Checkmarx One Bitbucket Pipelines Integration
You can integrate Checkmarx One into your Bitbucket pipelines using our CLI Tool. You can run Checkmarx One scans as well as perform other Checkmarx One commands using the CLI Tool.
Prerequisites
You have a Checkmarx One account and you have an OAuth Client or API Key for Checkmarx One authentication. To generate the required authentication, see Authentication for Checkmarx One CLI and Plugins.
Notice
The OAuth method has the advantage that you can specify the precise permissions the integration needs, whereas an API Key automatically inherits all permissions of the user who generates it.
Initial Setup
Before running Checkmarx One CLI commands in your Bitbucket pipelines, you need to configure access to Checkmarx One. This is done by specifying the server URLs, tenant account, and authentication credentials for accessing your Checkmarx One environment.
In your Bitbucket console, in the main navigation click on Repository settings > Repository variables.
Create variables for each of the items shown in the table below by entering a Name for the variable and its Value and then clicking Add.
Warning
Make sure the authentication variables are marked as Secured.
Repository Variables
Key | Value |
---|---|
BASE_URI | |
BASE_AUTH_URI | |
TENANT | The name of your tenant account. |
Use one of the following authentication methods. | |
OAuth CLIENT_ID and SECRET (recommended method) | These values are obtained from the Checkmarx One web application, see Creating an OAuth Client for Checkmarx One Integrations. |
API_KEY | This is obtained from the Checkmarx One web application, see Generating an API Key. |
Running CLI Commands in Bitbucket
You can use CLI commands to run scans, retrieve scan results and perform CRUD actions on your Checkmarx One Projects and Applications. For an explanation of the CLI commands, see Checkmarx One CLI Commands.
You can run our CLI Tool either using our image checkmarx/ast-cli (recommended) or using the Bitbucket base image and brew. See the examples below.
Usage Example - Running a Checkmarx One Scan in Bitbucket
The following snippet shows how you can run a Checkmarx One scan in Bitbucket using our CLI Tool.
The snippet uses the scan create command with the minimum required parameters -s (location of the source code), --project-name (name of the Checkmarx One Project), and --branch (name of the branch of the Checkmarx One Project), as well as the repository variables that you configured for connecting to Checkmarx One. We also recommend using the --agent flag with the value Bitbucket.
Warning
When running SCA Resolver as part of the scan, we recommend using the 2nd option shown below with some modifications related to SCA Resolver. An example of the script is available here.
Option 1 (recommended): Use the Checkmarx One CLI docker image to trigger the scan:
```yaml
# Run the pipeline step inside the Checkmarx One CLI image, where cx is at /app/bin/cx
image: checkmarx/ast-cli
pipelines:
  default:
    - step:
        script:
          - >-
            /app/bin/cx scan create -s . --agent Bitbucket
            --project-name $BITBUCKET_REPO_SLUG --branch $BITBUCKET_BRANCH
            --base-uri $BASE_URI --base-auth-uri $BASE_AUTH_URI --tenant $TENANT
            --client-id $CLIENT_ID --client-secret $CLIENT_SECRET
```
Option 2: Use the Bitbucket base image and brew to install the Checkmarx One CLI and trigger the scan:
```yaml
# Use the Bitbucket base image, install Homebrew and the CLI, then run the scan
image: atlassian/default-image:2
pipelines:
  default:
    - step:
        script:
          - /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
          - /home/linuxbrew/.linuxbrew/bin/brew install checkmarx/ast-cli/ast-cli
          - >-
            /home/linuxbrew/.linuxbrew/Cellar/ast-cli/*/bin/cx scan create -s . --agent Bitbucket
            --project-name $BITBUCKET_REPO_SLUG --branch $BITBUCKET_BRANCH
            --base-uri $BASE_URI --base-auth-uri $BASE_AUTH_URI --tenant $TENANT
            --client-id $CLIENT_ID --client-secret $CLIENT_SECRET
```
Notice
Check for updates to the code samples in GitHub.
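The two options above assume every repository variable is present and hard-code the OAuth flags. The following shell wrapper is an added example (not Checkmarx's own code) that builds the same scan create argument list from the repository variables described in this page, fails the step early with the names of any missing variables, and falls back from OAuth to an API Key. It assumes the CLI's API-key flag is spelled --apikey, and the function names are my own.

```shell
#!/bin/sh
# Added example (not Checkmarx's own code): assemble the `cx scan create`
# argument list from the repository variables this page describes and fail
# early when the configuration is incomplete. Assumptions not taken from the
# page: the CLI's API-key flag is spelled `--apikey`; function names are mine.

# Prints "oauth", "apikey" or "none" depending on which credential variables
# are set. OAuth wins when both are present, since it is the recommended method.
cx_auth_method() {
  if [ -n "${CLIENT_ID:-}" ] && [ -n "${CLIENT_SECRET:-}" ]; then
    echo oauth
  elif [ -n "${API_KEY:-}" ]; then
    echo apikey
  else
    echo none
  fi
}

# Prints the full argument list for `cx scan create` on stdout, or prints the
# missing variable names on stderr and returns 1.
cx_scan_args() {
  missing=""
  for v in BASE_URI BASE_AUTH_URI TENANT BITBUCKET_REPO_SLUG BITBUCKET_BRANCH; do
    eval "val=\${$v:-}"            # POSIX-compatible indirect variable lookup
    [ -n "$val" ] || missing="$missing $v"
  done
  if [ -n "$missing" ]; then
    echo "cx: missing repository variables:$missing" >&2
    return 1
  fi
  case "$(cx_auth_method)" in
    oauth)  auth="--client-id $CLIENT_ID --client-secret $CLIENT_SECRET" ;;
    apikey) auth="--apikey $API_KEY" ;;   # assumed flag name, see lead-in
    *)      echo "cx: set CLIENT_ID and CLIENT_SECRET, or API_KEY" >&2; return 1 ;;
  esac
  echo "scan create -s . --agent Bitbucket" \
       "--project-name $BITBUCKET_REPO_SLUG --branch $BITBUCKET_BRANCH" \
       "--base-uri $BASE_URI --base-auth-uri $BASE_AUTH_URI --tenant $TENANT" \
       "$auth"
}

# In a pipeline step using the Option 1 image, the call would be:
#   /app/bin/cx $(cx_scan_args) || exit 1
```

Because the printed argument list contains the credential, consume it only through command substitution as shown and never echo it into the build log.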