HOME/.local/bin
          # NOTE(review): unpinned installer piped from a branch head into sh; pin and verify.
          - curl -fsSL https://raw.githubusercontent.com/vulnetix/cli/main/install.sh | sh
          # NOTE(review): the max-time that follows this step is in minutes and Bitbucket's
          # default is 120, so a value of 30 shortens rather than extends the limit — raise it
          # if long scans timing out is the concern.
          - vulnetix --org-id "$VULNETIX_ORG_ID" --task scan --project-name "$BITBUCKET_REPO_SLUG"
        max-time: 30  # Extended timeout for large repos
Custom SSL Certificates
# bitbucket-pipelines.yml - Custom CA certificates
pipelines:
  default:
    - step:
        name: Security Assessment (Custom CA)
        script:
          # NOTE(review): apk needs an Alpine image, but this listing sets no `image:` —
          # add one as in the basic example.
          - apk add --no-cache ca-certificates curl
          # company-ca.crt is read from the clone directory. A CA certificate is public
          # material, so committing it is fine; its private key never belongs in the repo.
          - cp company-ca.crt /usr/local/share/ca-certificates/
          # Rebuilds the system bundle so curl (and anything using it) trusts the CA.
          - update-ca-certificates
          # NOTE(review): unpinned installer piped from a branch head into sh; pin and verify.
          - curl -fsSL https://raw.githubusercontent.com/vulnetix/cli/main/install.sh | sh
          - export PATH=$PATH:$HOME/.local/bin
          - vulnetix --org-id "$VULNETIX_ORG_ID" --task scan --project-name "$BITBUCKET_REPO_SLUG"
Memory and Resource Optimization
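# bitbucket-pipelines.yml - Resource optimization
pipelines:
  default:
    - step:
        name: Memory-Optimized Assessment
        # NOTE(review): the original used `memory: 1024`, which is a service-definition option
        # rather than a step option (confirm against the Bitbucket schema) and, at 1024 MB, is
        # below the standard step allocation anyway. `size: 2x` is the step-level way to get
        # more memory.
        size: 2x
        script:
          - export PATH=$PATH:$HOME/.local/bin
          # NOTE(review): unpinned installer piped from a branch head into sh; pin and verify.
          - curl -fsSL https://raw.githubusercontent.com/vulnetix/cli/main/install.sh | sh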
          - vulnetix --org-id "$VULNETIX_ORG_ID" --task scan --project-name "$BITBUCKET_REPO_SLUG"
Integration with Bitbucket Features
SARIF Upload Integration
# bitbucket-pipelines.yml - SARIF upload to Vulnetix
pipelines:
  pull-requests:
    '**':
      - step:
          name: Security Review
          script:
            - export PATH=$PATH:$HOME/.local/bin
            # NOTE(review): unpinned installer piped from a branch head into sh; pin and verify.
            - curl -fsSL https://raw.githubusercontent.com/vulnetix/cli/main/install.sh | sh
            # Upload only if a producer left the SARIF file in place.
            # NOTE(review): nothing in this step (or an earlier step via artifacts) writes
            # security-results.sarif, so as written the guard is always false — confirm.
            - |
              if [ -f "security-results.sarif" ]; then
                vulnetix upload --file security-results.sarif --org-id "$VULNETIX_ORG_ID"
              fi
Performance Optimization
Caching Strategies
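# bitbucket-pipelines.yml - Advanced caching
definitions:
  caches:
    # NOTE(review): the original also declared vulnetix-cache as ~/.local/bin/vulnetix, a
    # path inside security-tools that was therefore archived twice; one cache covers it.
    security-tools: ~/.local/bin
    scan-cache: ~/.vulnetix/cache

pipelines:
  default:
    - step:
        name: Cached Security Assessment
        script:
          - export PATH=$PATH:$HOME/.local/bin
          # Install only on a cache miss. NOTE(review): a restored cache is not refreshed until
          # it expires, so this pins whatever CLI version was cached first — confirm that matches
          # the update policy you want. The installer itself is unpinned; pin and verify it.
          - |
            if [ ! -f ~/.local/bin/vulnetix ]; then
              curl -fsSL https://raw.githubusercontent.com/vulnetix/cli/main/install.sh | sh
            fi
          - vulnetix --org-id "$VULNETIX_ORG_ID" --task scan --project-name "$BITBUCKET_REPO_SLUG"
        caches:
          - security-tools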
          - scan-cache
Build Matrix
# bitbucket-pipelines.yml - Multi-environment testing
pipelines:
  default:
    # Each language image scans the same checkout concurrently. Every step is a fresh
    # container, so the CLI is installed in each one. NOTE(review): the installer is an
    # unpinned curl|sh from a branch head in every step — pin and verify it once.
    - parallel:
        - step:
            name: Security Assessment (Go)
            image: golang:1.21-alpine
            script:
              - apk add --no-cache curl
              - curl -fsSL https://raw.githubusercontent.com/vulnetix/cli/main/install.sh | sh
              - export PATH=$PATH:$HOME/.local/bin
              - vulnetix --org-id "$VULNETIX_ORG_ID" --task scan --project-name "$BITBUCKET_REPO_SLUG"
        - step:
            name: Security Assessment (Node.js)
            image: node:18-alpine
            script:
              - apk add --no-cache curl
              - curl -fsSL https://raw.githubusercontent.com/vulnetix/cli/main/install.sh | sh
              - export PATH=$PATH:$HOME/.local/bin
              - vulnetix --org-id "$VULNETIX_ORG_ID" --task scan --project-name "$BITBUCKET_REPO_SLUG"
        - step:
            name: Security Assessment (Python)
            image: python:3.11-alpine
            script:
              - apk add --no-cache curl
              - curl -fsSL https://raw.githubusercontent.com/vulnetix/cli/main/install.sh | sh
              - export PATH=$PATH:$HOME/.local/bin
              - vulnetix --org-id "$VULNETIX_ORG_ID" --task scan --project-name "$BITBUCKET_REPO_SLUG"
    # Runs after all three parallel steps complete; no image is set here, so it uses the default image.
    - step:
        name: Aggregate Multi-Language Results
        script:
          - export PATH=$PATH:$HOME/.local/bin
          - curl -fsSL https://raw.githubusercontent.com/vulnetix/cli/main/install.sh | sh
          - vulnetix --org-id "$VULNETIX_ORG_ID" --task scan --project-name "$BITBUCKET_REPO_SLUG"
Troubleshooting
Common Issues
Installation Problems
# Debug installation
apk add --no-cache curl bash
# bash -x traces every command the installer runs, so the failing line can be located.
curl -fsSL https://raw.githubusercontent.com/vulnetix/cli/main/install.sh | bash -x
# Manual installation
# NOTE(review): "latest" is unpinned and nothing verifies the download; prefer a tagged
# release and compare the archive against its published checksum or signature
# (<checksum-from-release-page>) before moving the binary onto PATH.
wget https://github.com/vulnetix/cli/releases/latest/download/vulnetix-linux-amd64.tar.gz
tar -xzf vulnetix-linux-amd64.tar.gz
mv vulnetix /usr/local/bin/
chmod +x /usr/local/bin/vulnetix
Network Connectivity
# Test connectivity
# -I sends a HEAD request: confirms DNS, TLS and proxy reachability without downloading a body.
curl -I https://app.vulnetix.com/api/check
curl -I https://github.com/vulnetix/cli/releases/latest
# Debug with Vulnetix
# NOTE(review): debug output may include request details; review the log before sharing it.
export VULNETIX_DEBUG=true
vulnetix --org-id "$VULNETIX_ORG_ID" --task scan --project-name "test-project"
Memory Issues
# Use larger container
# NOTE(review): `size` is a step option; `memory` (the line that follows) is only valid under
# definitions.services — confirm against the Bitbucket schema before relying on it for a step.
size: 2x
memory: 2048
Debug Mode
# bitbucket-pipelines.yml - Debug configuration
pipelines:
  default:
    - step:
        name: Debug Security Assessment
        script:
          # NOTE(review): debug output may echo request details and environment values into the
          # build log; use it on a throwaway branch and remove it afterwards, since secured-variable
          # masking is then the only thing keeping secrets out of the log.
          - export VULNETIX_DEBUG=true
          - export PATH=$PATH:$HOME/.local/bin
          # NOTE(review): unpinned installer piped from a branch head into sh; pin and verify.
          - curl -fsSL https://raw.githubusercontent.com/vulnetix/cli/main/install.sh | sh
          - vulnetix --org-id "$VULNETIX_ORG_ID" --task scan --project-name "$BITBUCKET_REPO_SLUG"