Skip to main content
SafeDep integrates with Bitbucket Cloud via Bitbucket Pipes, so you can add dependency scanning to any Bitbucket CI/CD pipeline.

Prerequisites

Bitbucket Account

Bitbucket account with access to your project

Repository

A source code repository to integrate SafeDep in pipelines.

Quick Start

1. Enable CI on Your Project

If you don’t already have a bitbucket-pipelines.yml, create one 
touch bitbucket-pipelines.yml

2. Add SafeDep in your pipeline

image: atlassian/default-image:3

pipelines:
  default:
    - step:
        name: Run vet pipe
        script:
          - pipe: safedep/vet-pipe:v1.2.0
That’s it. Default values are used for dependency scanning. For policy customization and SafeDep Cloud integration, see the Inputs, Policy, and Cloud Sync sections.

On Pull Request

vet-pipe includes a feature to scan only the packages changed within a Pull Request. However, this functionality relies on environment variables (such as BITBUCKET_PR_DESTINATION_BRANCH) that are only populated when using Bitbucket’s pull-requests pipeline trigger. To enable changed packages scanning for PRs while still supporting Push and Merge events, you must configure both the pull-requests and default (or branches) triggers. The most efficient way to implement this without code redundancy is as follows: 
image: atlassian/default-image:3

definitions:
  steps:
    - step: &safedep-vet-pipe
        name: "Execute Vet Scan Pipe"
        script:
          - pipe: safedep/vet-pipe:v1.2.0
          
pipelines:
  branches:
    main:
      - step: *safedep-vet-pipe
  pull-requests:
    '**':
      - step: *safedep-vet-pipe

Reports

vet-pipe supports Bitbucket Native Code Insights Reports. Each Pull Request or Push gets a report, and findings are attached to their respective files and visible in the Bitbucket UI. Bitbucket UI Demo Annotations

Inputs

vet-pipe accepts the following variables.

Cloud Sync

Cloud Sync requires a subscription to SafeDep Cloud.
Cloud Sync synchronizes scan data and policy violations with SafeDep Cloud for centralized analysis, query and reporting. Set the following variables to enable cloud sync: 
image: atlassian/default-image:3

pipelines:
  default:
    - step:
        name: Run vet pipe
        script:
          - pipe: safedep/vet-pipe:v1.2.0
            variables:
              CLOUD: "true"
              CLOUD_KEY: $CLOUD_KEY
              CLOUD_TENANT: $CLOUD_TENANT
You can generate your CLOUD_KEY and CLOUD_TENANT values from https://app.safedep.io To create these:
  • Sign Up / Login to https://app.safedep.io
  • Create your Tenant
  • Go to Settings
  • Go to API Keys
  • Then create API Key

Policy Customization

Policy customization is optional. SafeDep Pipe comes with default policies.
Policy as Code treats security policies as configuration files evaluated by tools to make runtime decisions. To use your own policies, specify them with the POLICY variable. See Policy as Code for more details. 
image: alpine:latest

pipelines:
  default:
    - step:
        name: "Run Vet Scan"
        script:
          - pipe: safedep/vet-pipe:v1.2.0
            variables:
              POLICY: "./safedep/policy.yml"
When a policy violation occurs, the pipeline fails. To overwrite this, set SKIP_FILTER_CI_FAIL: "true" in variables, to skip fail when a policy violation happens.

Other Inputs

See the vet-pipe Bitbucket repo for more detail about other available inputs.

Artifact

Each vet execution produces a vet-report.json file via the --report-json flag. To make this file downloadable, set the artifacts property in bitbucket-pipelines.yml: 
- step:
    name: "Run Vet Scan"
    script:
      - pipe: safedep/vet-pipe:v1.2.0
    artifacts:
      - vet-report.json
This file will be available to download at Pipelines > Select a Pipeline > Artifacts in the Bitbucket UI.

Support

Raise an issue on the vet-pipe GitHub repo or the vet-pipe Bitbucket mirror.