You already have a Node project configured with Bitbucket CI/CD Pipelines but want to introduce security scanning that stops your builds when a vulnerability is detected.
Use Snyk, a security vulnerability scanning tool.
- Create an account with Snyk.io
- Follow the integration guide on the Snyk website to connect your Bitbucket repository as a project
- Log into your Snyk account
- On the bottom left click your user name
- Click Account Settings
- Click General
- Under Auth Token you should see your auth token
- Click "click to show" to reveal the auth token, then copy it
- Log into your Bitbucket account
- Click on your repository
- On the bottom left, click Repository Settings
- On the left panel look for the section called PIPELINES
- Under PIPELINES section, click Repository variables
- Locate the empty text fields labeled Name and Value
- In the Name text field, enter SNYK_TOKEN
- In the Value text field, paste the Auth Token you copied from your Snyk account
- Ensure the Secured checkbox is checked (this hides the token in the UI and masks it in build logs)
- Click Add
- Log into your Snyk account
- On the left panel under ORGANIZATION, click Settings
- Under Organization ID section, copy your organization ID
- Log into your Bitbucket account
- Click on your repository
- On the bottom left, click Repository Settings
- On the left panel look for the section called PIPELINES
- Under PIPELINES section, click Repository variables
- Locate the empty text fields labeled Name and Value
- In the Name text field, enter SNYK_ORG_ID
- In the Value text field, paste the Organization ID you copied from your Snyk account
- Ensure the Secured checkbox is checked
- Click Add
- Log into your Bitbucket account
- Click on your repository
- On the bottom left, click Repository Settings
- On the left panel look for the section called PIPELINES
- Under PIPELINES section, click Repository variables
- Locate the empty text fields labeled Name and Value
- In the Name text field, enter SNYK_PROJECT_NAME
- In the Value text field, type your desired project name (I used the same name as my repo)
- Ensure the Secured checkbox is checked (optional for the project name, since it is not a secret, but harmless)
- Click Add
- Open your repository's bitbucket-pipelines.yml file
- Under definitions: and its steps: list, add the following step definition:

    definitions:
      steps:
        - step: &snyk_security_scan
            name: Snyk Security Scan   # Vulnerability Scanning
            caches:
              - node
            script:
              - npm install -g snyk
              - snyk auth $SNYK_TOKEN
              - snyk monitor --org=$SNYK_ORG_ID --project-name=$SNYK_PROJECT_NAME --severity-threshold=low   # Sends report to Snyk WebUI
              - snyk test --org=$SNYK_ORG_ID --project-name=$SNYK_PROJECT_NAME --severity-threshold=low   # Stops build if it fails
After adding this, the step is defined and you can reference it anywhere you like within your pipelines: section.
The snyk monitor command scans the project and sends the report to your Snyk account so you can inspect the results, but it won't stop your pipeline if there are vulnerabilities.
The snyk test command WILL stop your build if it detects vulnerabilities: it exits non-zero when it finds an issue at or above the --severity-threshold, and a non-zero exit fails the step. Running monitor before test means the snapshot still reaches the Snyk UI when test fails the build.
Two practical notes: the Snyk CLI also reads a SNYK_TOKEN environment variable directly, so with a secured variable of that name the explicit snyk auth call is optional; and for an npm project the dependency tree must be resolvable (a package-lock.json in the repository, or npm ci run earlier in the same step), otherwise snyk test errors out before it scans anything, which is a scanner failure rather than a vulnerability finding.
Add the following line anywhere under your pipelines: section where you would like to run a Snyk security scan:

    - step: *snyk_security_scan
View this bitbucket-pipelines.yml example, which shows how the file should look in your environment.
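A complete bitbucket-pipelines.yml that wires the step above into an npm project, as an added example rather than the file from the original post. The node image tag, the npm ci and npm test commands, the "Build and unit test" step and the main branch name are assumptions; the Snyk step matches the definition above, with npm ci added before it because each Bitbucket step starts from a fresh container and Snyk needs the dependency tree to test an npm project.

```yaml
# Added example (not the original post's file): a full bitbucket-pipelines.yml
# for an npm project. Assumptions: node:18 image, `npm ci` / `npm test` as the
# build commands, and `main` as the deployment branch.
image: node:18

definitions:
  steps:
    - step: &snyk_security_scan
        name: Snyk Security Scan   # Vulnerability scanning
        caches:
          - node
        script:
          # Each step runs in a fresh container, so install dependencies here
          # (assumed command) so Snyk can resolve the full dependency tree.
          - npm ci
          - npm install -g snyk
          # SNYK_TOKEN is a secured repository variable; it is injected as an
          # environment variable and masked in the build log.
          - snyk auth $SNYK_TOKEN
          # Sends a snapshot to the Snyk web UI; never fails the build.
          - snyk monitor --org=$SNYK_ORG_ID --project-name=$SNYK_PROJECT_NAME --severity-threshold=low
          # Exits non-zero when an issue at or above the threshold is found,
          # which fails this step and stops everything after it.
          - snyk test --org=$SNYK_ORG_ID --project-name=$SNYK_PROJECT_NAME --severity-threshold=low

pipelines:
  # Runs for every push that has no more specific pipeline below.
  default:
    - step:
        name: Build and unit test
        caches:
          - node
        script:
          - npm ci
          - npm test
    - step: *snyk_security_scan
  # Protected branch: the scan gates the deploy step.
  branches:
    main:
      - step: *snyk_security_scan
      - step:
          name: Deploy
          script:
            - echo "Deploying; this step only runs if the Snyk scan passed"
```

Steps run sequentially and a failing step halts the pipeline, so placing *snyk_security_scan before the deploy step is what turns a finding into a blocked release rather than just a red build.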
By implementing the above Snyk and Bitbucket configurations, your CI/CD pipeline will run vulnerability checks against your code's dependencies on every run.
Depending on how you configure Bitbucket and Snyk notifications, you can receive a failed-build alert from Bitbucket and an alert from Snyk when a vulnerability is detected in your code.