BitBucket Pipelines

To configure how different types of SCM actions trigger a scan in Gomboc see CI Pipeline Configuration.

Pull Request Pipeline

A BitBucket pipeline can use the following YAML to run the Gomboc CLI on every pull request whose destination branch is main; it only submits directories that contain code differences between the destination branch and the pull request branch. When running the gomboc CLI command you can replace the submit-for-review argument with preview if no remediation pull request is desired. Please note that with preview, the pipeline will pass regardless of any remediations that are produced.

image: gombocai/cli:1.0.13

pipelines:
  pull-requests:
    '**':
      - step:
          oidc: true
          name: 'Run Gomboc CLI'
          script:
          - if [ "${BITBUCKET_PR_DESTINATION_BRANCH}" != "main" ]; then printf 'not a target branch we want to check'; exit; fi
          - before=$(git rev-parse origin/$BITBUCKET_PR_DESTINATION_BRANCH)
          - after=$(git rev-parse origin/$BITBUCKET_BRANCH)
          - target_directories=$(for i in $(git diff --name-only --diff-filter=ACMRT $before $after) ; do dirname $i ; done | sort -u | xargs)
          - >
            if [ -z "$target_directories" ]; then
              echo -e "\033[0;31mNo changes detected\033[0m"
              exit 0
            fi
          - gomboc submit-for-review on-pull-request --auth-token $BITBUCKET_STEP_OIDC_TOKEN --target-directories $target_directories --pull-request $BITBUCKET_PR_ID --iac cloudformation terraform
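The directory selection in the script above is easy to get wrong when adapted, so here is the same logic pulled out into shell functions that can be exercised locally. This is an added example, not part of the Gomboc documentation or CLI; the file list and branch names it is run with are constructed, and the function names (changed_dirs, pr_scan_targets, target_dirs_from_git) are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example (not from the Gomboc docs): reproduces the "which directories
# changed?" step of the pull-request pipeline so it can be checked offline.

# changed_dirs FILE... -> space-separated, sorted, unique parent directories.
# Mirrors: for i in $(git diff --name-only ...); do dirname $i; done | sort -u | xargs
# LC_ALL=C makes the ordering (and therefore the output) locale independent.
changed_dirs() {
  [ $# -gt 0 ] || return 0
  for f in "$@"; do dirname -- "$f"; done | LC_ALL=C sort -u | xargs
}

# pr_scan_targets DEST_BRANCH FILE... -> prints the directories to submit, or
# prints nothing and returns 0 when the pull request does not target main or
# touched no files. These are the same two early exits as the pipeline script,
# which must not fail the build (exit 0) when there is simply nothing to scan.
pr_scan_targets() {
  dest=$1; shift
  [ "$dest" = "main" ] || return 0
  changed_dirs "$@"
}

# target_dirs_from_git BEFORE AFTER -> same selection against a real checkout.
# --diff-filter=ACMRT keeps Added/Copied/Modified/Renamed/Type-changed files;
# deleted files are excluded because their directory may no longer exist.
# Note: like the pipeline script, this word-splits on whitespace in file names
# (constructed limitation, acceptable for typical IaC repositories).
target_dirs_from_git() {
  files=$(git diff --name-only --diff-filter=ACMRT "$1" "$2") || return 1
  # shellcheck disable=SC2086
  changed_dirs $files
}

# Stand-alone demonstration with a constructed file list.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  echo "targets: $(pr_scan_targets main tf/main.tf tf/vars.tf iac/cfn/stack.yaml README.md)"
  echo "non-main targets: '$(pr_scan_targets develop tf/main.tf)'"
fi
```

Running the file prints `targets: . iac/cfn tf` for the constructed change set (README.md at the repository root maps to `.`, so a root-level change causes the whole repository to be scanned) and an empty string for a pull request against `develop`, matching the pipeline's early exit.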

Scheduled Pipeline

The Gomboc pipeline can be executed on a schedule to detect remediations that become available over time, for example because an IaC module the code depends on changed or because Gomboc's remediation coverage improved. To configure a scheduled pipeline, use the custom pipeline option in Bitbucket pipelines and set up your Gomboc pipeline following the instructions here. Note that the target_directories variable must be modified to point to the folders in your IaC repository that should be scanned; otherwise the pipeline will not execute successfully.

image: gombocai/cli:1.0.13

pipelines:
  custom:
    'scheduled_Gomboc':
      - step:
          oidc: true
          name: 'Run Gomboc CLI'
          script:
          - |
            target_directories=("." "tf" "iac")
            gomboc submit-for-review on-schedule --auth-token $BITBUCKET_STEP_OIDC_TOKEN --target-directories "${target_directories[@]}" --iac cloudformation terraform
