Integrate SCA with BitBucket
SCA scans the dependencies inside your repository on pull requests and code pushes. The following example shows a BitBucket pipeline that runs Lacework's SCA.
You must be an admin for the BitBucket repository to add repository variables and access token.
Collect and Add Repository Variables
Before you can run SCA in BitBucket, you must add LW_ACCOUNT_NAME, LW_API_KEY and LW_API_SECRET to your BitBucket repository. You must also assign a service user to this key. To obtain these values:
- Log in to the Lacework Console.
- Click Settings > API keys.
- Select or create an API key.
- Ensure that a service user is assigned for your new or existing API key.
- To assign a service user:
  - Select an API Key - Select an API key, click the edit icon, and then use the toggle and dropdown to select a service user and click Save.
  - Create an API Key - Go to Create API key, then use the toggle and dropdown to select a service user and click Save.
- Click the download icon.
- Open the downloaded .json file to view your API Key, API Secret, and account name.
The service user who's assigned the API secret must have Read and Write permissions on Container Registries and Code Security. For more information, go to the Access Control Overview.
You must also create and add a repository access token.
Create a Repository Access Token
In order to properly analyze and comment on your BitBucket pull requests, Lacework requires PR read/write access. To grant access, you must create and add a repository access token to your repository:
- Log in to your BitBucket account.
- Select your desired BitBucket repository.
- Go to Repository Settings > Security > Access tokens.
- Click Create Repository Access Token.
- In the Name field, enter a name for the token.
- Under Pull requests select Read and Write.
- Click Create.
- Copy the value of the token and add the variable to your BitBucket Repository.
The token value cannot be retrieved after its initial creation; we recommend saving the token and storing it in a safe place.
For more information, refer to the BitBucket Documentation.
Add Variables to your BitBucket Repository
To add repository variables to your BitBucket repository:
- Log in to your BitBucket account.
- Select your desired BitBucket repository.
- Go to Repository Settings > Pipelines > Repository variables.
For each variable (LW_BITBUCKET_TOKEN, LW_ACCOUNT_NAME, LW_API_KEY and LW_API_SECRET):
- In the Name field, enter the name of your variable. For example, LW_ACCOUNT_NAME.
- In the Value field, enter the value of your variable. For example, mycompany.
  Note: Your account name is the name that precedes .lacework.net in your organization's login. In the above example, the organization's login is mycompany.lacework.net, so the account name is mycompany.
- Select/Deselect the Secured checkbox based on your organization's preferences.
- Click Add.
The value of LW_BITBUCKET_TOKEN is the repository access token you created in the previous step.
For more information, refer to the BitBucket Documentation.
Run On Pushes or Pull Requests
To run a Lacework code analysis on pushes or pull requests, Lacework recommends editing the bitbucket-pipelines.yml file based on the following example:
```yaml
image:
  name: atlassian/default-image:3

laceworkCodeSecurity: &laceworkCodeSecurity
  step:
    name: Run Lacework Code Security
    image: atlassian/default-image:3
    script:
      - pipe: lacework/code-security-pipe:1
        variables:
          LW_ACCOUNT_NAME: $LW_ACCOUNT_NAME
          LW_API_KEY: $LW_API_KEY
          LW_API_SECRET: $LW_API_SECRET
          LW_BITBUCKET_TOKEN: $LW_BITBUCKET_TOKEN
          TOOLS: "sca,sast"
          BUILD_COMMAND: "./build.sh"

pipelines:
  pull-requests:
    "**":
      - <<: *laceworkCodeSecurity
  branches:
    main:
      - <<: *laceworkCodeSecurity
```
The above pipeline runs both Lacework's SCA and SAST tools. To run only SCA, remove `,sast` from the TOOLS line (BUILD_COMMAND is then no longer needed).
BitBucket Variables
The above example pipeline is configured to run on all pull requests and merges into the main branch. Use the following variables to further customize your configuration:
| Variable | Usage |
|---|---|
| LW_ACCOUNT_NAME* | Passes through the repository variable. |
| LW_API_KEY* | Passes through the repository variable. |
| LW_API_SECRET* | Passes through the repository variable. |
| LW_BITBUCKET_TOKEN* | Passes through the repository variable. |
| TOOLS* | Comma-separated list of tools to run. Options are sast or sca. |
| BUILD_COMMAND^ | Required if using the SAST tool. Command to execute in the repository root to produce a clean build of the program. |
| SAST_CLASSPATH | Classpath for SAST to search for built classes to analyze after the build has been executed. Default is repository root. |
| SAST_SOURCES | Directory for SAST to search for sources to analyze. Default is repository root. |
| DEBUG | Set to true to enable enhanced logging. Default is false. |
* = always required
^ = required in some circumstances
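A pipeline that is missing a variable fails only once the pipe step runs, and a wrongly formatted LW_ACCOUNT_NAME (the full `mycompany.lacework.net` login pasted instead of `mycompany`) is an easy mistake to make in the variable form above. The preflight script below is an added example, not Lacework's or Atlassian's code: it encodes the rules from the variable table (the four starred credentials plus TOOLS are always required, TOOLS is a comma-separated list of `sca` and/or `sast`, and BUILD_COMMAND is required only when `sast` is selected) and reports which variable names are wrong without ever printing their values, so it is safe to run even when the Secured checkbox was not ticked. The function names and the file name `preflight.sh` are assumptions for this example.

```shell
#!/bin/sh
# Added preflight check (example code, not Lacework's own): validates the
# repository variables that the lacework/code-security-pipe step expects.
# Only the presence and shape of each variable is checked; secret values
# are never written to the build log.

# normalize_account_name: strip an accidentally pasted ".lacework.net"
# suffix, so "mycompany.lacework.net" becomes "mycompany".
normalize_account_name() {
  printf '%s' "$1" | sed 's/\.lacework\.net$//'
}

# tools_are_valid: TOOLS must be a non-empty, comma-separated list whose
# entries are drawn from {sca, sast}. Returns 0 when valid, 1 otherwise.
tools_are_valid() {
  _tools=$1
  [ -n "$_tools" ] || return 1
  for _t in $(printf '%s' "$_tools" | tr ',' ' '); do
    case "$_t" in
      sca|sast) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# build_command_ok: BUILD_COMMAND is required only when "sast" appears in
# TOOLS; for an SCA-only run it may be empty.
build_command_ok() {
  _tools=$1
  _cmd=$2
  case ",$_tools," in
    *,sast,*) [ -n "$_cmd" ] ;;
    *) return 0 ;;
  esac
}

# preflight: check every always-required variable from the table, the
# TOOLS format, the BUILD_COMMAND rule and the account-name format.
# Prints the offending variable NAMES to stderr and returns 1 on any
# problem, so the pipeline fails before the pipe step starts.
preflight() {
  _rc=0
  for _name in LW_ACCOUNT_NAME LW_API_KEY LW_API_SECRET LW_BITBUCKET_TOKEN TOOLS; do
    eval "_val=\${$_name:-}"
    if [ -z "$_val" ]; then
      echo "missing required repository variable: $_name" >&2
      _rc=1
    fi
  done
  case "${LW_ACCOUNT_NAME:-}" in
    *.lacework.net)
      echo "LW_ACCOUNT_NAME must be the account name only (mycompany, not mycompany.lacework.net)" >&2
      _rc=1 ;;
  esac
  if ! tools_are_valid "${TOOLS:-}"; then
    echo "TOOLS must be a comma-separated list of sca and/or sast" >&2
    _rc=1
  fi
  if ! build_command_ok "${TOOLS:-}" "${BUILD_COMMAND:-}"; then
    echo "BUILD_COMMAND is required when TOOLS includes sast" >&2
    _rc=1
  fi
  return $_rc
}
```

To use it, commit the file as `preflight.sh` and add a line such as `- . ./preflight.sh && preflight` to the step's `script:` list ahead of the `pipe:` entry; because the pipe variables are plain repository variables, the same names are visible to the script, and a non-zero exit stops the step before any credential is sent anywhere.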
Results
After running SCA in BitBucket, Lacework comments on your push/pull request. The comment includes a link to more information about the known vulnerability as well as additional details such as the name and severity of the vulnerability found.