# Bitbucket Pipelines Workflow

Add the following to your `bitbucket-pipelines.yml`. It will trigger on every push to your repository and run quality gate checks to detect secrets and other security issues:
**Important:**

- Define an `ACCESS_TOKEN` secured Repository variable with a personal access token or repo token (Settings -> Repository settings -> Repository variables).
- Bitbucket Pipelines automatically provides `BITBUCKET_REPO_FULL_NAME` (e.g. `org/repo`) and `BITBUCKET_COMMIT` (current SHA).
## How it works

- **Download script**: the quality gates script (`quality_gates.sh`) is fetched from the CodeAnt API endpoint.
- **Start scan**: the script initiates a quality gate scan for your commit using the `-o start` operation.
- **Poll for results**: the script polls for scan results using the `-o results` operation with:
  - Timeout: 300 seconds (5 minutes)
  - Poll interval: 15 seconds
- **Pipeline feedback**:
  - Success: the quality gate passes if no secrets are detected
  - Failure: the quality gate fails if secrets are found, blocking the build
## Script Parameters

The `quality_gates.sh` script accepts the following parameters:

| Parameter | Description | Required | Example |
|---|---|---|---|
| `-a, --access-token` | Bitbucket Personal Access Token or repo token | Yes | `${ACCESS_TOKEN}` |
| `-r, --repo` | Repository in the format `workspace/repository` | Yes | `${BITBUCKET_REPO_FULL_NAME}` |
| `-c, --commit-id` | Commit SHA to scan | Yes | `${BITBUCKET_COMMIT}` |
| `-s, --service` | VCS provider | Yes | `bitbucket` |
| `-o, --operation` | Operation to perform (`start` or `results`) | Yes | `start` or `results` |
| `-t, --timeout` | Timeout in seconds for polling (default: 300) | No | `300` |
| `-p, --poll-interval` | Poll interval in seconds (default: 15) | No | `15` |
| `-u, --base-url` | Base URL for the VCS service (optional) | No | `https://bitbucket.org` |
## Quality Gate Checks

Currently, the quality gate performs the following checks:

**Secret Detection**

- Scans for hardcoded secrets, API keys, passwords, and tokens
- Analyzes only the changed lines since your merge base commit
- Uses high-confidence detection to minimize false positives
- Blocks the build if any secrets are found
## Best Practices

- **Run on all branches**: quality gates should run on every push to catch issues early
- **Block merges**: configure merge checks to require quality gate pipeline success before merging
- **Review failures**: when quality gates fail, review the detected issues immediately
- **Keep tokens secure**: never commit access tokens directly; always use Repository Variables
- **Use secured variables**: mark your `ACCESS_TOKEN` as secured in Repository Variables
## Troubleshooting

**Quality gate times out**

If the scan takes longer than expected:

- Increase the timeout using `-t 600` (10 minutes)
- Check if the CodeAnt service is operational
- Consider optimizing your repository size

**Authentication failures**

If you see "Access token invalid":

- Verify your `ACCESS_TOKEN` variable is correctly configured in Repository settings
- Ensure the token has appropriate repository permissions
- Check that the variable is marked as secured

**No results returned**

If the scan completes but returns no results:

- Check that quality gates are enabled for your repository in CodeAnt
- Verify the commit SHA is correct
- Ensure your Bitbucket workspace has proper integration with CodeAnt

**Pipeline fails silently**

If the pipeline exits without a clear error:

- Add `set -e` at the beginning of your script to fail on any error
- Add error handling:
## Bitbucket Environment Variables

The following Bitbucket environment variables are automatically available and used:

| Variable | Description | Example |
|---|---|---|
| `BITBUCKET_REPO_FULL_NAME` | Full repository name | `workspace/repository` |
| `BITBUCKET_COMMIT` | Current commit SHA | `abc123def456` |
| `BITBUCKET_BRANCH` | Current branch name | `main` |
| `BITBUCKET_PR_ID` | Pull request ID (if applicable) | `123` |