Bitbucket Pipelines - CodeAnt AI

Overview

Run automated security and code quality scanning on your repository with comprehensive analysis, vulnerability detection, and detailed insights. Reference Repository: ci-scan-codeant

Features

🛡️ Automated security and code quality scanning
🔍 Deep code analysis and vulnerability detection
📊 Detailed reports and insights
⚡ Fast and easy integration

Setup

1. Create a CodeAnt Token

In CodeAnt AI, open the user menu (click your email at the bottom-left) and select API Tokens, click Create token, and copy the generated token (it starts with cdt_ and is shown only once). See API Tokens for the full walkthrough. This single token authenticates the scan — you don’t need a Bitbucket access token or app password.

2. Configure Repository Variables

Before using the pipe, configure this repository variable in Repository Settings → Pipelines → Repository variables:

CODEANT_TOKEN - Your CodeAnt token (cdt_…). Note: pipeline examples reference ACCESS_TOKEN — ensure you assign ACCESS_TOKEN: $CODEANT_TOKEN in your pipeline steps or set ACCESS_TOKEN directly as a repository variable.

Basic Usage

Example 1: Run CI Scan on Every Push

image: atlassian/default-image:3

pipelines:
  default:
    - step:
        name: CodeAnt CI Scan
        script:
          - pipe: docker://public.ecr.aws/d2p9q4a9/ci-scan-codeant:latest
            variables:
              ACCESS_TOKEN: $CODEANT_TOKEN

Example 2: Run CI Scan on Pull Requests Only

image: atlassian/default-image:3

pipelines:
  pull-requests:
    '**':
      - step:
          name: CodeAnt CI Scan
          script:
            - pipe: docker://public.ecr.aws/d2p9q4a9/ci-scan-codeant:latest
              variables:
                ACCESS_TOKEN: $CODEANT_TOKEN
                API_BASE: "https://api.codeant.ai"

Example 3: Branch-Specific Scanning

image: atlassian/default-image:3

pipelines:
  branches:
    main:
      - step:
          name: CodeAnt CI Scan
          script:
            - pipe: docker://public.ecr.aws/d2p9q4a9/ci-scan-codeant:latest
              variables:
                ACCESS_TOKEN: $CODEANT_TOKEN

    develop:
      - step:
          name: CodeAnt CI Scan
          script:
            - pipe: docker://public.ecr.aws/d2p9q4a9/ci-scan-codeant:latest
              variables:
                ACCESS_TOKEN: $CODEANT_TOKEN
                EXCLUDE_PATHS: 'tests,experimental'

Example 4: Custom File Filtering with Timeout and Scanners

- step:
    name: CodeAnt CI Scan
    script:
      - pipe: docker://public.ecr.aws/d2p9q4a9/ci-scan-codeant:latest
        variables:
          ACCESS_TOKEN: $CODEANT_TOKEN
          API_BASE: 'https://api.codeant.ai'
          SCANNERS: 'sast,secrets'
          INCLUDE_PATHS: 'src,lib'
          EXCLUDE_PATHS: 'tests,docs'
          TIMEOUT: '900'              # 15 minutes
          POLLING_INTERVAL: '45'      # Poll every 45 seconds

Example 5: Manual Trigger Pipeline

image: atlassian/default-image:3

pipelines:
  custom:
    security-scan:
      - step:
          name: CodeAnt CI Scan
          script:
            - pipe: docker://public.ecr.aws/d2p9q4a9/ci-scan-codeant:latest
              variables:
                ACCESS_TOKEN: $CODEANT_TOKEN

Configuration Variables

Variable	Required	Default	Description
`CODEANT_TOKEN`	Yes	-	CodeAnt API token (`cdt_…`) for authentication — see API Tokens (set as repository variable and pass as `ACCESS_TOKEN: $CODEANT_TOKEN` in pipeline)
`API_BASE`	No	`https://api.codeant.ai`	Base URL for CodeAnt API
`SCANNERS`	No	`sast,sca`	Comma-separated list of scanners to run (e.g., `all`, `sast`, `sast,sca,secrets`)
`INCLUDE_PATHS`	No	`''`	Comma-separated paths to include in scan (e.g., `src,lib`)
`EXCLUDE_PATHS`	No	`''`	Comma-separated paths to exclude from scan (e.g., `tests,docs`)
`TIMEOUT`	No	`300`	Maximum time in seconds to wait for scan results
`POLLING_INTERVAL`	No	`30`	Time in seconds between polling attempts
`QUALITY_GATE`	No	`false`	Fail the pipeline if the whole-repo quality gate does not pass. Writes `results.json`, `codeant.sarif`, `codeant-qg.xml`

Quality Gate Enforcement

🚦 Block the pipeline on the whole-repository posture: Set QUALITY_GATE: 'true' to turn the scan into an enforced gate. After the scan completes, CodeAnt evaluates the entire repository against your thresholds and the pipeline fails if the gate does not pass. This is the Checkmarx / SonarQube-style whole-repo gate, independent of the new-code/PR quality gate. Configure thresholds in Settings → Code Analysis → Quality Gates using the “(Full Code / CI Pipeline)” metrics (these run only in the pipeline, never on pull requests):

(Full Code / CI Pipeline) SAST Security Rating ≤ C
(Full Code / CI Pipeline) SCA Security Rating ≤ C
(Full Code / CI Pipeline) IaC Security Rating ≤ C
(Full Code / CI Pipeline) Duplicate Code Percentage > 30

Results group into three status checks: SAST (app security + IaC), SCA (dependencies), and SCR (duplicate code). The gate writes codeant.sarif (SARIF 2.1.0), codeant-qg.xml (JUnit), and results.json (full verdict + findings).

- step:
    name: CodeAnt Quality Gate
    script:
      - pipe: docker://public.ecr.aws/d2p9q4a9/ci-scan-codeant:latest
        variables:
          ACCESS_TOKEN: $CODEANT_TOKEN
          SCANNERS: 'all'
          QUALITY_GATE: 'true'
    artifacts:
      - results.json
      - codeant.sarif
      - codeant-qg.xml

Scanner Options

🔍 Available Scanners: The SCANNERS variable allows you to customize which security scanners run during analysis:

sast - Static Application Security Testing (code vulnerabilities)
sca - Software Composition Analysis (dependency vulnerabilities)
secrets - Secret detection (API keys, passwords, tokens)
antipatterns - Code quality and duplicate code detection
iac - Infrastructure as Code security (Terraform, CloudFormation, etc.)
all - Run all available scanners

Default: If not specified, runs sast,sca Examples:

Run all scanners: SCANNERS: 'all'
Only SAST: SCANNERS: 'sast'
SAST + Secrets: SCANNERS: 'sast,secrets'
Full security suite: SCANNERS: 'sast,sca,secrets,iac'

Scanner Configuration Examples

Run All Scanners

- step:
    name: CodeAnt CI Scan (All Scanners)
    script:
      - pipe: docker://public.ecr.aws/d2p9q4a9/ci-scan-codeant:latest
        variables:
          ACCESS_TOKEN: $CODEANT_TOKEN
          SCANNERS: 'all'

Security-Focused Scan

- step:
    name: CodeAnt CI Scan (Security Only)
    script:
      - pipe: docker://public.ecr.aws/d2p9q4a9/ci-scan-codeant:latest
        variables:
          ACCESS_TOKEN: $CODEANT_TOKEN
          SCANNERS: 'sast,secrets'

How It Works

Download script We fetch a small Bash helper (start_scan.sh) from the CodeAnt CI endpoint.
Make it runnable Mark the script executable so you can invoke it directly.
Invoke the scan The script POSTs your repo, commit, and file-globs to /analysis/ci/scan, using your token for auth.
Pipeline feedback
- On success, you’ll see a parsed JSON response in the job log.
- On failure (non-2xx HTTP), the script exits non-zero, failing your pipeline immediately.

With this in place, every push will automatically kick off a CodeAnt analysis run—and your CI status will reflect whether any HIGH-severity issues were detected.

Execution Time Considerations

⏱️ Performance Options:

Default behavior (with result waiting): ~5-7 minutes
- Triggers scan and waits for complete analysis results
- Includes both security and SCA (Software Composition Analysis) results
- Best for comprehensive CI/CD pipelines where you need immediate feedback
Custom timeout settings: Adjust based on repository size
- Use TIMEOUT: '900' (15 minutes) for larger repositories
- Use POLLING_INTERVAL: '45' to reduce API polling frequency
- Results can also be viewed in the CodeAnt dashboard

Tip: For larger repositories or comprehensive scans, increase the timeout to avoid premature pipeline failures while the analysis completes. You can also customize scanners using the SCANNERS variable for targeted or comprehensive security analysis.

Troubleshooting

Pipeline Fails Immediately

Issue: Pipeline fails with “ACCESS_TOKEN is required but not set” Solution: Ensure you’ve set CODEANT_TOKEN in your repository variables and it’s marked as secured.

Scan Failures

Issue: Scan fails or returns errors Solution: Verify your repository is accessible, check the API base URL is correct, and review pipeline logs for specific error messages.

Authentication Errors

Issue: Authentication errors during scan Solution: Verify your CODEANT_TOKEN holds a valid CodeAnt token (cdt_…) that hasn’t been revoked and belongs to the same organization as the repository. You can re-issue tokens under API Tokens (in the user menu — your email at the bottom-left) in CodeAnt AI — see API Tokens.

Pipe Not Found

Issue: Cannot pull the Docker image Solution: Verify the pipe image path docker://public.ecr.aws/d2p9q4a9/ci-scan-codeant:latest is correct and your workspace has access to pull public Docker images.

Support

📧 Email: support@codeant.ai
📚 Documentation: https://docs.codeant.ai
🐛 Repository: https://bitbucket.org/codeantworkspace/ci-scan-codeant/src/main/

License

MIT License - see LICENSE file for details

​Overview

​Features

​Setup

​1. Create a CodeAnt Token

​2. Configure Repository Variables

​Basic Usage

​Example 1: Run CI Scan on Every Push

​Example 2: Run CI Scan on Pull Requests Only

​Example 3: Branch-Specific Scanning

​Example 4: Custom File Filtering with Timeout and Scanners

​Example 5: Manual Trigger Pipeline

​Configuration Variables

​Quality Gate Enforcement

​Scanner Options

​Scanner Configuration Examples

​Run All Scanners

​Security-Focused Scan

​How It Works

​Execution Time Considerations

​Troubleshooting

​Pipeline Fails Immediately

​Scan Failures

​Authentication Errors

​Pipe Not Found

​Support

​License