> ## Documentation Index
> Fetch the complete documentation index at: https://docs.codeant.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Bitbucket Pipelines

> Set up CodeAnt CI security and code quality analysis in your Bitbucket pipeline.

## Overview

Run automated security and code quality scanning on your repository with comprehensive analysis, vulnerability detection, and detailed insights.

**Reference Repository**: [ci-scan-codeant](https://bitbucket.org/codeantworkspace/ci-scan-codeant/src/main/)

## Features

* 🛡️ Automated security and code quality scanning
* 🔍 Deep code analysis and vulnerability detection
* 📊 Detailed reports and insights
* ⚡ Fast and easy integration

## Setup

### 1. Create a CodeAnt Token

In CodeAnt AI, open the user menu (click your email at the bottom-left) and select **API Tokens**, click **Create token**, and copy the generated token (it starts with `cdt_` and is shown only once). See [API Tokens](/settings/api-tokens) for the full walkthrough. This single token authenticates the scan - you don't need a Bitbucket access token or app password.

### 2. Configure Repository Variables

Before using the pipe, configure this repository variable in **Repository Settings → Pipelines → Repository variables**:

* `CODEANT_TOKEN` - Your CodeAnt token (`cdt_…`). Note: pipeline examples reference `ACCESS_TOKEN` - ensure you assign `ACCESS_TOKEN: $CODEANT_TOKEN` in your pipeline steps or set `ACCESS_TOKEN` directly as a repository variable.

## Basic Usage

### Example 1: Run CI Scan on Every Push

```yaml theme={null}
image: atlassian/default-image:3

pipelines:
  default:
    - step:
        name: CodeAnt CI Scan
        script:
          - pipe: docker://public.ecr.aws/d2p9q4a9/ci-scan-codeant:latest
            variables:
              ACCESS_TOKEN: $CODEANT_TOKEN
```

### Example 2: Run CI Scan on Pull Requests Only

```yaml theme={null}
image: atlassian/default-image:3

pipelines:
  pull-requests:
    '**':
      - step:
          name: CodeAnt CI Scan
          script:
            - pipe: docker://public.ecr.aws/d2p9q4a9/ci-scan-codeant:latest
              variables:
                ACCESS_TOKEN: $CODEANT_TOKEN
                API_BASE: "https://api.codeant.ai"
```

### Example 3: Branch-Specific Scanning

```yaml theme={null}
image: atlassian/default-image:3

pipelines:
  branches:
    main:
      - step:
          name: CodeAnt CI Scan
          script:
            - pipe: docker://public.ecr.aws/d2p9q4a9/ci-scan-codeant:latest
              variables:
                ACCESS_TOKEN: $CODEANT_TOKEN

    develop:
      - step:
          name: CodeAnt CI Scan
          script:
            - pipe: docker://public.ecr.aws/d2p9q4a9/ci-scan-codeant:latest
              variables:
                ACCESS_TOKEN: $CODEANT_TOKEN
                EXCLUDE_PATHS: 'tests,experimental'
```

### Example 4: Custom File Filtering with Timeout and Scanners

```yaml theme={null}
- step:
    name: CodeAnt CI Scan
    script:
      - pipe: docker://public.ecr.aws/d2p9q4a9/ci-scan-codeant:latest
        variables:
          ACCESS_TOKEN: $CODEANT_TOKEN
          API_BASE: 'https://api.codeant.ai'
          SCANNERS: 'sast,secrets'
          INCLUDE_PATHS: 'src,lib'
          EXCLUDE_PATHS: 'tests,docs'
          TIMEOUT: '900'              # 15 minutes
          POLLING_INTERVAL: '45'      # Poll every 45 seconds
```

### Example 5: Manual Trigger Pipeline

```yaml theme={null}
image: atlassian/default-image:3

pipelines:
  custom:
    security-scan:
      - step:
          name: CodeAnt CI Scan
          script:
            - pipe: docker://public.ecr.aws/d2p9q4a9/ci-scan-codeant:latest
              variables:
                ACCESS_TOKEN: $CODEANT_TOKEN
```

## Configuration Variables

| Variable           | Required | Default                  | Description                                                                                                                                                                 |
| ------------------ | -------- | ------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `CODEANT_TOKEN`    | Yes      | -                        | CodeAnt API token (`cdt_…`) for authentication - see [API Tokens](/settings/api-tokens) (set as repository variable and pass as `ACCESS_TOKEN: $CODEANT_TOKEN` in pipeline) |
| `API_BASE`         | No       | `https://api.codeant.ai` | Base URL for CodeAnt API                                                                                                                                                    |
| `SCANNERS`         | No       | `sast,sca`               | Comma-separated list of scanners to run (e.g., `all`, `sast`, `sast,sca,secrets`)                                                                                           |
| `INCLUDE_PATHS`    | No       | `''`                     | Comma-separated paths to include in scan (e.g., `src,lib`)                                                                                                                  |
| `EXCLUDE_PATHS`    | No       | `''`                     | Comma-separated paths to exclude from scan (e.g., `tests,docs`)                                                                                                             |
| `TIMEOUT`          | No       | `300`                    | Maximum time in seconds to wait for scan results                                                                                                                            |
| `POLLING_INTERVAL` | No       | `30`                     | Time in seconds between polling attempts                                                                                                                                    |
| `QUALITY_GATE`     | No       | `false`                  | Fail the pipeline if the whole-repo quality gate does not pass. Writes `results.json`, `codeant.sarif`, `codeant-qg.xml`                                                    |

## Quality Gate Enforcement

🚦 **Block the pipeline on the whole-repository posture:**

Set `QUALITY_GATE: 'true'` to turn the scan into an enforced gate. After the scan completes, CodeAnt evaluates the **entire repository** against your thresholds and the pipeline **fails** if the gate does not pass. This is the Checkmarx / SonarQube-style whole-repo gate, independent of the new-code/PR quality gate.

**Configure thresholds** in **Settings → Code Analysis → Quality Gates** using the **"(Full Code / CI Pipeline)"** metrics (these run only in the pipeline, never on pull requests):

* `(Full Code / CI Pipeline) SAST Security Rating` `≤` `C`
* `(Full Code / CI Pipeline) SCA Security Rating` `≤` `C`
* `(Full Code / CI Pipeline) IaC Security Rating` `≤` `C`
* `(Full Code / CI Pipeline) Duplicate Code Percentage` `>` `30`

Results group into three status checks: **SAST** (app security + IaC), **SCA** (dependencies), and **SCR** (duplicate code). The gate writes `codeant.sarif` (SARIF 2.1.0), `codeant-qg.xml` (JUnit), and `results.json` (full verdict + findings).

```yaml theme={null}
- step:
    name: CodeAnt Quality Gate
    script:
      - pipe: docker://public.ecr.aws/d2p9q4a9/ci-scan-codeant:latest
        variables:
          ACCESS_TOKEN: $CODEANT_TOKEN
          SCANNERS: 'all'
          QUALITY_GATE: 'true'
    artifacts:
      - results.json
      - codeant.sarif
      - codeant-qg.xml
```

## Scanner Options

🔍 **Available Scanners:**

The `SCANNERS` variable allows you to customize which security scanners run during analysis:

* **`sast`** - Static Application Security Testing (code vulnerabilities)
* **`sca`** - Software Composition Analysis (dependency vulnerabilities)
* **`secrets`** - Secret detection (API keys, passwords, tokens)
* **`antipatterns`** - Code quality and duplicate code detection
* **`iac`** - Infrastructure as Code security (Terraform, CloudFormation, etc.)
* **`all`** - Run all available scanners

**Default:** If not specified, runs `sast,sca`

**Examples:**

* Run all scanners: `SCANNERS: 'all'`
* Only SAST: `SCANNERS: 'sast'`
* SAST + Secrets: `SCANNERS: 'sast,secrets'`
* Full security suite: `SCANNERS: 'sast,sca,secrets,iac'`

### Scanner Configuration Examples

#### Run All Scanners

```yaml theme={null}
- step:
    name: CodeAnt CI Scan (All Scanners)
    script:
      - pipe: docker://public.ecr.aws/d2p9q4a9/ci-scan-codeant:latest
        variables:
          ACCESS_TOKEN: $CODEANT_TOKEN
          SCANNERS: 'all'
```

#### Security-Focused Scan

```yaml theme={null}
- step:
    name: CodeAnt CI Scan (Security Only)
    script:
      - pipe: docker://public.ecr.aws/d2p9q4a9/ci-scan-codeant:latest
        variables:
          ACCESS_TOKEN: $CODEANT_TOKEN
          SCANNERS: 'sast,secrets'
```

## How It Works

1. **Download script**
   We fetch a small Bash helper (`start_scan.sh`) from the CodeAnt CI endpoint.

2. **Make it runnable**
   Mark the script executable so you can invoke it directly.

3. **Invoke the scan**
   The script POSTs your repo, commit, and file-globs to `/analysis/ci/scan`, using your token for auth.

4. **Pipeline feedback**
   * On success, you'll see a parsed JSON response in the job log.
   * On failure (non-2xx HTTP), the script exits non-zero, failing your pipeline immediately.

With this in place, every push will automatically kick off a CodeAnt analysis run - and your CI status will reflect whether any HIGH-severity issues were detected.

### Execution Time Considerations

⏱️ **Performance Options:**

* **Default behavior (with result waiting)**: \~5-7 minutes
  * Triggers scan and waits for complete analysis results
  * Includes both security and SCA (Software Composition Analysis) results
  * Best for comprehensive CI/CD pipelines where you need immediate feedback

* **Custom timeout settings**: Adjust based on repository size
  * Use `TIMEOUT: '900'` (15 minutes) for larger repositories
  * Use `POLLING_INTERVAL: '45'` to reduce API polling frequency
  * Results can also be viewed in the CodeAnt dashboard

**Tip:** For larger repositories or comprehensive scans, increase the timeout to avoid premature pipeline failures while the analysis completes. You can also customize scanners using the `SCANNERS` variable for targeted or comprehensive security analysis.

## Troubleshooting

### Pipeline Fails Immediately

**Issue**: Pipeline fails with "ACCESS\_TOKEN is required but not set"

**Solution**: Ensure you've set `CODEANT_TOKEN` in your repository variables and it's marked as secured.

### Scan Failures

**Issue**: Scan fails or returns errors

**Solution**: Verify your repository is accessible, check the API base URL is correct, and review pipeline logs for specific error messages.

### Authentication Errors

**Issue**: Authentication errors during scan

**Solution**: Verify your `CODEANT_TOKEN` holds a valid CodeAnt token (`cdt_…`) that hasn't been revoked and belongs to the same organization as the repository. You can re-issue tokens under **API Tokens** (in the user menu - your email at the bottom-left) in CodeAnt AI - see [API Tokens](/settings/api-tokens).

### Pipe Not Found

**Issue**: Cannot pull the Docker image

**Solution**: Verify the pipe image path `docker://public.ecr.aws/d2p9q4a9/ci-scan-codeant:latest` is correct and your workspace has access to pull public Docker images.

## Support

* 📧 Email: [support@codeant.ai](mailto:support@codeant.ai)
* 📚 Documentation: [https://docs.codeant.ai](https://docs.codeant.ai)
* 🐛 Repository: [https://bitbucket.org/codeantworkspace/ci-scan-codeant/src/main/](https://bitbucket.org/codeantworkspace/ci-scan-codeant/src/main/)

## License

MIT License - see LICENSE file for details## Token permission

This pipeline authenticates with a CodeAnt API token (`cdt_…`). If the token is **scoped**, give it the **Codeant CI/CD** role - it covers scans, quality gates, and test-coverage upload - scoped to the repositories this pipeline runs on (or **All repositories**). A token missing the required permission is rejected with an HTTP `403` `token_scope_forbidden` error that names the permission it needs. See [API token permissions](/settings/api-tokens#permissions-and-scopes).
