
Checkmarx One Bitbucket Pipelines Integration

You can integrate Checkmarx One into your Bitbucket pipelines using our CLI Tool. You can run Checkmarx One scans as well as perform other Checkmarx One commands using the CLI Tool.

Prerequisites

Initial Setup

Before running Checkmarx One CLI commands in your Bitbucket pipelines, you need to configure access to Checkmarx One. This is done by specifying the server URLs, tenant account, and authentication credentials for accessing your Checkmarx One environment.

  1. In your Bitbucket console, in the main navigation, click Repository settings > Repository variables.

  2. Create variables for each of the items shown in the table below by entering a Name for the variable and its Value and then clicking Add.

Warning

Make sure the authentication variables are marked as Secured.


Repository Variables

Key                     Value
BASE_URI
BASE_AUTH_URI
TENANT                  The name of your tenant account.

Use one of the following authentication methods:

CLIENT_ID and SECRET    For OAuth2 (recommended). These values are obtained from the Checkmarx One web application, see Creating an OAuth2 Client for Checkmarx One Integrations.
API_KEY                 This is obtained from the Checkmarx One web application, see Generating an API Key.

Running CLI Commands in Bitbucket

You can use CLI commands to run scans, retrieve scan results and perform CRUD actions on your Checkmarx One Projects and Applications. For an explanation of the CLI commands, see Checkmarx One CLI Commands.

You can run our CLI Tool either from our Docker image checkmarx/ast-cli (recommended) or by installing it with brew on the Bitbucket base image. See the examples below.

Usage Example - Running a Checkmarx One Scan in Bitbucket

The following snippet shows how you can run a Checkmarx One scan in Bitbucket using our CLI Tool.

The snippet uses the scan create command with the minimum required parameters -s (location of the source code), --project-name (name of the Checkmarx One Project), and --branch (name of the branch of the Checkmarx One Project) as well as the repository variables that you configured for connecting to Checkmarx One. We also recommend using the --agent flag with the value Bitbucket.

Option 1 (recommended): Use the Checkmarx One CLI docker image to trigger the scan:

image: checkmarx/ast-cli
 
pipelines:
  default:
    - step:
        script:
          - >-
            /app/bin/cx
            scan create
            -s .
            --agent Bitbucket
            --project-name $BITBUCKET_REPO_SLUG
            --branch $BITBUCKET_BRANCH
            --base-uri $BASE_URI
            --base-auth-uri $BASE_AUTH_URI
            --tenant $TENANT
            --client-id $CLIENT_ID
            --client-secret $CLIENT_SECRET

Option 2: Use the Bitbucket base image and brew to install the Checkmarx One CLI and trigger the scan:

image: atlassian/default-image:2

pipelines:
  default:
    - step:
        script:
          - /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
          - /home/linuxbrew/.linuxbrew/bin/brew install checkmarx/ast-cli/ast-cli
          - >-
            /home/linuxbrew/.linuxbrew/Cellar/ast-cli/*/bin/cx
            scan create
            -s .
            --agent Bitbucket
            --project-name $BITBUCKET_REPO_SLUG
            --branch $BITBUCKET_BRANCH
            --base-uri $BASE_URI
            --base-auth-uri $BASE_AUTH_URI
            --tenant $TENANT
            --client-id $CLIENT_ID
            --client-secret $CLIENT_SECRET
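The following wrapper is an added example, not code from the Checkmarx documentation: it performs the same scan create call as Options 1 and 2 above, but first checks that every repository variable is set and that both URIs are HTTPS, picks OAuth2 client credentials over an API key when both are present, and reports missing variable names without ever echoing a secret into the build log. It assumes the cx binary path is given by CX_BIN (defaulting to /app/bin/cx as in Option 1) and that the API-key flag is --apikey, which comes from the cx CLI help rather than from this page.

```shell
#!/bin/sh
# Added example (not Checkmarx documentation code). Assumptions: CX_BIN points
# at the cx binary (default /app/bin/cx); the API-key flag is --apikey.

# Validate the connection variables. Prints the auth mode ("oauth2" or
# "apikey") on stdout; on failure lists missing variable NAMES (never values)
# on stderr and returns 1.
cx_check_vars() {
  missing=""
  mode=""
  for v in BASE_URI BASE_AUTH_URI TENANT BITBUCKET_REPO_SLUG BITBUCKET_BRANCH; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || missing="$missing $v"
  done
  # Both endpoints receive the client secret or API key, so require HTTPS.
  for u in "${BASE_URI:-https://}" "${BASE_AUTH_URI:-https://}"; do
    case "$u" in
      https://*) ;;
      *) echo "cx_check_vars: non-HTTPS URI configured: $u" >&2; return 1 ;;
    esac
  done
  if [ -n "${CLIENT_ID:-}" ] && [ -n "${CLIENT_SECRET:-}" ]; then
    mode=oauth2
  elif [ -n "${API_KEY:-}" ]; then
    mode=apikey
  else
    missing="$missing CLIENT_ID+CLIENT_SECRET|API_KEY"
  fi
  if [ -n "$missing" ]; then
    echo "cx_check_vars: missing repository variables:$missing" >&2
    return 1
  fi
  echo "$mode"
}

# Run the scan with the same flags as the snippets above. Credentials are
# passed only as arguments to cx and are never printed.
cx_scan() {
  mode=$(cx_check_vars) || return 1
  if [ "$mode" = oauth2 ]; then
    set -- --client-id "$CLIENT_ID" --client-secret "$CLIENT_SECRET"
  else
    set -- --apikey "$API_KEY"
  fi
  "${CX_BIN:-/app/bin/cx}" scan create -s . --agent Bitbucket \
    --project-name "$BITBUCKET_REPO_SLUG" --branch "$BITBUCKET_BRANCH" \
    --base-uri "$BASE_URI" --base-auth-uri "$BASE_AUTH_URI" \
    --tenant "$TENANT" "$@"
}
```

In a pipeline step, source the file and call cx_scan in place of the long folded command; a failed check exits the step before cx is invoked.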

Notice

Check for updates to the code samples in GitHub.