SafeDep now supports Bitbucket Cloud integration using Bitbucket Pipes. Using Pipes, SafeDep can be integrated into any Bitbucket CI/CD workflow.

Prerequisites

Bitbucket Account

Bitbucket account with access to your project

Repository

A source code repository to integrate SafeDep in pipelines.

Quick Start

1. Enable CI on Your Project

If you don't already have a bitbucket-pipelines.yml, create one:
touch bitbucket-pipelines.yml

2. Add SafeDep in your pipeline

image: atlassian/default-image:3

pipelines:
  default:
    - step:
        name: Run vet pipe
        script:
          - pipe: safedep/vet-pipe:v1.2.0
That’s it. The default values will be used for dependency scanning. For policy customization and SafeDep Cloud integration, see the Inputs, Policy and Cloud Sync sections.

On Pull Request

vet-pipe can scan only the packages changed within a Pull Request. This relies on environment variables such as BITBUCKET_PR_DESTINATION_BRANCH, which are only populated by Bitbucket's pull-requests pipeline trigger. To enable changed-package scanning for PRs while still covering Push and Merge events, you must configure both the pull-requests and default (or branches) triggers. The most efficient way to do this without duplicating the step is to define it once as a YAML anchor and reference it from both triggers:
image: atlassian/default-image:3

definitions:
  steps:
    - step: &safedep-vet-pipe
        name: "Execute Vet Scan Pipe"
        script:
          - pipe: safedep/vet-pipe:v1.2.0
          
pipelines:
  branches:
    main:
      - step: *safedep-vet-pipe
  pull-requests:
    '**':
      - step: *safedep-vet-pipe

Reports

vet-pipe supports Bitbucket's native Code Insights reports. Each Pull Request or Push gets a report, and the findings are annotated on the affected files, where they are visible in the Bitbucket UI.

Inputs

vet-pipe accepts many inputs (aka variables) that you can specify when running the pipe.

Cloud Sync

Cloud Sync requires a subscription to SafeDep Cloud.
Cloud Sync synchronizes scan data and policy violations with SafeDep Cloud for centralized analysis, query and reporting. Set the following variables to enable cloud sync:
image: atlassian/default-image:3

pipelines:
  default:
    - step:
        name: Run vet pipe
        script:
          - pipe: safedep/vet-pipe:v1.2.0
            variables:
              CLOUD: "true"
              CLOUD_KEY: $CLOUD_KEY
              CLOUD_TENANT: $CLOUD_TENANT
You can generate your CLOUD_KEY and CLOUD_TENANT values from https://app.safedep.io. To create them:
  • Sign Up / Login to https://app.safedep.io
  • Create your Tenant
  • Go to Settings
  • Go to API Keys
  • Then create API Key

Policy Customization

Policy customization is optional; SafeDep Pipe comes with default policies.
Policy as Code treats security policies as configuration files that tools can evaluate to make runtime decisions. If you want to use your own policies, specify them with the POLICY variable. See Policy as Code for more details.
image: alpine:latest

pipelines:
  default:
    - step:
        name: "Run Vet Scan"
        script:
          - pipe: safedep/vet-pipe:v1.2.0
            variables:
              POLICY: "./safedep/policy.yml"
When a policy violation occurs, the pipeline fails. To override this behaviour, set SKIP_FILTER_CI_FAIL: "true" in variables so that the pipeline does not fail on a policy violation.

Other Inputs

See the vet-pipe Bitbucket repo for more detail about other available inputs.

Artifact

Each vet execution produces a vet-report.json file, generated by passing the --report-json flag to the vet command. This file can be downloaded by setting the artifacts property in bitbucket-pipelines.yml:
- step:
    name: "Run Vet Scan"
    script:
      - pipe: safedep/vet-pipe:v1.2.0
    artifacts:
      - vet-report.json
This file will be available to download at Pipelines > Select a Pipeline > Artifacts in the Bitbucket UI.
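As an added example, not taken from the vet-pipe project's own documentation, the following bitbucket-pipelines.yml combines the anchor pattern from the On Pull Request section with the Cloud Sync, Policy Customization and Artifact settings above, so that the branches and pull-requests triggers share one step definition and both keep the report as an artifact. The policy file path and the use of Bitbucket secured repository variables for CLOUD_KEY and CLOUD_TENANT are assumptions.

```yaml
image: atlassian/default-image:3

definitions:
  steps:
    - step: &safedep-vet-pipe
        name: "Execute Vet Scan Pipe"
        script:
          - pipe: safedep/vet-pipe:v1.2.0
            variables:
              # Assumed path to your own policy file, committed to the repository.
              # A policy violation fails the pipeline unless SKIP_FILTER_CI_FAIL
              # is set to "true".
              POLICY: "./safedep/policy.yml"
              CLOUD: "true"
              # Assumption: CLOUD_KEY and CLOUD_TENANT are defined as secured
              # repository variables in Bitbucket, so they never appear in logs
              # or in the committed pipeline file.
              CLOUD_KEY: $CLOUD_KEY
              CLOUD_TENANT: $CLOUD_TENANT
        # Keep vet-report.json for download under Pipelines > Artifacts.
        artifacts:
          - vet-report.json

pipelines:
  branches:
    main:
      - step: *safedep-vet-pipe
  pull-requests:
    '**':
      - step: *safedep-vet-pipe
```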

Support

Please raise an issue on the vet-pipe GitHub repo or the vet-pipe Bitbucket mirror for any support requests.