BitBucket CI
nctl
integrates and works with the BitBucket CI and allows scanning against security team-defined policies which ensures addressing of misconfigurations in the pipeline alongside other tests and vulnerability scanning. The nctl scan
step will trigger the scan. In case of a failure, the entire build can be configured to fail. This means that the test pipeline will fail, and the users will get quick feedback for their changes. The results of the pipeline are published to the NPM for viewing.
NPM provides insights to platform administrators on overall compliance of different code repositories in their organization. Learn more about BitBucket CI pipelines and their configuration from this official documentation.
Understanding the BitBucket CI Workflow
To see pipeline scanning with BitBucket CI in action:
Install nctl
in the BitBucket pipeline
Add the install nctl
build to the bitbucket-pipelines.yml
file in the repository. The build installs the nctl CLI and is stored as an artifact for future builds. The following code does that:
pipelines:
default:
- step:
name: 'install nctl'
script:
- echo "Installing nctl.."
- echo "Downloading and Installing NCTL 4.2.0"
- download_url="https://nirmata-downloads.s3.us-east-2.amazonaws.com/nctl/nctl_4.2.0/nctl_4.2.0_linux_amd64.zip"
- curl -L -o nctl.zip $download_url
- unzip -o nctl.zip
- echo "Verify Installation.."
- chmod 755 ./nctl
- ./nctl version
artifacts:
paths:
- nctl
Scan Repository files for misconfiguration
The nctl-scan-repo
build scans the configuration files available in the repository for any misconfigurations. The --policies
argument points to the directory containing security policies.
Note: The policies can also be stored in a different BitBucket repository. Refer to the sample list of policies here.
After the execution of this build, the pipeline will fail if there are misconfigurations which will force the developer to debug and fix the issue at the source.
- step: # This build scans config files for misconfigurations.
name: 'nctl-scan-repo' # It only starts when the build in the install stage completes successfully.
script:
- echo "Running nctl scan.."
- git remote set-url origin https://bitbucket.org/nirmata1/nctl-scan-demo/
- git checkout main # Checkout the branch of choice or use pipeline variables to specify the branch.
- ./nctl login --url https://staging.nirmata.co --userid <USER_ID> --token <API_TOKEN>
- ./nctl scan repository --policies Update
Note: Replace
<USER_ID>
and<API_TOKEN>
with the NPM ID and token respectively.
This pipeline runs in two stages: install-nctl
and scan
. Both can be visualized in the BitBucket UI. The image below represents the same.