New Features

 

Git repository (SCM) integrations

See more
  1. Docs Library | Snyk
  2. Integrations
  3. Git repository (SCM) integrations

Bitbucket Cloud integration

The user generates a unique Bitbucket “app password” that they generate for Snyk specifically. Together the user’s username and password constitute a token that Snyk uses. The token authorizes Snyk to access the user’s repos for only the specific permissions that the user indicates to Bitbucket Cloud when generating it.

 
 

  1. The user selects projects and repositories for import to Snyk (for testing and monitoring).

  2. Snyk evaluates the items that the user selected and imports any that have relevant manifest files in the root folder and all the sub folders at any level.

  3. Snyk communicates directly with your repository for each test it runs to determine exactly what code is currently pushed and what dependencies are being used. Each dependency is tested against Snyk’s vulnerability database to see if it contains any known vulnerabilities.

  4. Based on your configurations, if vulnerabilities are found, Snyk notifies you via email or Slack so that you can take immediate remediation action.

Configure your integration for Bitbucket Cloud

Snyk integrates with Bitbucket Cloud to enable you to import your projects and monitors the source code for your repositories. Snyk tests the projects you’ve imported for any known security vulnerabilities found in the application’s dependencies, testing at a frequency you control.

How to configure your BitBucket integration

Enable integration between Bitbucket and Snyk, and start managing your vulnerabilities.

Prerequisites

Ensure you have set up your Bitbucket Cloud account and your Snyk account.

Steps

  1. Access your Bitbucket Cloud account and retrieve a unique app password for Snyk. For help doing this, see the Bitbucket documentation.

  2. When prompted in Bitbucket, enable the following permissions for Snyk access as follows:

    • Account: read

    • Workspace membership: read

    • Projects: read

    • Repositories: read

    • Pull requests: read and write

    • Webhooks: read and write

  3. Log in to your Snyk account.

  4. Navigate to Integrations from the menu bar at the top.

  5. From the Integrations page under the Bitbucket Cloud logo, click the Connect to Bitbucket Cloud button:

    GitIntegrations.png

  6. From the Settings page, enter your Bitbucket Cloud username and the app password that you just generated.

  7. Click Save.

  8. Snyk tests the connection values and the page reloads, now displaying Bitbucket Cloud integration information. A confirmation message that the details were saved also appears in green at the top of the screen. In addition, if the connection to Bitbucket failed, a notification appears under the Connected to Bitbucket Cloud section.

    image2.png
 
 

Add Bitbucket Cloud projects to Snyk

Snyk tests and monitors Bitbucket repositories that are in any of our supported languages by evaluating root folders and custom file locations.

Adding projects to Snyk
 
 

  1. Go to Projects and click Add projects. Choose the tool from which to import your projects:

    image1.png

  2. A popup screen opens with all the available repositories under the selected integration:

    image2.png

  3. Select the repos that you would like to import to Snyk to monitor them for security/license issues. To import all repos for a specific organization, checkmark the organization.

  4. Click Add selected repositories. Snyk scans all the folders in the tree for manifest files.

 
Adding custom file location
 
 

  1. From the Add custom file location dropdown list, select the relevant repo for which you would like to configure a custom path. The repo must first be selected from the Add Projects view, as described in the previous step.

  2. In the text field, enter the relative path in which the manifest file is located, as demonstrated in the image above.

Note

This field is case sensitive.

 
Excluding folders from import
 
 

To exclude specific folders from being imported, specify the names of the folders that you want to exclude from the search (maximum 9 folders). Separate names with commas.

Note

This field is case sensitive and the pattern applies for all repos.

 
Next steps
 
 

Once repositories are imported, a confirmation appears in green at the top of the screen. The selected files are indicated with a unique icon, they are named by organization/repo, and you can now also filter to view only those projects, as seen in the example below:

image7.png

This integration works similar to our other integrations. To continue to monitor, remediate and manage your projects, see the relevant pages in our Docs.