1. Snyk
  2. Integrations for Snyk Open Source
  3. CI/CD integrations

Bitbucket Pipelines integration overview

Follow

Articles in this section

See more
Rachel Cheyfitz
  • Updated
Follow

Snyk integrates with Bitbucket Pipelines using a Snyk pipe, seamlessly scanning your application dependencies and Docker images for open source security vulnerabilities as part of the continuous integration/continuous delivery (CI/CD) workflow.

Bitbucket Pipes enables users to customize and automate a Bitbucket Pipeline CI/CD workflow with a group of ready-to-use tasks that can be added inside of your pipelines by copying and pasting them from the Bitbucket interface.

With the Snyk pipe, you can quickly add Snyk scanning to your pipelines to test and monitor for vulnerabilities at different points of the CI/CD workflow, based on your configurations. Results are then displayed from the Bitbucket Pipelines output view and can also be monitored from Snyk.io.

Snyk pipe information in Bitbucket

From the build directory, Bitbucket Pipelines displays a list of available pipes customized for you directly, similar to the following image:

image1.png

From this list, find and click Snyk to view the pipe, examples, parameters, and values:

image2.png

Language support

Snyk integration with Bitbucket pipes is supported for the following languages:

  • JavaScript (npm)

  • .NET (NuGet)

  • PHP Composer

  • Ruby

  • Docker

Bitbucket Pipelines integration: how it works

Once the user has added the pipe to the pipeline, each time the pipeline executes (by any trigger type) the Snyk pipe does the following.

Scan

  1. Scans app dependencies or container images for vulnerabilities or licensing issues, and lists them.

  2. If Snyk finds vulnerabilities, it does one of the following (based on configuration):

    • Fails the build

    • Lets the build complete

Monitor

Optionally, if the build completes successfully and MONITOR is set to True in the Snyk step, then Snyk saves a snapshot of the project dependencies from the Snyk app, where you can view the dependency tree displaying all of the issues, and you can receive alerts for new issues found in the existing app version.

Protect (optional)

(For Node.js projects only) Optionally, set PROTECT to True and if a .snyk policy file exists, Snyk applies patches specified in the policy file.

Configure your BItbucket Pipelines integration

To enable Snyk to test and monitor your code as an integral part of your CI/CD workflow in Bitbucket, add the Snyk pipe into your bitbucket-pipelines.yml (YAML) file. The bitbucket-pipelines.yml file should be located in the root of your repository, and it is this file that defines all your build configurations (pipelines for your CI/CD workflow).

How to add a Snyk pipe

  1. Add the Snyk pipe while originally creating your pipeline, or while editing an existing pipeline. See the Bitbucket documentation for more information about pipelines and pipes. When adding the Snyk pipe, follow these guidelines:

  2. Use the Bitbucket pipeline editor to update the .yml file configuration, select the correct language and use the Bitbucket Pipes build directory when adding the Snyk pipe.

  3. Paste the Snyk pipe into the Bitbucket editor interface, after all, build steps. Build steps are commands such as these: npm install / composer install / bundle install / dotnet restore / docker build

  4. Ensure you paste the pipe before a deployment step, such as npm publish or docker push.

  5. Configure the LANGUAGE, choose whether to fail the pipeline on vulnerabilities found with DONT_BREAK_BUILD (you can also use SEVERITY_THRESHOLD), and consider enabling MONITOR and PROTECT (Protect for Node.js projects only). See Snyk pipe parameters and values for more information.

  6. Once included in your pipeline commands, Snyk looks for the manifest files in that repository (package.json, package-lock.json) and performs the scan.

  7. Results appear in the Bitbucket Pipelines output interface, similar to the following:

    image3.png

Note

If the build fails, even if MONITOR is set to True, Snyk does not continue to the Monitor stage (because no projects are deployed until the build succeeds). To enable monitoring on Snyk.io of projects with vulnerabilities, set DONT_BREAK_BUILD to True. You can use SEVERITY_THRESHOLD to tell the pipe the severity threshold from which to fail the pipe at the scanning stage. See Snyk pipe parameters and values for more information.

Prerequisites

For your Bitbucket Pipelines, ensure you have build minutes in your account, which are necessary to enable ongoing CI/CD workflows.

  • Create a Snyk account and retrieve the Snyk API token from your #Account settings.

  • For npm projects, if you would like to enable automatic remediation for the CI/CD workflow as well, run the Snyk wizard first.

Bitbucket Pipelines integration:Snyk pipe parameters and values

Following is the Snyk pipe that should be configured as part of a pipeline YAML file in order to include vulnerability scanning as part of your CI/CD workflow:

- pipe: snyk/snyk-scan:0.2.0

variables:

SNYK_TOKEN: '<string>'

LANGUAGE: '<string>'

# IMAGE_NAME: '<string>' # Only required if LANGUAGE set to 'docker'

# DONT_BREAK_BUILD: '<boolean>' # Optional.

# MONITOR: '<boolean>' # Optional.

# SEVERITY_THRESHOLD: '<low|medium|high>' # Optional.

# ORGANIZATION: '<string>' # Optional.

# PROJECT_FOLDER: '<string>' # Optional.

# TARGET_FILE: '<string>' # Optional.

# EXTRA_ARGS: '<string>' # Optional.

# DEBUG: '<boolean>' # Optional.

The following table describes the Snyk pipe parameters.

Parameter

Description

SNYK_TOKEN (*)

Enter the Snyk API token, which you can retrieve from your Snyk Account settings.

To encrypt the token, you can add it as a predefined variable in a separate part of the Bitbucket pipes directory:

  1. From the build directory, click the cog icon, name the parameter “token” and enter your token as the value.

  2. Click the padlock icon next to the parameter and value and then click Add.

  3. From the YAML file, enter $token as the value for the TOKEN parameter in the Snyk pipe.

See Bitbucket documentation for more information about predefined variables.

LANGUAGE (*)

Configure the package manager of the app (for example, npm, rubygems, composer, nuget or docker).

See Dockerhub for a full list of possible tags.

IMAGE_NAME (*)

For docker language only, configure the image name for which to perform a docker scan.

PROTECT

Supported only for JavaScript (npm) currently.

This parameter applies the patches specified in your .snyk file to the local file system when set to True.

Default: false. Automatic remediation is disabled.

In order to enable automatic remediation, first run the Snyk Wizard, which creates and adds the .snyk file to your project.

DONT_BREAK_BUILD

When set to true, continues the build even when vulnerabilities are discovered.

Default: false. The build fails.

MONITOR

Records a snapshot of the project for the Snyk UI and then continues monitoring the project after the build is run.

If the test succeeds, this records a snapshot of the app’s dependencies in the Snyk app and allows you to see the state of your deployed code, have it monitored and receive alerts when new vulns are found in the code.

Default: false. The project is not monitored after the initial scan.

SEVERITY_THRESHOLD

Reports issues equal to or higher than the configured level. Possible values: low, med, high

Default: low. All vulnerabilities are reported.

ORGANIZATION

Configures the organization from your Snyk account to which to associate the repository.

Default: none.

PROJECT_FOLDER

The folder in which the project resides.

Default: ..

TARGET_FILE

The package file (for example package.json); equivalent to --file= in the CLI.

For Docker enter the Dockerfile as the value.

Default: none.

EXTRA_ARGS

Extra arguments to be passed to the Snyk CLI. Use the parameters and arguments as described here.

Default: none.

DEBUG

Turn on extra debug information.

Default: false

Example of a Snyk pipe for Docker

Following is an example of the Snyk pipe set up for a Docker image:

image4.png

Example of a Snyk pipe for npm

Following is an example of the Snyk pipe set up for npm:

image5.png

Comments

0 comments

Article is closed for comments.