Bitbucket Self-Hosted
Notice
It is possible to add the Checkmarx One external IP addresses to the customer Firewall allowlist - For more information see Checkmarx One External IPs
Additionally, if the code repository is not internet accessible, it is possible to configure the code repository IP address instead of its hostname during the initial integration with the code repository - as it is not resolved via DNS.
Overview
Checkmarx One supports Bitbucket integration, enabling automated scanning of your Bitbucket projects whenever the code is updated. Checkmarx One’s Bitbucket integration listens for Bitbucket commit events and uses a webhook to trigger Checkmarx scans when a push, or a pull request occurs. Once a scan is completed, the results can be viewed in Checkmarx One.
Additionally, for pull requests, a comment is created in Bitbucket, which includes a scan summary, list of vulnerabilities and a link to view the scan results in Checkmarx One.
The integration is performed on a per-project basis, where a dedicated Checkmarx One Project corresponds to a specific Bitbucket repository. You can select several repositories to create multiple integrations in a bulk action.
Checkmarx One supports integration with only one Bitbucket self-hosted instance. Following a successful integration, the instance cannot be removed but can be updated, provided there are sufficient Checkmarx One permissions. To remove an existing instance please contact the Checkmarx One support team.
Notice
This integration supports both public and private git based repos.
Prerequisites
The source code for your project is hosted on a Bitbucket repo.
You have a Checkmarx One account and have credentials to log in to your account.
The Bitbucket user has Admin privileges for this repository, see Code Repository Integrations.
To integrate Bitbucket self-hosted with Checkmarx One, a Bitbucket authentication token is required.
For Bitbucket versions earlier than 7.1, the integration supports Personal Access Tokens.
For Bitbucket version 7.1 and above, the integration supports only HTTP Access Tokens and only for the Organization associated with the current User. For any other Organization or Group HTTP Access Tokens are not supported. The integration scope is defined in step 4 of the Setting up the Integration and Initiating a Scan.
For additional information on how to create HTTP access tokens see Bitbucket HTTP access tokens.
Note
The example below relates to Bitbucket self-hosted versions earlier than 7.1.
To retrieve your Bitbucket Username & Token, perform the following steps:
In your Bitbucket account, click on your user > View Profile.
Retrieve your Username.
To create a Token, click on your user > Manage account.
Click on Personal access tokens.
Click on Create a token.
Give the token at least Read permissions for Projects and Repositories.
Click Create.
Setting up the Integration and Initiating a Scan
To integrate your self hosted (on-prem) Bitbucket organization with Checkmarx One, perform the following:
Click on Workspace > Projects
Click on New > New Project - Code Repository Integration
The Import From window opens.
Select Self-hosted → Bitbucket.
Configure the following fields and click Test Connection.
Instance Name - Free text field.
Domain Name or IP Address - Your Bitbucket Self-Managed domain.
For example: http://<domain name.com>/ or http://<IP address.com>/
Username - for more information see Retrieving Bitbucket Username & Token.
Token - for more information see Retrieving Bitbucket Username & Token.
Select the Bitbucket Organization or Group (for the requested repository) and click Select Organization.
The screen contains the following functionalities:
Search bar - Auto-complete is implemented. The search is not case sensitive.
Infinite scroll - For enterprises with a large amount of organizations.
Select the Repository inside the Bitbucket organization and click Next.
Note
A separate Checkmarx One Project will be created for each repo that you import.
There can’t be more than one Checkmarx One Project per repo. Therefore, once a Project has been created for a repo, that repo is greyed out in the Import dialog.
In the Repositories Settings screen, perform the following and click Next.
Permissions:
Scan Trigger: Push, Pull request - Enable/disable automatic scans for every push event or pull request.
Scanners: Select the scanners for All/Specific repositories. At lease 1 scanner must be selected for each repository.
Protected Branches: Select which Protected Branches to scan for each repository.
Note
For additional information about Protected Branches see About Protected Branches
Add SSH key.
Assign Groups: Specify the Groups to which you would like to assign the project.
Assign Tags: Add Tags to the Project. Tags can be added as a simple strings or as key:value pairs.
Set Criticality Level: Manually set the project criticality level.
Note
If multiple repositories are selected, an additional configuration option will appear at the top of the wizard for applying settings to all selected repositories. Configure the necessary parameters, then scroll down on the right-side panel and click Apply to all.
For example:
Select which Protected Branches to scan for each Repository and click Next.
Note
For additional information about Protected Branches see About Protected Branches
In the Advanced Options screen it is possible to select Scanning the default branch upon the creation of the Project.
You also must select the default branch for the automatic scan, as Bitbucket doesn't have a default one.
Click Create Project.
The Project is successfully added to the Applications and Projects home page.
Note
In order to update the scanners see Imported Project Settings
Updating an Existing Instance
Important
Only users with ast-admin
or update-tenant-params
permission can update an existing instance.
Users with the view-tenant-params
permission can only view an existing instance but do not have the ability to update it.
Bitbucket self-hosted instance can be updated from Global Settings.
Global Settings can be opened by one of the options below:
Click on Edit an existing instance in the Import wizard.
Click on Settings > Code Repository.
Click on Settings > Global Settings, and then select the Code Repository option.