
How Snyk and Bitbucket Cloud enable DevSecOps

Simon Maple

Field CTO at Snyk

Achieve DevSecOps by integrating Snyk with Bitbucket Cloud and Jira.

Snyk integrates with multiple Atlassian products so that development teams can achieve DevSecOps within their existing workflows. This tutorial details patterns for shift-left security leveraging Atlassian Bitbucket and Snyk. These techniques allow you to scan your application and container-based workloads. You’ll also learn how to use these patterns to release features and functionality at a faster pace that includes security at each step.

Time

10-minute read.

Audience

Developers, security/application teams, and DevOps/DevSecOps engineers

Prerequisites

You have a Snyk account. Get started here.

You have an Atlassian Bitbucket account. Log in here, or get started here.

Step 1. Configure your environment

1. Install the Snyk CLI

The Snyk CLI is the command-line tool that finds and fixes known vulnerabilities in your dependencies, both when run manually and as part of your continuous integration build. It authenticates against your Snyk account once and then reuses that credential. On macOS (or Linux with Homebrew), install it with:

brew tap snyk/tap && \
brew update && \
brew install snyk

To associate your Snyk account with the CLI, you must first authenticate your machine. No repository permissions are needed at this stage. Run the following command:

snyk auth

A web browser tab will open, redirecting you to authenticate the CLI for use with your account. Click Authenticate. When the authentication is complete, you may return to your terminal and continue working.

Additional lab resources

The exercises contained in this tutorial include a combination of commands or code snippets that will be shared within the specified module pages, as well as templates and source code available in a public Bitbucket repository. Once your Bitbucket Cloud account is set up, you will need to copy these resources into your account. To do so, please follow these steps:

2. Fork the repository

Click here to fork the upstream repository into your Bitbucket account. Atlassian’s documentation offers detailed instructions on how to fork a repository.

3. Clone your fork locally

Once the fork is complete, clone your forked repository to your machine. Please review Atlassian's documentation on how to clone a repository for detailed instructions.

Step 2. Connect Snyk to Bitbucket

Connecting Snyk to Bitbucket Cloud allows Snyk to read the repositories in your workspace and scan their manifests for open source vulnerabilities.

What is software composition analysis (SCA)?

Software composition analysis (SCA) is the practice, and the class of tooling, that inventories the open-source components in an application. An SCA tool resolves the dependency tree from your manifests and lock files, generates a report listing every open-source component, including direct and indirect (transitive) dependencies, and matches each component and version against a vulnerability database. Using an SCA tool, development teams can quickly track and analyze the open-source components introduced into a project.

Why use an SCA tool?

Open-source components are major building blocks in software development across virtually every vertical. Regardless of the size of your organization, SCA helps identify open-source components in the applications that are critical to your business. SCA tools enable developers to:

1. Understand dependencies used in applications.

2. Enforce security and compliance policies throughout the software development lifecycle.

3. Proactively fix potential vulnerabilities at the source.

4. Improve team efficiency and the company security posture.

1. Create an app password

You will need to create an app password in order to authorize Snyk to access your repository and enable Snyk's Bitbucket Cloud integration.

To create an app password:

1. From your avatar at the bottom left of your screen, click Personal settings.

2. Under Access management, click App passwords.

3. Click Create app password.

4. Give the app password a name related to the application.

5. Select the specific access and permissions you want this application password to have.

6. Copy the generated password and either record or paste it into the application. The password is only displayed this one time.

The app password needs the following permissions:

  • Account: read
  • Team membership: read
  • Projects: read
  • Repositories: read and write
  • Pull requests: read and write
  • Webhooks: read and write

Treat this app password as a credential: it carries write access to your repositories and pull requests. Paste it only into the Snyk integration page (Step 3), never into the repository itself or into pipeline variables, and revoke it from the same App passwords page if it is ever exposed.

2. Add repository variables

You will need to define repository variables (Repository settings, Repository variables) which will later be referenced in your pipeline. Mark the token as Secured so that Bitbucket Pipelines masks it in build logs.

These will consist of the following:

1. Snyk API token for authenticating your Snyk account: SNYK_TOKEN (Secured)

2. Container image name: IMAGE
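The pipeline that consumes these two variables is not shown on this page, so the following bitbucket-pipelines.yml is an added example written for this edit, not a file from the tutorial repository. It assumes a Node.js project with a package.json at the repository root (the tutorial's scan results are based on that file), a Dockerfile at the root for the container image, and that SNYK_TOKEN and IMAGE are set as above. The Snyk CLI reads SNYK_TOKEN from the environment, so no interactive `snyk auth` is needed in CI.

```yaml
# bitbucket-pipelines.yml (added example; assumes a Node.js app with a
# root package.json and Dockerfile, plus the SNYK_TOKEN and IMAGE
# repository variables from Step 2.2)
image: node:18

definitions:
  steps:
    - step: &snyk-deps-test
        name: Snyk - test open source dependencies
        caches:
          - node
        script:
          - npm ci
          - npm install -g snyk
          # Fail this step only for high/critical issues that have an
          # upgrade available. Lower severities and unfixable issues are
          # still printed but do not block the pull request.
          - snyk test --severity-threshold=high --fail-on=upgradable
    - step: &snyk-deps-monitor
        name: Snyk - monitor open source dependencies
        caches:
          - node
        script:
          - npm ci
          - npm install -g snyk
          # Take a snapshot of the resolved dependency tree so Snyk keeps
          # watching it (and can open fix PRs) after the build finishes.
          - snyk monitor --project-name="$BITBUCKET_REPO_SLUG"
    - step: &snyk-container
        name: Snyk - test and monitor container image
        services:
          - docker
        script:
          - npm install -g snyk
          - docker build -t "$IMAGE:$BITBUCKET_COMMIT" .
          # --file links the Dockerfile so base-image upgrade advice is included.
          - snyk container test "$IMAGE:$BITBUCKET_COMMIT" --file=Dockerfile --severity-threshold=high
          - snyk container monitor "$IMAGE:$BITBUCKET_COMMIT" --file=Dockerfile

pipelines:
  pull-requests:
    '**':
      # Gate every pull request on dependency vulnerabilities only;
      # the image is built and scanned once the change reaches main.
      - step: *snyk-deps-test
  branches:
    main:
      - step: *snyk-deps-test
      - step: *snyk-deps-monitor
      - step: *snyk-container
```

Two design choices worth noting: `snyk test` gates the build while `snyk monitor` only records a snapshot, so running `monitor` on pull requests would create a project per branch in the Snyk UI; keeping it on `main` avoids that clutter. `--fail-on=upgradable` is deliberately lenient so a new, unfixable advisory cannot block every merge; tighten it to `--fail-on=all` once the team has a process for triaging such findings.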

Step 3. Configure Snyk

1. Obtain your Snyk API token

From the Snyk console, open your Account settings and, under the General menu, copy your API token (use the "click to show" control to reveal it). This is a personal token tied to your user; for a shared pipeline, prefer a token issued to a Snyk service account so that scans do not stop working when an individual leaves the organization.

Once you have copied your token, go back to the Bitbucket Cloud UI and define the SNYK_TOKEN repository variable with it.

2. Enable Bitbucket integration

From the Snyk console, navigate to Integrations and select Bitbucket Cloud.


From the Bitbucket Cloud integration page, enter your Bitbucket username in the Username field and the Bitbucket app password from the previous step in the App password field. Then, click Save.

Once you have successfully connected your Snyk and Bitbucket accounts, you will see a confirmation message and the option to Add your Bitbucket Cloud repository to Snyk.

Stay on this page and in the next section, you will learn how to import a Bitbucket Cloud repository and scan it with Snyk.

Step 4. Scan and monitor your Bitbucket application

Scanning your application for vulnerabilities in its open source dependencies begins at the source. In the previous section, we enabled the Snyk integration to Bitbucket Cloud and are now in a position to import our first project.

1. Add Bitbucket Cloud repositories to Snyk

From the last screen in the previous section, click Add your Bitbucket Cloud repository to Snyk.

Find the repository you forked in Step 1. Click the checkbox to select it, then click the Add selected repositories button (top right) to import your project.

2. Review the vulnerability report

You should see vulnerability counts based on package.json, as well as detailed information for each issue. Click into the project that was just scanned and review the results in Snyk. You will not only receive context such as severity and exploit maturity for each vulnerability, but also the following features:

  • Fix pull request helps you fix vulnerabilities by either upgrading the direct dependencies to a version that pulls in a fixed transitive, or, where no upgrade exists, applying a Snyk patch.
  • Priority Score helps you prioritize fixes. The score, ranging from 1 to 1000, is computed from a range of factors, such as the CVSS score, whether a fix is available, whether known exploits exist, how new the vulnerability is, and whether the vulnerable code is reachable from your application.
  • Jira integration enables you to create Jira issues directly from a vulnerability.

Simon Maple

Simon Maple is the Field CTO at Snyk, a Java Champion since 2014, Virtual JUG founder, and London Java Community co-leader. He is an experienced speaker, with a passion for community. When not traveling, Simon enjoys spending quality time with his family, cooking and eating great food.

