
Integrate SAST with BitBucket

Important

Before using SAST for the first time, consult the Lacework Product Team for more information as it may not work appropriately for you.

SAST analyzes your repository for potential vulnerabilities on pull requests and code pushes. This page provides an example BitBucket pipeline that runs Lacework's SAST.

note

You must be an admin for the BitBucket repository to add repository variables and an access token.

Collect and Add Repository Variables

Before you can run SAST in BitBucket, you must add LW_ACCOUNT_NAME, LW_API_KEY, and LW_API_SECRET to your BitBucket repository. To obtain these values:

  1. Log in to the Lacework Console.
  2. Click Settings > API keys.
  3. Select or create an API key.
  4. Click the download icon.
  5. Open the downloaded .json file to view your API Key, API Secret, and account name.

You must also create and add a repository access token.

Create a Repository Access Token

In order to properly analyze and comment on your BitBucket pull requests, Lacework requires PR read/write access. To grant access, you must create and add a repository access token to your repository:

  1. Log in to your BitBucket account.
  2. Select your desired BitBucket repository.
  3. Go to Repository Settings > Security > Access tokens.
  4. Click Create Repository Access Token.
  5. In the Name field, enter a name for the token.
  6. Under Pull requests select Read and Write.
  7. Click Create.
  8. Copy the value of the token and add the variable to your BitBucket Repository.

note

The token value cannot be retrieved after its initial creation.

For more information, refer to the BitBucket Documentation.

Add Variables to your BitBucket Repository

To add repository variables to your BitBucket repository:

  1. Log in to your BitBucket account.
  2. Select your desired BitBucket repository.
  3. Go to Repository Settings > Pipelines > Repository variables.

For each variable (LW_BITBUCKET_TOKEN, LW_ACCOUNT_NAME, LW_API_KEY, and LW_API_SECRET):

  1. In the Name field, enter the name of your variable. For example, LW_ACCOUNT_NAME.
  2. In the Value field, enter the value of your variable. For example, mycompany.
    note

    Your account name is the name that precedes .lacework.net in your organization's login. In the above example, the organization's login is mycompany.lacework.net, so the account name is mycompany.

  3. Select/Deselect the Secured checkbox based on your organization's preferences.
  4. Click Add.
note

The value of LW_BITBUCKET_TOKEN is the repository access token you created in the previous step.

For more information, refer to the BitBucket Documentation.

Run On Pushes or Pull Requests

To run Lacework's SAST tool on pushes or pull requests, Lacework recommends editing the bitbucket-pipelines.yml file based on the following example:

image:
  name: atlassian/default-image:3

laceworkCodeSecurity: &laceworkCodeSecurity
  step:
    name: Run Lacework Code Security
    image: atlassian/default-image:3
    script:
      - pipe: lacework/code-security-action-pipe:1
        variables:
          LW_ACCOUNT_NAME: $LW_ACCOUNT_NAME
          LW_API_KEY: $LW_API_KEY
          LW_API_SECRET: $LW_API_SECRET
          LW_BITBUCKET_TOKEN: $LW_BITBUCKET_TOKEN
          TOOLS: "sca,sast"
          BUILD_COMMAND: "./build.sh"

pipelines:
  pull-requests:
    "**":
      - <<: *laceworkCodeSecurity
  branches:
    main:
      - <<: *laceworkCodeSecurity

note

The above pipeline runs both Lacework's SCA and SAST tools. To run only SAST, remove sca from the TOOLS value so that the line reads TOOLS: "sast".

BitBucket Variables

The above example pipeline is configured to run on all pull requests and on pushes (including merges) to the main branch. Use the following variables to further customize your configuration:

Variable               Usage
LW_ACCOUNT_NAME *      Passes through the repository variable.
LW_API_KEY *           Passes through the repository variable.
LW_API_SECRET *        Passes through the repository variable.
LW_BITBUCKET_TOKEN *   Passes through the repository variable.
TOOLS *                Comma-separated list of tools to run. Options are sast or sca.
BUILD_COMMAND ^        Required if using the SAST tool. Command to execute in the repository root to produce a clean build of the program.
SAST_CLASSPATH         Classpath for SAST to search for built classes to analyze after the build has been executed. Default is the repository root.
SAST_SOURCES           Directory for SAST to search for sources to analyze. Default is the repository root.
DEBUG                  Set to true to enable enhanced logging. Default is false.

* = always required
^ = required in some circumstances
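As an added example (not Lacework's or BitBucket's own code), the following POSIX shell pre-flight check applies the rules in the table above before the pipe runs, so that a misconfigured step fails early with a message naming the missing variable rather than failing inside the scanner: the four credential variables and TOOLS are always required, TOOLS may contain only sast or sca, BUILD_COMMAND is required only when sast is selected, and LW_ACCOUNT_NAME must be the part before .lacework.net. Because TOOLS and BUILD_COMMAND are pipe variables rather than repository variables in the example pipeline, the script takes them as arguments; the function names, the script path in the comment, and all sample values are assumptions. Only variable names are ever printed, never their values.

```shell
#!/bin/sh
# Added pre-flight check for the Lacework code-security pipe (example code,
# not Lacework's or BitBucket's own). It mirrors the variable rules from the
# table: the four credentials and TOOLS are always required, TOOLS holds only
# "sast"/"sca", and BUILD_COMMAND is required only when sast is selected.
# Only variable names are printed, never their values.

# check_tools "sca,sast": succeed if every comma-separated entry is sast or sca.
check_tools() {
  rest=$1
  [ -n "$rest" ] || { echo "TOOLS must be set (sast, sca or sast,sca)" >&2; return 1; }
  while [ -n "$rest" ]; do
    tool=${rest%%,*}
    case "$rest" in
      *,*) rest=${rest#*,} ;;
      *)   rest= ;;
    esac
    case "$tool" in
      sast|sca) ;;
      *) echo "TOOLS: unknown entry '$tool' (expected sast or sca)" >&2; return 1 ;;
    esac
  done
  return 0
}

# has_tool "sca,sast" sast: succeed if the list contains the named tool.
has_tool() {
  case ",$1," in
    *",$2,"*) return 0 ;;
    *)        return 1 ;;
  esac
}

# validate_config TOOLS BUILD_COMMAND LW_ACCOUNT_NAME LW_API_KEY LW_API_SECRET LW_BITBUCKET_TOKEN
# Reports every problem found and returns non-zero if there was at least one.
validate_config() {
  tools=$1; build_command=$2; account=$3; key=$4; secret=$5; token=$6
  rc=0
  for pair in "LW_ACCOUNT_NAME=$account" "LW_API_KEY=$key" \
              "LW_API_SECRET=$secret" "LW_BITBUCKET_TOKEN=$token"; do
    name=${pair%%=*}
    value=${pair#*=}
    [ -n "$value" ] || { echo "missing repository variable: $name" >&2; rc=1; }
  done
  check_tools "$tools" || rc=1
  if has_tool "$tools" sast && [ -z "$build_command" ]; then
    echo "BUILD_COMMAND is required when TOOLS includes sast" >&2; rc=1
  fi
  # The account name is the part before .lacework.net; pasting the whole
  # login host is an easy mistake to make.
  case "$account" in
    *.lacework.net)
      echo "LW_ACCOUNT_NAME should be the part before .lacework.net" >&2; rc=1 ;;
  esac
  return $rc
}

# Example invocation from a script: line placed before the pipe: entry of the
# step (hypothetical path scripts/lw-preflight.sh). The first two arguments
# repeat the literals given to the pipe; the rest are the repository variables
# BitBucket injects into the step environment.
#   validate_config "sca,sast" "./build.sh" \
#     "$LW_ACCOUNT_NAME" "$LW_API_KEY" "$LW_API_SECRET" "$LW_BITBUCKET_TOKEN"
```

Marking the four credential variables as Secured in BitBucket masks their values in pipeline logs; this script keeps to that by reporting only which variable is missing, so its output is safe to leave in build logs.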

Results

When you run SAST in BitBucket, Lacework comments the results on your pull request. The comment reports the vulnerabilities introduced by the pull request and links to the file in the repository where the potential vulnerability was found. The results also provide additional information about the vulnerability and its usage context.