# Bitbucket Pipelines

> Set up CodeAnt CI security and code quality analysis in your Bitbucket pipeline.

## Overview

Run automated security and code quality scanning on your repository with comprehensive analysis, vulnerability detection, and detailed insights.

**Reference Repository**: [ci-scan-codeant](https://bitbucket.org/codeantworkspace/ci-scan-codeant/src/main/)

## Features

* 🛡️ Automated security and code quality scanning
* 🔍 Deep code analysis and vulnerability detection
* 📊 Detailed reports and insights
* ⚡ Fast and easy integration

## Setup

### 1. Get Your Access Token

Bitbucket supports two token scopes — use whichever fits your setup:

| Token Type                  | Best For                 | Where to Create                                    |
| --------------------------- | ------------------------ | -------------------------------------------------- |
| **Repository Access Token** | Single repository        | Repository **Settings → Security → Access tokens** |
| **Workspace Access Token**  | All repos in a workspace | Workspace **Settings → Security → Access tokens**  |

**Repository Access Token** (repo-level):

1. Go to your repository **Settings**
2. Navigate to **Security > Access tokens**
3. Click **Create repository access token**
4. Select permissions:
   * **Repositories**: Read, Write (allow repository read/write access)
   * **Pull requests**: Read, Write (allow pull request read/write access)
5. Copy the generated token

**Workspace Access Token** (workspace-level):

1. Go to your workspace **Settings**
2. Navigate to **Security > Access tokens**
3. Click **Create workspace access token**
4. Select the same permissions as above
5. Copy the generated token

![Bitbucket access token scopes](https://mintcdn.com/codeantai/yGtXdRPWJV6-JMZc/images/setup/bitbucket/access_token_scopes.png?fit=max&auto=format&n=yGtXdRPWJV6-JMZc&q=85&s=8b618e65800400e47313d936aa1d784e)

> **Note:** Do **not** use an **Atlassian API Token** (generated at [id.atlassian.com](https://id.atlassian.com)) — that token authenticates with Jira Cloud, Confluence Cloud, and Jira Align only, and will **not** work with Bitbucket. See [Atlassian docs](https://support.atlassian.com/atlassian-account/docs/manage-api-tokens-for-your-atlassian-account/). Use a **Bitbucket Repository Access Token** or **Workspace Access Token** instead.

### 2. Configure Repository Variables

Before using the pipe, configure these repository variables in **Repository Settings → Pipelines → Repository variables**:

* `BITBUCKET_ACCESS_TOKEN` - Your Bitbucket Repository (or Workspace) Access Token, stored as a repository variable and marked **Secured** so it is masked in pipeline logs. Note: the pipe itself reads `ACCESS_TOKEN`, so either pass `ACCESS_TOKEN: $BITBUCKET_ACCESS_TOKEN` in the pipe's `variables` (as the examples below do) or define `ACCESS_TOKEN` directly as a repository variable.

## Basic Usage

### Example 1: Run CI Scan on Every Push

```yaml
image: atlassian/default-image:3

pipelines:
  default:
    - step:
        name: CodeAnt CI Scan
        script:
          - pipe: docker://public.ecr.aws/d2p9q4a9/ci-scan-codeant:latest
            variables:
              ACCESS_TOKEN: $BITBUCKET_ACCESS_TOKEN
```

### Example 2: Run CI Scan on Pull Requests Only

```yaml
image: atlassian/default-image:3

pipelines:
  pull-requests:
    '**':
      - step:
          name: CodeAnt CI Scan
          script:
            - pipe: docker://public.ecr.aws/d2p9q4a9/ci-scan-codeant:latest
              variables:
                ACCESS_TOKEN: $BITBUCKET_ACCESS_TOKEN
                API_BASE: "https://api.codeant.ai"
```

### Example 3: Branch-Specific Scanning

```yaml
image: atlassian/default-image:3

pipelines:
  branches:
    main:
      - step:
          name: CodeAnt CI Scan
          script:
            - pipe: docker://public.ecr.aws/d2p9q4a9/ci-scan-codeant:latest
              variables:
                ACCESS_TOKEN: $BITBUCKET_ACCESS_TOKEN

    develop:
      - step:
          name: CodeAnt CI Scan
          script:
            - pipe: docker://public.ecr.aws/d2p9q4a9/ci-scan-codeant:latest
              variables:
                ACCESS_TOKEN: $BITBUCKET_ACCESS_TOKEN
                EXCLUDE_PATHS: 'tests,experimental'
```

### Example 4: Custom File Filtering with Timeout and Scanners

```yaml
- step:
    name: CodeAnt CI Scan
    script:
      - pipe: docker://public.ecr.aws/d2p9q4a9/ci-scan-codeant:latest
        variables:
          ACCESS_TOKEN: $BITBUCKET_ACCESS_TOKEN
          API_BASE: 'https://api.codeant.ai'
          SCANNERS: 'sast,secrets'
          INCLUDE_PATHS: 'src,lib'
          EXCLUDE_PATHS: 'tests,docs'
          TIMEOUT: '900'              # 15 minutes
          POLLING_INTERVAL: '45'      # Poll every 45 seconds
```

### Example 5: Manual Trigger Pipeline

```yaml
image: atlassian/default-image:3

pipelines:
  custom:
    security-scan:
      - step:
          name: CodeAnt CI Scan
          script:
            - pipe: docker://public.ecr.aws/d2p9q4a9/ci-scan-codeant:latest
              variables:
                ACCESS_TOKEN: $BITBUCKET_ACCESS_TOKEN
```

## Configuration Variables

| Variable                 | Required | Default                  | Description                                                                                                                                       |
| ------------------------ | -------- | ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------- |
| `BITBUCKET_ACCESS_TOKEN` | Yes      | -                        | Bitbucket Repository or Workspace Access Token for authentication (set as a secured repository variable and pass as `ACCESS_TOKEN: $BITBUCKET_ACCESS_TOKEN` in the pipeline) |
| `API_BASE`               | No       | `https://api.codeant.ai` | Base URL for CodeAnt API                                                                                                                          |
| `SCANNERS`               | No       | `sast,sca`               | Comma-separated list of scanners to run (e.g., `all`, `sast`, `sast,sca,secrets`)                                                                 |
| `INCLUDE_PATHS`          | No       | `''`                     | Comma-separated paths to include in scan (e.g., `src,lib`)                                                                                        |
| `EXCLUDE_PATHS`          | No       | `''`                     | Comma-separated paths to exclude from scan (e.g., `tests,docs`)                                                                                   |
| `TIMEOUT`                | No       | `300`                    | Maximum time in seconds to wait for scan results                                                                                                  |
| `POLLING_INTERVAL`       | No       | `30`                     | Time in seconds between polling attempts                                                                                                          |

## Scanner Options

🔍 **Available Scanners:**

The `SCANNERS` variable allows you to customize which security scanners run during analysis:

* **`sast`** - Static Application Security Testing (code vulnerabilities)
* **`sca`** - Software Composition Analysis (dependency vulnerabilities)
* **`secrets`** - Secret detection (API keys, passwords, tokens)
* **`antipatterns`** - Code quality and duplicate code detection
* **`iac`** - Infrastructure as Code security (Terraform, CloudFormation, etc.)
* **`all`** - Run all available scanners

**Default:** If not specified, runs `sast,sca`

**Examples:**

* Run all scanners: `SCANNERS: 'all'`
* Only SAST: `SCANNERS: 'sast'`
* SAST + Secrets: `SCANNERS: 'sast,secrets'`
* Full security suite: `SCANNERS: 'sast,sca,secrets,iac'`
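The scanner names and the `sast,sca` default above are easy to mistype in a pipeline variable. The following POSIX shell helper is an added example (not part of the CodeAnt pipe or its repository) that resolves the effective scanner list from a `SCANNERS` value before the pipe runs: it applies the documented default when the value is empty, expands `all` to the five documented scanners, strips stray spaces, drops duplicates, and fails on any name that is not in the documented set. How the pipe itself treats an unknown name is not documented on this page, so failing early in your own step is the assumption this check makes.

```shell
#!/bin/sh
# Added example, not part of the CodeAnt pipe: a pre-flight check for SCANNERS
# that mirrors the scanner names and default documented on this page.
# Assumption: the pipe's own handling of unknown scanner names is not documented
# here, so this check fails the step before the pipe runs instead of relying on it.
set -eu

KNOWN_SCANNERS="sast sca secrets antipatterns iac"   # documented scanner names
DEFAULT_SCANNERS="sast,sca"                          # documented default

# normalize_scanners [LIST]
# Prints the effective comma-separated list: the default when LIST is empty,
# every documented scanner for "all", otherwise LIST with spaces stripped and
# duplicates dropped. Returns 1 if any name is unknown or the list is empty.
normalize_scanners() {
  raw=${1:-}; out=""
  [ -n "$raw" ] || raw=$DEFAULT_SCANNERS
  if [ "$raw" = all ]; then
    printf '%s\n' "$KNOWN_SCANNERS" | tr ' ' ','
    return 0
  fi
  saved_ifs=$IFS; IFS=','
  for item in $raw; do
    IFS=$saved_ifs
    item=$(printf '%s' "$item" | tr -d ' ')   # tolerate 'sast, sca'
    [ -n "$item" ] || continue
    case " $KNOWN_SCANNERS " in
      *" $item "*) ;;
      *) echo "unknown scanner '$item' (known: $KNOWN_SCANNERS, all)" >&2; return 1 ;;
    esac
    case ",$out," in
      *",$item,"*) ;;                          # duplicate name, skip it
      *) out=${out:+$out,}$item ;;
    esac
  done
  IFS=$saved_ifs
  [ -n "$out" ] || { echo "SCANNERS contains no scanner names" >&2; return 1; }
  printf '%s\n' "$out"
}

# In a pipeline step, resolve and validate the value before the pipe runs, e.g.:
#   SCANNERS=$(normalize_scanners "${SCANNERS:-}") || exit 1
```

Because the helper is plain POSIX shell, it runs unchanged in the `atlassian/default-image` step shell; put it in a `script` entry ahead of the `pipe:` line and pass the printed value through to the pipe's `SCANNERS` variable.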

### Scanner Configuration Examples

#### Run All Scanners

```yaml
- step:
    name: CodeAnt CI Scan (All Scanners)
    script:
      - pipe: docker://public.ecr.aws/d2p9q4a9/ci-scan-codeant:latest
        variables:
          ACCESS_TOKEN: $BITBUCKET_ACCESS_TOKEN
          SCANNERS: 'all'
```

#### Security-Focused Scan

```yaml
- step:
    name: CodeAnt CI Scan (Security Only)
    script:
      - pipe: docker://public.ecr.aws/d2p9q4a9/ci-scan-codeant:latest
        variables:
          ACCESS_TOKEN: $BITBUCKET_ACCESS_TOKEN
          SCANNERS: 'sast,secrets'
```

## How It Works

1. **Download script**
   We fetch a small Bash helper (`start_scan.sh`) from the CodeAnt CI endpoint.

2. **Make it runnable**
   Mark the script executable so you can invoke it directly.

3. **Invoke the scan**
   The script POSTs your repo, commit, and file-globs to `/analysis/ci/scan`, using your token for auth.

4. **Pipeline feedback**
   * On success, you'll see a parsed JSON response in the job log.
   * On failure (non-2xx HTTP), the script exits non-zero, failing your pipeline immediately.

With this in place, every push will automatically kick off a CodeAnt analysis run—and your CI status will reflect whether any HIGH-severity issues were detected.

### Execution Time Considerations

⏱️ **Performance Options:**

* **Default behavior (with result waiting)**: ~5-7 minutes
  * Triggers scan and waits for complete analysis results
  * Includes both security and SCA (Software Composition Analysis) results
  * Best for comprehensive CI/CD pipelines where you need immediate feedback

* **Custom timeout settings**: Adjust based on repository size
  * Use `TIMEOUT: '900'` (15 minutes) for larger repositories
  * Use `POLLING_INTERVAL: '45'` to reduce API polling frequency
  * Results can also be viewed in the CodeAnt dashboard

**Tip:** For larger repositories or comprehensive scans, increase the timeout to avoid premature pipeline failures while the analysis completes. You can also customize scanners using the `SCANNERS` variable for targeted or comprehensive security analysis.
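The "How It Works" steps and the timeout settings above describe two behaviours worth seeing together: the step fails closed on any non-2xx response, and `TIMEOUT` bounds how long the step waits while `POLLING_INTERVAL` sets the gap between status checks. The POSIX shell loop below is an added example, not the pipe's own `start_scan.sh`; it reproduces that logic offline by taking the status source as a shell function instead of calling the CodeAnt API. The function names (`wait_for_scan`, `demo_status`) and the variables it expects the status function to set (`HTTP_CODE`, `SCAN_STATE`) are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the CodeAnt pipe's start_scan.sh: a minimal wait loop that
# shows how TIMEOUT and POLLING_INTERVAL govern waiting for scan results and the
# fail-closed rule from "How It Works" (any non-2xx response fails the step).
# The status source is injected as a shell function so the loop runs offline.
set -eu

# wait_for_scan STATUS_FN [TIMEOUT] [POLLING_INTERVAL]
# STATUS_FN is called once per poll and must set HTTP_CODE and SCAN_STATE
# (hypothetical names for this example).
# Exit status: 0 scan completed, 1 HTTP error (fail closed), 2 timed out.
wait_for_scan() {
  status_fn=$1; timeout=${2:-300}; interval=${3:-30}; elapsed=0   # page defaults
  [ "$interval" -gt 0 ] || interval=1                             # never busy-loop
  while :; do
    "$status_fn"
    case "$HTTP_CODE" in
      2[0-9][0-9]) ;;                                             # 2xx: keep waiting
      *) echo "scan request failed: HTTP $HTTP_CODE" >&2; return 1 ;;
    esac
    [ "$SCAN_STATE" != completed ] || return 0
    if [ "$elapsed" -ge "$timeout" ]; then
      echo "no result after ${elapsed}s (TIMEOUT=$timeout); raise TIMEOUT for large repositories" >&2
      return 2
    fi
    sleep "$interval"
    elapsed=$((elapsed + interval))
  done
}

# Constructed stand-in for the API for the demo below: reports "pending" on the
# first two polls, then "completed".
demo_status() {
  DEMO_CALLS=$((${DEMO_CALLS:-0} + 1))
  HTTP_CODE=200
  if [ "$DEMO_CALLS" -ge 3 ]; then SCAN_STATE=completed; else SCAN_STATE=pending; fi
}

# Demo run: a 5 second budget polled every second completes on the third poll.
wait_for_scan demo_status 5 1 && echo "demo: scan completed after $DEMO_CALLS polls"
```

The exit-status split matters when reading pipeline logs: a non-zero exit caused by an HTTP error points at the token or API base URL, whereas a timeout with 2xx responses throughout means the analysis was still running and `TIMEOUT` should be raised rather than the configuration changed.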

## Troubleshooting

### Pipeline Fails Immediately

**Issue**: Pipeline fails with "ACCESS_TOKEN is required but not set"

**Solution**: Ensure you've set `BITBUCKET_ACCESS_TOKEN` in your repository variables and it's marked as secured.

### Scan Failures

**Issue**: Scan fails or returns errors

**Solution**: Verify your repository is accessible, check the API base URL is correct, and review pipeline logs for specific error messages.

### Authentication Errors

**Issue**: Authentication errors during scan

**Solution**: Verify your `BITBUCKET_ACCESS_TOKEN` is valid, has necessary permissions, and is not expired.

### Pipe Not Found

**Issue**: Cannot pull the Docker image

**Solution**: Verify the pipe image path `docker://public.ecr.aws/d2p9q4a9/ci-scan-codeant:latest` is correct and your workspace has access to pull public Docker images.

## Support

* 📧 Email: [support@codeant.ai](mailto:support@codeant.ai)
* 📚 Documentation: [https://docs.codeant.ai](https://docs.codeant.ai)
* 🐛 Repository: [https://bitbucket.org/codeantworkspace/ci-scan-codeant/src/main/](https://bitbucket.org/codeantworkspace/ci-scan-codeant/src/main/)

## License

MIT License - see LICENSE file for details
