
Integrate agents with Atlassian BitBucket

You can create a Veracode SCA agent that scans your repositories as an automated task in your Bitbucket pipeline.

Prerequisites

Your agent host has specific requirements that depend on the build and package managers your repositories use and on the language being scanned. To view the requirements, see the entry for your code language in Finding and fixing vulnerabilities.

Create your authentication token

By default, the agent you create is visible only to members of the workspace in which you created it. To give other teams visibility, invite them to your workspace.

To complete this task:

  1. In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
  2. Select Agent-Based Scan.
  3. Select a workspace.
  4. Select Agents > Actions > Create > Bitbucket Pipelines.
  5. Select Create Agent & Generate Token.
  6. Copy the value in the token field. You use the token to authenticate with Veracode SCA during scans.

Configure your environment variable

You can set the environment variable used for scanning at either the account level or the repository level.

To complete this task:

  1. In Bitbucket, go to Account > Bitbucket Settings.
  2. Select an individual account or a team for which you want to configure variables.
  3. From the left navigation, select Pipelines > Environment variables.
  4. For Type variable, enter SRCCLR_API_TOKEN.
  5. For Type value, paste your API token.
  6. Verify the Secured checkbox is selected.
  7. Select Add.

Configure a repository environment variable

Environment variables added at the repository level can be accessed by any user with push permission on the repository. Set a repository environment variable if you want scans to run on each new build of that repository.

To complete this task:

  1. In Bitbucket, go to the repository you want to scan and select Settings > Pipelines > Environment variables.
  2. For Type variable, enter SRCCLR_API_TOKEN.
  3. For Type value, paste your API token.
  4. Verify the Secured checkbox is selected.
  5. Select Add.

Configure your repos

To scan your repos, add the following step to the default pipeline in the bitbucket-pipelines.yml file, so that the install command runs as the last script command of that step (indentation is significant in YAML):

  pipelines:
    default:
      - step:
          script:
            - curl -sSL https://sca-downloads.veracode.com/ci.sh | sh

Commit these changes to trigger a build for your repository. Veracode SCA scans the repository during the build and displays the results in your environment.

To scan other repositories, add the same step to the bitbucket-pipelines.yml file of each repository you want to scan.

After you add the SRCCLR_API_TOKEN environment variable, you can perform scans on each new build.
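The pipeline step above pipes the installer straight into sh and relies on SRCCLR_API_TOKEN being present. The following script is an added example (not Veracode's own ci.sh or any Bitbucket-provided code) of a small wrapper a pipeline step could call instead: it fails the build with a clear message when the secured variable is missing, never echoes the token value, and saves the installer to a file before running it so it can be inspected or checksummed. Only the variable name and the download URL come from the page; the function names and the download-to-file behaviour are assumptions.

```shell
#!/bin/sh
# Added example wrapper for the Veracode SCA pipeline step.
# Assumes the secured Bitbucket Pipelines variable SRCCLR_API_TOKEN is
# configured as described above; the download URL is the one from the page.
# Function names and the download-to-file step are assumptions, not
# Veracode's own installer logic.

SCA_INSTALLER_URL="https://sca-downloads.veracode.com/ci.sh"

# Return 0 if the supplied token value is non-empty, 1 otherwise.
# The value is never printed: Bitbucket masks secured variables in logs,
# but the script should not depend on that masking.
sca_token_present() {
    [ -n "${1:-}" ]
}

# Fetch the installer to a local file instead of piping it into sh, so the
# downloaded script can be reviewed and its hash recorded in the build log.
# Returns 0 on success, 1 if the download fails or the file is empty.
fetch_sca_installer() {
    dest="${1:-ci.sh}"
    curl -sSL -o "$dest" "$SCA_INSTALLER_URL" || return 1
    [ -s "$dest" ] || return 1
    # Record what was actually downloaded (sha256sum is assumed to be present).
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$dest"
    fi
}

# Entry point for the pipeline step: fail fast when the token is missing so
# the build error is obvious, then download and run the installer.
run_sca_scan() {
    if ! sca_token_present "${1:-}"; then
        echo "SRCCLR_API_TOKEN is not set; configure it as a secured Pipelines variable" >&2
        return 1
    fi
    fetch_sca_installer ci.sh || {
        echo "failed to download the Veracode SCA installer" >&2
        return 1
    }
    sh ci.sh
}

# Usage inside the bitbucket-pipelines.yml step (assumption):
#   - run_sca_scan "${SRCCLR_API_TOKEN:-}"
```

In the pipeline step, replace the single curl line with a call to run_sca_scan "${SRCCLR_API_TOKEN:-}"; a missing token then stops the build before anything is downloaded rather than failing later inside the installer.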