Bitbucket Pipelines Workflow

Add the following to your bitbucket-pipelines.yml. The default pipeline runs on every push to the repository and executes the quality gate checks, which currently look for hardcoded secrets in the changed lines:

image: python:3.11

pipelines:
  default:
    - step:
        name: Quality Gate Scan
        script:
          # Set up environment
          - export API_BASE="https://api.codeant.ai"

          # Fetch the quality gates script (served base64-encoded).
          # --fail makes curl exit non-zero on an HTTP error instead of saving
          # an error page that the next steps would decode and execute.
          # Multi-line commands use a YAML block scalar (|): a trailing backslash
          # inside a plain list item is folded onto one line and breaks the command.
          - echo "Fetching quality gates script..."
          - |
            curl -sS --fail -X GET "${API_BASE}/analysis/ci/quality-gates/script/get" \
              --output quality_gates.sh.b64

          # Decode the script and make it executable
          - base64 -d quality_gates.sh.b64 > quality_gates.sh
          - chmod +x quality_gates.sh

          # Start Quality Gate Scan
          - echo "Starting quality gate scan..."
          - |
            ./quality_gates.sh \
              -a "${ACCESS_TOKEN}" \
              -r "${BITBUCKET_REPO_FULL_NAME}" \
              -c "${BITBUCKET_COMMIT}" \
              -s bitbucket \
              -o start
          - echo "Quality gate scan initiated successfully"

          # Poll for Quality Gate Results: give up after 300 s, check every 15 s
          - echo "Polling for quality gate results..."
          - |
            ./quality_gates.sh \
              -a "${ACCESS_TOKEN}" \
              -r "${BITBUCKET_REPO_FULL_NAME}" \
              -c "${BITBUCKET_COMMIT}" \
              -s bitbucket \
              -o results \
              -t 300 \
              -p 15

          # Display status. This line runs only if every command above exited 0;
          # a non-zero exit from quality_gates.sh fails the step before it.
          - echo "Quality Gate PASSED - No secrets detected"
Important:
  • Define a Repository variable named ACCESS_TOKEN holding a Bitbucket personal access token or repository access token, and mark it Secured (Repository settings -> Repository variables). Secured variables are masked in pipeline logs and cannot be read back once saved.
  • Bitbucket Pipelines automatically provides BITBUCKET_REPO_FULL_NAME (e.g. workspace/repository) and BITBUCKET_COMMIT (the SHA being built).
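Added example, not part of the page's configuration and not CodeAnt's script: one way to stop the fetch-decode-execute step from running whatever the endpoint happens to return. The function decodes the base64 body and compares its SHA-256 with a digest you recorded after reviewing the script; EXPECTED_SCRIPT_SHA256 is an assumed name for a Secured repository variable you would create yourself. The stand-in script and its base64 wrapper are constructed inline so the block runs offline with GNU coreutils.

```shell
#!/usr/bin/env sh
# Added example, not CodeAnt's code: pin the downloaded quality_gates.sh to a
# reviewed SHA-256 before executing it. Requires GNU coreutils (base64, sha256sum).

# decode_and_verify <b64-file> <expected-sha256> <out-file>
# Decodes the base64 body, checks its digest and only then writes <out-file>
# and marks it executable. Returns 0 on match, 1 on mismatch, 2 if the body
# is not valid base64 (e.g. an HTML error page was saved instead of the script).
decode_and_verify() {
  b64="$1"; expected="$2"; out="$3"
  tmp="${out}.tmp"
  if ! base64 -d "$b64" > "$tmp" 2>/dev/null; then
    echo "refusing to run: $b64 is not a base64-encoded script" >&2
    rm -f "$tmp"
    return 2
  fi
  actual=$(sha256sum "$tmp" | cut -d' ' -f1)
  if [ "$actual" != "$expected" ]; then
    echo "refusing to run: sha256 $actual does not match expected $expected" >&2
    rm -f "$tmp"
    return 1
  fi
  mv "$tmp" "$out" && chmod +x "$out"
}

# Constructed sample: a tiny stand-in for quality_gates.sh, base64-wrapped the
# way the API serves the real one. Prints the digest a reviewer would record in
# the (assumed) EXPECTED_SCRIPT_SHA256 variable.
make_sample() {
  dir="$1"
  printf '#!/bin/sh\necho "stand-in quality gate: ok"\n' > "$dir/sample.sh"
  base64 "$dir/sample.sh" > "$dir/sample.b64"
  sha256sum "$dir/sample.sh" | cut -d' ' -f1
}

# Demo: the reviewed digest is accepted; anything else is refused and no
# executable file is left behind.
WORK=$(mktemp -d)
EXPECTED_SCRIPT_SHA256=$(make_sample "$WORK")
if decode_and_verify "$WORK/sample.b64" "$EXPECTED_SCRIPT_SHA256" "$WORK/quality_gates.sh"; then
  "$WORK/quality_gates.sh"
fi
# Simulate the endpoint serving a script you have not reviewed: the digest differs.
if ! decode_and_verify "$WORK/sample.b64" "$(printf '%064d' 0)" "$WORK/unreviewed.sh"; then
  echo "unreviewed script rejected, $WORK/unreviewed.sh was not created"
fi
# A non-base64 body (what a saved error page looks like) is rejected as well.
printf '<html>not found</html>\n' > "$WORK/error.b64"
decode_and_verify "$WORK/error.b64" "$EXPECTED_SCRIPT_SHA256" "$WORK/bad.sh" || echo "rejected with status $?"
rm -rf "$WORK"
```

In the pipeline the call would sit between the curl step and the chmod step as `decode_and_verify quality_gates.sh.b64 "${EXPECTED_SCRIPT_SHA256}" quality_gates.sh`. The trade-off is deliberate: whenever CodeAnt publishes a new script the digest changes and the step fails until you review the new version and update the variable, which is exactly what pinning buys you.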

How it works

  1. Download script
    The pipeline fetches the quality gates script (quality_gates.sh) from the CodeAnt API endpoint as a base64-encoded body, decodes it and marks it executable. The script is downloaded afresh on every run and executed as-is: the configuration above relies on TLS to the endpoint and performs no checksum or signature check of its own, so treat that endpoint as part of your trusted build chain.
  2. Start scan
    The script initiates a quality gate scan for your commit using the -o start operation.
  3. Poll for results
    The script polls for scan results using the -o results operation with:
    • Timeout: 300 seconds (5 minutes) before it gives up
    • Poll interval: 15 seconds between checks
  4. Pipeline feedback
    • Success: the script exits 0 when no secrets are detected and the step continues to the final echo
    • Failure: the script exits non-zero when secrets are found; Bitbucket fails the step at that command, so the build is blocked and the "PASSED" line is never printed

Script Parameters

The quality_gates.sh script accepts the following parameters:

| Parameter            | Description                                    | Required | Example                     |
|----------------------|------------------------------------------------|----------|-----------------------------|
| -a, --access-token   | Bitbucket Personal Access Token or repo token  | Yes      | ${ACCESS_TOKEN}             |
| -r, --repo           | Repository in the format workspace/repository  | Yes      | ${BITBUCKET_REPO_FULL_NAME} |
| -c, --commit-id      | Commit SHA to scan                             | Yes      | ${BITBUCKET_COMMIT}         |
| -s, --service        | VCS provider                                   | Yes      | bitbucket                   |
| -o, --operation      | Operation to perform (start or results)        | Yes      | start or results            |
| -t, --timeout        | Timeout in seconds for polling (default: 300)  | No       | 300                         |
| -p, --poll-interval  | Poll interval in seconds (default: 15)         | No       | 15                          |
| -u, --base-url       | Base URL for the VCS service (optional)        | No       | https://bitbucket.org       |

Quality Gate Checks

Currently, the quality gate performs the following checks:

Secret Detection

  • Scans for hardcoded secrets, API keys, passwords, and tokens
  • Analyzes only the changed lines since your merge base commit
  • Uses high-confidence detection to minimize false positives
  • Blocks the build if any secrets are found

Best Practices

  1. Run on all branches: keep the scan in the default pipeline so every push is checked and issues surface early
  2. Block merges: add a merge check that requires the quality gate pipeline to succeed before a pull request can be merged
  3. Review failures: when a quality gate fails, review the detected secret promptly; if it is a real credential, revoke or rotate it, since it is already in the pushed history, and then remove it from the change
  4. Keep tokens secure: never commit access tokens; store ACCESS_TOKEN as a Secured Repository variable so it is masked in logs and cannot be read back after saving

Troubleshooting

Quality gate times out

If the scan takes longer than expected:
  • Increase the timeout using -t 600 (10 minutes)
  • Check if the CodeAnt service is operational
  • Consider optimizing your repository size

Authentication failures

If you see "Access token invalid":
  • Verify that the ACCESS_TOKEN variable is defined in Repository settings and spelled exactly as referenced in the pipeline
  • Ensure the token has the repository permissions the scan needs and has not expired or been revoked
  • A Secured variable cannot be read back from the UI, so if in doubt re-enter the token rather than trying to inspect the stored value

No results returned

If the scan completes but returns no results:
  • Check that quality gates are enabled for your repository in CodeAnt
  • Verify the commit SHA is correct
  • Ensure your Bitbucket workspace has proper integration with CodeAnt

Pipeline fails silently

If the pipeline exits without a clear error:
  • Bitbucket fails the step as soon as any script item exits non-zero, so a missing message usually means quality_gates.sh exited before printing one. Inside a multi-line block scalar (- |) several commands share one item; add set -e at the top of that block so the first failing command stops it instead of letting later commands mask the exit status.
  • Add explicit error handling around the call so the log states which step failed:
    - ./quality_gates.sh ... || { echo "Quality gate failed!"; exit 1; }
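Added example, not CodeAnt's quality_gates.sh (whose internals this page does not show): a results poll loop with the -t (timeout) and -p (interval) semantics described under How it works, written so that "gate failed", "timed out" and "unexpected status" come out as distinct exit codes with a message, which is what the error handling above needs to report something useful. The command it polls is a constructed stand-in that assumes, hypothetically, exit 0 = pass, 1 = secrets found, 3 = scan still running; the real script's status codes are not documented here.

```shell
#!/usr/bin/env sh
# Added example, not CodeAnt's quality_gates.sh: a results poll loop with the
# -t (timeout) / -p (interval) semantics the page describes, reporting each
# outcome with its own exit status and a message so a failed step is never silent.

# poll_until <timeout-seconds> <interval-seconds> <cmd> [args...]
# Runs <cmd> every <interval> seconds until it reports a final result or the
# deadline passes. Exit status: 0 = gate passed, 1 = gate failed,
# 124 = timed out (the code coreutils timeout(1) uses), 2 = unexpected status.
# The polled command is assumed (hypothetical) to exit 0 = pass, 1 = secrets
# found, 3 = scan still running.
poll_until() {
  timeout="$1"; interval="$2"; shift 2
  deadline=$(( $(date +%s) + $timeout ))
  attempts=0
  while :; do
    attempts=$(( $attempts + 1 ))
    "$@"
    status=$?
    case "$status" in
      0) echo "attempt $attempts: quality gate PASSED"; return 0 ;;
      1) echo "attempt $attempts: quality gate FAILED, secrets found" >&2; return 1 ;;
      3) ;;  # still running: wait and try again
      *) echo "attempt $attempts: unexpected status $status from $1" >&2; return 2 ;;
    esac
    if [ "$(date +%s)" -ge "$deadline" ]; then
      echo "quality gate TIMED OUT after $attempts attempts (${timeout}s); try a larger -t" >&2
      return 124
    fi
    sleep "$interval"
  done
}

# Constructed stand-in for "-o results": keeps a call counter in <counter-file>
# and reports "still running" (3) until <ready-after> calls, then returns <final>.
fake_results() {
  counter="$1"; ready_after="$2"; final="$3"
  n=$(cat "$counter" 2>/dev/null || echo 0)
  n=$(( $n + 1 ))
  echo "$n" > "$counter"
  if [ "$n" -ge "$ready_after" ]; then
    return "$final"
  fi
  return 3
}

# Demo: a scan that finishes clean on the 3rd poll, one that finishes with
# secrets on the 2nd, and one that never finishes within the deadline.
# Interval 0 keeps the demo fast; the pipeline above uses -t 300 -p 15.
WORK=$(mktemp -d)
poll_until 5 0 fake_results "$WORK/clean" 3 0;  echo "exit status $?"
poll_until 5 0 fake_results "$WORK/leaky" 2 1;  echo "exit status $?"
poll_until 0 0 fake_results "$WORK/stuck" 99 0; echo "exit status $?"
rm -rf "$WORK"
```

With -t 300 -p 15 the loop above makes at most about 20 attempts; raising -t (as the timeout troubleshooting suggests) only helps when the scan is slow, whereas a status 1 returns immediately and should be read as a real finding rather than a retry candidate.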
    

Bitbucket Environment Variables

The following Bitbucket environment variables are available automatically; the pipeline above uses the first two:

| Variable                 | Description                      | Example              |
|--------------------------|----------------------------------|----------------------|
| BITBUCKET_REPO_FULL_NAME | Full repository name             | workspace/repository |
| BITBUCKET_COMMIT         | Current commit SHA               | abc123def456         |
| BITBUCKET_BRANCH         | Current branch name              | main                 |
| BITBUCKET_PR_ID          | Pull request ID (if applicable)  | 123                  |

With quality gates in place, every push will automatically be scanned for security issues, helping you maintain code security and compliance standards in your Bitbucket repositories.