BitBucket Pipelines

To configure how different types of SCM actions trigger a scan in Gomboc see CI Pipeline Configuration.

Pull Request Pipeline

A BitBucket pipeline can use the following YAML to run the Gomboc CLI on every pull request to main; it will only try to remediate directories that contain code differences. When running the Gomboc CLI command you can replace the submit-for-review argument with preview if no pull request is desired. Please note that with preview, the pipeline will pass regardless of any remediations that are produced.

image: node:18

pipelines:
  pull-requests:
    '**':
      - step:
          name: "Run Gomboc CLI"
          oidc: true
          services:
            - docker
          script:
            - git fetch origin +refs/heads/*:refs/remotes/origin/*
            - before="$(git rev-parse origin/$BITBUCKET_PR_DESTINATION_BRANCH)"
            - after="$(git rev-parse origin/$BITBUCKET_BRANCH)"
            - echo "before $before"
            - echo "after $after"
            - target_directories=$(for i in $(git diff --name-only --diff-filter=ACMRT "$before" "$after") ; do dirname $i ; done | sort -u | xargs)
            - |
              if [ -z "$target_directories" ]; then
                echo -e "\033[0;31mNo changes detected\033[0m"
                exit 0
              fi
            - |
              docker run --rm --platform=linux/amd64 \
                -e FORCE_COLOR=3 \
                gombocai/cli:1.0.13 \
                sh -c "gomboc submit-for-review on-pull-request \
                  --auth-token $BITBUCKET_STEP_OIDC_TOKEN \
                  --target-directories \"$target_directories\" \
                  --pull-request $BITBUCKET_PR_ID \
                  --iac terraform cloudformation"
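The target_directories computation in the step above is the part worth checking before the pipeline runs. The POSIX sh helpers below are an added example, not part of the Gomboc documentation or CLI: changed_dirs reproduces the pipeline's dirname / sort -u / join logic over a constructed list of changed paths (so it runs without git), changed_dirs_between wraps the same git diff invocation the pipeline uses (assumes git on PATH), and scan_or_skip mirrors the early exit on an empty list. The space-separated single-argument format for --target-directories is taken from the pipeline YAML.

```shell
#!/bin/sh
# Added helper (not Gomboc's code): reproduces the target_directories
# computation from the pull-request pipeline so it can be exercised locally.

# changed_dirs: read a newline-separated list of changed paths on stdin (the
# shape of `git diff --name-only` output) and print the unique parent
# directories, sorted, joined by single spaces. Files at the repository root
# map to ".", nested files map to their own directory (not an ancestor), and
# empty input prints nothing. `read -r` keeps paths with spaces intact.
changed_dirs() {
  while IFS= read -r path; do
    [ -n "$path" ] && dirname "$path"
  done | sort -u | paste -sd ' ' -
}

# changed_dirs_between: the same computation over the two commits the
# pipeline compares (destination branch tip, then source branch tip).
# --diff-filter=ACMRT keeps added/copied/modified/renamed/type-changed files
# and drops deletions, so a directory whose files were only removed is not
# scanned. Assumes git is available on PATH.
changed_dirs_between() {
  git diff --name-only --diff-filter=ACMRT "$1" "$2" | changed_dirs
}

# scan_or_skip: mirror the pipeline's early exit. With an empty list it
# reports "No changes detected" and returns 0 (the step passes without
# invoking the CLI); otherwise it prints the argument the CLI would receive.
scan_or_skip() {
  dirs="$1"
  if [ -z "$dirs" ]; then
    echo "No changes detected"
    return 0
  fi
  echo "--target-directories \"$dirs\""
}

# Constructed sample input standing in for `git diff --name-only` output.
sample_paths='main.tf
modules/vpc/main.tf
modules/vpc/outputs.tf
iac/template.yaml'
scan_or_skip "$(printf '%s\n' "$sample_paths" | changed_dirs)"
```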

Scheduled Pipeline

The Gomboc pipeline can be executed on a schedule to support detecting remediations in code that arise from changes in IaC modules or from improvements in Gomboc remediation coverage. To configure a scheduled pipeline, use the custom pipeline option in Bitbucket Pipelines and set up your Gomboc pipeline following the instructions here. Note that the values provided for the target_directories variable are an example and must be modified to point to the folders in your IaC repository to scan; otherwise the pipeline will not execute successfully.

image: node:18

pipelines:
  custom:
    'gomboc_scheduled':
      - step:
          oidc: true
          name: 'Run Gomboc CLI'
          services:
            - docker
          script:
            - |
              # Example values: replace with the directories of your IaC repository to scan
              target_directories=("." "tf" "iac")
              # "${target_directories[*]}" joins the array into one space-separated argument
              docker run --rm --platform=linux/amd64 \
                -e FORCE_COLOR=3 \
                gombocai/cli:1.0.13 \
                sh -c "gomboc submit-for-review on-schedule \
                  --auth-token $BITBUCKET_STEP_OIDC_TOKEN \
                  --target-directories \"${target_directories[*]}\" \
                  --pull-request $BITBUCKET_PR_ID \
                  --iac terraform cloudformation"