BitBucket

Last updated 1 month ago

Integration Setup

To configure the BitBucket integration, follow these steps (either during the onboarding wizard, or once you have access to the Gomboc platform):

  1. Go to Settings > Integrations > BitBucket.

     1. Click on your profile drop-down in the top right corner, open your Gomboc settings, and create a personal or workspace token.

  2. Workspace Access Token: In BitBucket, go to your workspace settings and create an access token that has Repositories (Read & Write), Pull requests (Read & Write), and Webhooks (Read & Write) permissions. Once generated, copy the workspace access token. Also note the workspace ID, which can be found within your workspace settings as well.

     1. Once the Gomboc token is created, copy the generated token.

     2. Click on the BitBucket integration button to open the form for creating the integration.

     3. Paste the generated Gomboc token into the Gomboc Access Token input.

     4. Complete the integration form by entering your Workspace ID and the workspace access token you copied from BitBucket.

  3. Click "Integrate" to complete the initial SCM integration. Please note that we create a workspace webhook to complete the integration and to keep track of the PRs we have opened.


CI/CD

Pull Request Pipeline

A BitBucket pipeline can use the following YAML to run the Gomboc CLI on every pull request targeting main; it only attempts to remediate directories that contain code differences. When running the Gomboc CLI command, you can replace the submit-for-review argument with preview if no pull request is wanted. Please note that with preview the pipeline will pass regardless of any remediations we find.

image: gombocai/cli:1.0.4

pipelines:
  pull-requests:
    '**':
      - step:
          oidc: true
          name: 'Run Gomboc CLI'
          script:
          - if [ "${BITBUCKET_PR_DESTINATION_BRANCH}" != "main" ]; then printf 'not a target branch we want to check'; exit 0; fi
          - before=$(git rev-parse origin/$BITBUCKET_PR_DESTINATION_BRANCH)
          - after=$(git rev-parse origin/$BITBUCKET_BRANCH)
          - target_directories=$(for i in $(git diff --name-only --diff-filter=ACMRT $before $after) ; do dirname $i ; done | sort -u | xargs)
          - >
            if [ -z "$target_directories" ]; then
              echo -e "\033[0;31mNo changes detected\033[0m"
              exit 0
            fi
          - gomboc submit-for-review on-pull-request --auth-token $BITBUCKET_STEP_OIDC_TOKEN --target-directories $target_directories --pull-request $BITBUCKET_PR_ID --iac cloudformation terraform

Scheduled Pipeline

The Gomboc pipeline can be executed on a schedule to detect remediations in code that become available due to changes in IaC modules or improvements in Gomboc remediation coverage. To configure a scheduled pipeline, use the custom pipeline option in Bitbucket Pipelines and set up your Gomboc pipeline following the instructions here. Note that the target_directories variable must be modified to point to the folders in your IaC repository to scan for the pipeline to execute successfully.

image: gombocai/cli:1.0.4

pipelines:
  custom:
    'scheduled_Gomboc':
      - step:
          oidc: true
          name: 'Run Gomboc CLI'
          script:
          - |
            target_directories=("." "tf" "iac")
            gomboc submit-for-review on-schedule --auth-token $BITBUCKET_STEP_OIDC_TOKEN --target-directories "${target_directories[@]}" --iac cloudformation terraform
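The change-detection gate that the pull-request pipeline runs before invoking the CLI, reworked as an added example (not Gomboc's own code or part of the CLI): it turns a list of changed paths into the --target-directories value, maps root-level files to ".", treats an empty diff or a non-main destination as "stop here", and reads paths line by line so a path with a space is not split. The changed-file list is a constructed sample standing in for real git output.

```shell
#!/bin/sh
# Added example, not part of the Gomboc docs or CLI. Constructed sample input
# standing in for what `git diff --name-only --diff-filter=ACMRT $before $after`
# would print in the pipeline.
SAMPLE_CHANGED_FILES='iac/network/vpc.tf
iac/network/subnets.tf
tf/iam.tf
template.yaml
README.md'

# target_dirs_from_diff: reads changed paths on stdin and prints their unique
# parent directories, space-separated, in the form the pipeline passes to
# --target-directories. Files at the repository root map to ".".
# Unlike the pipeline's `for i in $(git diff ...)`, reading line by line keeps a
# path containing spaces as one path instead of splitting it into several.
target_dirs_from_diff() {
  while IFS= read -r path; do
    [ -n "$path" ] || continue
    dirname "$path"
  done | LC_ALL=C sort -u | xargs
}

# destination_is_scanned: mirrors the pipeline's first script line; returns 0
# only when the pull request targets "main", so the caller can stop otherwise.
destination_is_scanned() {
  [ "$1" = "main" ]
}

# run_gate: combines both checks. Prints the directory list and returns 0 when
# the CLI should run; prints the reason and returns 1 when the step should stop.
run_gate() {
  dest="$1"
  destination_is_scanned "$dest" || { echo "not a target branch we want to check"; return 1; }
  dirs=$(target_dirs_from_diff)
  [ -n "$dirs" ] || { echo "No changes detected"; return 1; }
  echo "$dirs"
}

# Stand-alone demo on the constructed sample: prints ". iac/network tf".
printf '%s\n' "$SAMPLE_CHANGED_FILES" | run_gate main
```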