BitBucket

Integration Setup

To configure the BitBucket integration, follow these steps (either during the onboarding wizard, or once you have access to the Gomboc platform):

1. Go to Settings > Integrations > BitBucket

1. Click on your profile drop down in the top right corner and access your Gomboc settings and create a personal or workspace token.

1. Once the Gomboc token is created copy the generated token.

2. Click on the BitBucket integration button to open the form for creating the integration

3. Paste in the generated Gomboc token under the input Gomboc Access Token

4. In BitBucket, go to your workspace settings to create an access token Workspace Access Token that has Repositories (Read & Write), Pull requests (Read & Write), and Webhooks (Read & Write) permissions. Once generated, copy the workspace access token. Also keep in mind the workspace ID, which can be found within your workspace settings as well.

5. You can now complete the integration form by inputting your Workspace ID and copied workspace access token from BitBucket

3. Click "Integrate" to complete the initial SCM integration. Please note that we do create a workspace webhook to complete the integration and keep track of PR's that we have opened.

CI/CD

Pull Request Pipeline

A BitBucket pipeline can use the following yaml to run the Gomboc CLI on every pull request to main, will only try to remediate directories with code differences. When running the the Gomboc cli command you can replace submit-for-review argument with preview if no pull request is wanted. Please note that with preview, the pipelines will pass, regardless of any remediations we find.

image: gombocai/cli:latest

pipelines:
  pull-requests:
    '**':
      - step:
          oidc: true
          name: 'Run Gomboc CLI'
          script:
          - if [ "${BITBUCKET_PR_DESTINATION_BRANCH}" != "main" ]; then printf 'not a target branch we want to check'; exit; fi
          - before=$(git rev-parse origin/$BITBUCKET_PR_DESTINATION_BRANCH)
          - after=$(git rev-parse origin/$BITBUCKET_BRANCH)
          - target_directories=$(for i in $(git diff --name-only --diff-filter=ACMRT $before $after) ; do dirname $i ; done | sort -u | xargs)
          - >
            if [ -z "$target_directories" ]; then
              echo -e "\033[0;31mNo changes detected\033[0m"
              exit 0
            fi
          - gomboc terraform remediate remote submit-for-review --auth-token $BITBUCKET_STEP_OIDC_TOKEN --target-directories $target_directories --pull-request $BITBUCKET_PR_ID

Scheduled Pipeline

The Gomboc pipeline can be executed on a schedule to support detecting remediations in code that happen due to changes in IaC modules or improvements in Gomboc remediation coverage. To configure a scheduled pipeline, use the custom pipeline option in Bitbucket pipelines and set up your Gomboc pipeline following the instructions here. Note that the target_directoriesvariable must be modified to point to the folder in your IaC repository to scan for the pipeline to execute successfully.

image: gombocai/cli:latest

pipelines:
  custom:
    'scheduled_Gomboc': 
      - step:
          oidc: true
          name: 'Run Gomboc CLI'
          script:      
          - |
            target_directories=("." "tf" "iac")
            gomboc terraform remediate remote submit-for-review --auth-token $BITBUCKET_STEP_OIDC_TOKEN --target-directories "${target_directories[@]}"