
Overview

Run automated security and code quality scanning on your repository with comprehensive analysis, vulnerability detection, and detailed insights.

Reference Repository: ci-scan-codeant

Features

  • 🛡️ Automated security and code quality scanning
  • 🔍 Deep code analysis and vulnerability detection
  • 📊 Detailed reports and insights
  • ⚡ Fast and easy integration

Setup

1. Get Your Repository Access Token

  1. Go to your repository Settings
  2. Navigate to Security > Access tokens
  3. Click Create repository access token
  4. Select permissions:
    • Repositories: Read, Write (allow repository read/write access)
    • Pull requests: Read, Write (allow pull request read/write access)
    • Verify the created token shows the repository and pull-request scopes needed by your pipeline (or App Password equivalents).
  5. Copy the generated token

2. Configure Repository Variables

Before using the pipe, configure these repository variables in Repository Settings → Pipelines → Repository variables:
  • BITBUCKET_ACCESS_TOKEN - Your Bitbucket Repository Access Token (set this as a secured repository variable). Note: the pipeline examples pass the token to the pipe as ACCESS_TOKEN, so either assign ACCESS_TOKEN: $BITBUCKET_ACCESS_TOKEN in your pipeline step, as the examples do, or set ACCESS_TOKEN directly as a repository variable.

Basic Usage

Example 1: Run CI Scan on Every Push

image: atlassian/default-image:3

pipelines:
  default:
    - step:
        name: CodeAnt CI Scan
        script:
          - pipe: docker://public.ecr.aws/d2p9q4a9/ci-scan-codeant:latest
            variables:
              ACCESS_TOKEN: $BITBUCKET_ACCESS_TOKEN

Example 2: Run CI Scan on Pull Requests Only

image: atlassian/default-image:3

pipelines:
  pull-requests:
    '**':
      - step:
          name: CodeAnt CI Scan
          script:
            - pipe: docker://public.ecr.aws/d2p9q4a9/ci-scan-codeant:latest
              variables:
                ACCESS_TOKEN: $BITBUCKET_ACCESS_TOKEN
                API_BASE: "https://api.codeant.ai"

Example 3: Branch-Specific Scanning

image: atlassian/default-image:3

pipelines:
  branches:
    main:
      - step:
          name: CodeAnt CI Scan
          script:
            - pipe: docker://public.ecr.aws/d2p9q4a9/ci-scan-codeant:latest
              variables:
                ACCESS_TOKEN: $BITBUCKET_ACCESS_TOKEN

    develop:
      - step:
          name: CodeAnt CI Scan
          script:
            - pipe: docker://public.ecr.aws/d2p9q4a9/ci-scan-codeant:latest
              variables:
                ACCESS_TOKEN: $BITBUCKET_ACCESS_TOKEN
                EXCLUDE_PATHS: 'tests,experimental'

Example 4: Custom File Filtering with Timeout and Scanners

- step:
    name: CodeAnt CI Scan
    script:
      - pipe: docker://public.ecr.aws/d2p9q4a9/ci-scan-codeant:latest
        variables:
          ACCESS_TOKEN: $BITBUCKET_ACCESS_TOKEN
          API_BASE: 'https://api.codeant.ai'
          SCANNERS: 'sast,secrets'
          INCLUDE_PATHS: 'src,lib'
          EXCLUDE_PATHS: 'tests,docs'
          TIMEOUT: '900'              # 15 minutes
          POLLING_INTERVAL: '45'      # Poll every 45 seconds

Example 5: Manual Trigger Pipeline

image: atlassian/default-image:3

pipelines:
  custom:
    security-scan:
      - step:
          name: CodeAnt CI Scan
          script:
            - pipe: docker://public.ecr.aws/d2p9q4a9/ci-scan-codeant:latest
              variables:
                ACCESS_TOKEN: $BITBUCKET_ACCESS_TOKEN

Configuration Variables

Variable         | Required | Default                | Description
-----------------|----------|------------------------|------------------------------------------------------------
ACCESS_TOKEN     | Yes      | -                      | Bitbucket access token used by the pipeline (set this to the $BITBUCKET_ACCESS_TOKEN repository variable or populate ACCESS_TOKEN directly in repository variables).
API_BASE         | No       | https://api.codeant.ai | Base URL for the CodeAnt API
SCANNERS         | No       | sast,sca               | Comma-separated list of scanners to run (e.g., all, sast, or sast,sca,secrets)
INCLUDE_PATHS    | No       | ''                     | Comma-separated paths to include in the scan (e.g., src,lib)
EXCLUDE_PATHS    | No       | ''                     | Comma-separated paths to exclude from the scan (e.g., tests,docs)
TIMEOUT          | No       | 300                    | Maximum time in seconds to wait for scan results
POLLING_INTERVAL | No       | 30                     | Time in seconds between polling attempts

Scanner Options

🔍 Available Scanners: The SCANNERS variable allows you to customize which security scanners run during analysis:
  • sast - Static Application Security Testing (code vulnerabilities)
  • sca - Software Composition Analysis (dependency vulnerabilities)
  • secrets - Secret detection (API keys, passwords, tokens)
  • antipatterns - Code quality and duplicate code detection
  • iac - Infrastructure as Code security (Terraform, CloudFormation, etc.)
  • all - Run all available scanners
Default: If not specified, runs sast,sca.

Examples:
  • Run all scanners: SCANNERS: 'all'
  • Only SAST: SCANNERS: 'sast'
  • SAST + Secrets: SCANNERS: 'sast,secrets'
  • Full security suite: SCANNERS: 'sast,sca,secrets,iac'

Scanner Configuration Examples

Run All Scanners

- step:
    name: CodeAnt CI Scan (All Scanners)
    script:
      - pipe: docker://public.ecr.aws/d2p9q4a9/ci-scan-codeant:latest
        variables:
          ACCESS_TOKEN: $BITBUCKET_ACCESS_TOKEN
          SCANNERS: 'all'

Security-Focused Scan

- step:
    name: CodeAnt CI Scan (Security Only)
    script:
      - pipe: docker://public.ecr.aws/d2p9q4a9/ci-scan-codeant:latest
        variables:
          ACCESS_TOKEN: $BITBUCKET_ACCESS_TOKEN
          SCANNERS: 'sast,secrets'

How It Works

  1. Download script: the pipe fetches a small Bash helper (start_scan.sh) from the CodeAnt CI endpoint.
  2. Make it runnable: the script is marked executable so it can be invoked directly.
  3. Invoke the scan: the script POSTs your repo, commit, and file globs to /analysis/ci/scan, using your token for auth.
  4. Pipeline feedback:
    • On success, you’ll see a parsed JSON response in the job log.
    • On failure (non-2xx HTTP), the script exits non-zero, failing your pipeline immediately.
With this in place, every push will automatically kick off a CodeAnt analysis run, and your CI status will reflect whether any HIGH-severity issues were detected.

Execution Time Considerations

⏱️ Performance Options:
  • Default behavior (with result waiting): ~5-7 minutes
    • Triggers scan and waits for complete analysis results
    • Includes both security and SCA (Software Composition Analysis) results
    • Best for comprehensive CI/CD pipelines where you need immediate feedback
  • Custom timeout settings: Adjust based on repository size
    • Use TIMEOUT: '900' (15 minutes) for larger repositories
    • Use POLLING_INTERVAL: '45' to reduce API polling frequency
    • Results can also be viewed in the CodeAnt dashboard
Tip: For larger repositories or comprehensive scans, increase the timeout to avoid premature pipeline failures while the analysis completes. You can also customize scanners using the SCANNERS variable for targeted or comprehensive security analysis.
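To make the flow in "How It Works" and the TIMEOUT / POLLING_INTERVAL behaviour above concrete, here is a hypothetical stand-in for start_scan.sh written for this page; it is not CodeAnt's script. It reads the variables the pipe documents and the standard Bitbucket Pipelines variables BITBUCKET_REPO_FULL_NAME and BITBUCKET_COMMIT; the JSON body fields, the Bearer Authorization header, the "completed" status marker and STATUS_URL are assumptions, since the page does not document them.

```shell
# Hypothetical stand-in for the pipe's start_scan.sh (NOT CodeAnt's own script). It mirrors
# "How It Works": fail fast without a token, validate SCANNERS, POST to /analysis/ci/scan,
# treat non-2xx as failure, and stop waiting after TIMEOUT seconds. Body, header and the
# status check are assumptions.
set -eu

# Returns 0 when every comma-separated entry is a scanner the README lists.
validate_scanners() {
  list="${1:-sast,sca}"; old_ifs=$IFS; IFS=','
  for s in $list; do
    case "$s" in
      all|sast|sca|secrets|antipatterns|iac) ;;
      *) IFS=$old_ifs; echo "unknown scanner: $s" >&2; return 1 ;;
    esac
  done
  IFS=$old_ifs; return 0
}

# How many polls fit into TIMEOUT at POLLING_INTERVAL seconds each (at least one).
poll_attempts() {
  timeout="${1:-300}"; interval="${2:-30}"
  [ "$interval" -gt 0 ] || interval=30
  n=$(( timeout / interval ))
  [ "$n" -ge 1 ] && echo "$n" || echo 1
}

# Non-2xx HTTP status fails the step, as the README states.
http_ok() { case "$1" in 2[0-9][0-9]) return 0 ;; *) return 1 ;; esac; }

run_scan() {
  : "${ACCESS_TOKEN:?ACCESS_TOKEN is required but not set}"   # message quoted in Troubleshooting
  validate_scanners "${SCANNERS:-sast,sca}"
  api="${API_BASE:-https://api.codeant.ai}"
  # Body fields are assumed; the page only says repo, commit and file globs are sent.
  body=$(printf '{"repo":"%s","commit":"%s","scanners":"%s","include":"%s","exclude":"%s"}' \
    "${BITBUCKET_REPO_FULL_NAME:-}" "${BITBUCKET_COMMIT:-}" "${SCANNERS:-sast,sca}" \
    "${INCLUDE_PATHS:-}" "${EXCLUDE_PATHS:-}")
  status=$(curl -sS -o scan.json -w '%{http_code}' -X POST "$api/analysis/ci/scan" \
    -H "Authorization: Bearer $ACCESS_TOKEN" -H 'Content-Type: application/json' -d "$body")
  http_ok "$status" || { echo "scan request failed: HTTP $status" >&2; return 1; }
  # Re-check until the response reports completion or TIMEOUT elapses (placeholders below).
  left=$(poll_attempts "${TIMEOUT:-300}" "${POLLING_INTERVAL:-30}")
  while [ "$left" -gt 0 ]; do
    grep -q '"status": *"completed"' scan.json && { cat scan.json; return 0; }
    sleep "${POLLING_INTERVAL:-30}"
    curl -sS -o scan.json -H "Authorization: Bearer $ACCESS_TOKEN" "${STATUS_URL:?placeholder}"
    left=$((left - 1))
  done
  echo "no result within ${TIMEOUT:-300}s; raise TIMEOUT for large repositories" >&2; return 1
}
```

With TIMEOUT: '900' and POLLING_INTERVAL: '45', as in Example 4, poll_attempts yields 20 checks before the step gives up; the defaults (300 and 30) yield 10.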

Troubleshooting

Pipeline Fails Immediately

Issue: Pipeline fails with “ACCESS_TOKEN is required but not set”.
Solution: Ensure you’ve set BITBUCKET_ACCESS_TOKEN in your repository variables and it’s marked as secured.

Scan Failures

Issue: Scan fails or returns errors.
Solution: Verify your repository is accessible, check that the API base URL is correct, and review pipeline logs for specific error messages.

Authentication Errors

Issue: Authentication errors during scan.
Solution: Verify your ACCESS_TOKEN is valid, has the necessary permissions, and is not expired.

Pipe Not Found

Issue: Cannot pull the Docker image.
Solution: Verify the pipe image path docker://public.ecr.aws/d2p9q4a9/ci-scan-codeant:latest is correct and your workspace has access to pull public Docker images.

Support

License

MIT License - see LICENSE file for details