
Checkmarx One Bitbucket Pipelines Integration

You can integrate Checkmarx One into your Bitbucket pipelines using our CLI Tool. You can run Checkmarx One scans as well as perform other Checkmarx One commands using the CLI Tool.

Prerequisites

  • You have a Checkmarx One account and you have an OAuth Client or API Key for Checkmarx One authentication. To generate the required authentication, see Authentication for Checkmarx One CLI and Plugins.

    Notice

    The OAuth method has the advantage that you can specify the precise permissions needed for the integration, whereas an API Key automatically inherits all permissions of the user who generates the key.

Initial Setup

Before running Checkmarx One CLI commands in your Bitbucket pipelines, you need to configure access to Checkmarx One. This is done by specifying the server URLs, tenant account, and authentication credentials for accessing your Checkmarx One environment.

  1. In your Bitbucket console, in the main navigation click on Repository settings > Repository variables.

  2. Create variables for each of the items shown in the table below by entering a Name for the variable and its Value and then clicking Add.

Warning

Make sure the authentication variables are marked as Secured.


Repository Variables

Key                        | Value
---------------------------+--------------------------------------------------------------
BASE_URI                   |
BASE_AUTH_URI              |
TENANT                     | The name of your tenant account.
---------------------------+--------------------------------------------------------------
Use one of the following authentication methods.
---------------------------+--------------------------------------------------------------
OAuth CLIENT_ID and SECRET | These values are obtained from the Checkmarx One web
(Recommended method)       | application, see Creating an OAuth Client for Checkmarx One
                           | Integrations.
API_KEY                    | This is obtained from the Checkmarx One web application, see
                           | Generating an API Key.

Running CLI Commands in Bitbucket

You can use CLI commands to run scans, retrieve scan results and perform CRUD actions on your Checkmarx One Projects and Applications. For an explanation of the CLI commands, see Checkmarx One CLI Commands.

You can run our CLI Tool either by using our Docker image checkmarx/ast-cli (recommended) or by using the Bitbucket base image and installing the CLI with brew. See the examples below.

Usage Example - Running a Checkmarx One Scan in Bitbucket

The following snippet shows how you can run a Checkmarx One scan in Bitbucket using our CLI Tool.

The snippet uses the scan create command with the minimum required parameters -s (location of the source code), --project-name (name of the Checkmarx One Project), and --branch (name of the branch of the Checkmarx One Project) as well as the repository variables that you configured for connecting to Checkmarx One. We also recommend using the --agent flag with the value Bitbucket.

Warning

When running SCA Resolver as part of the scan, we recommend using the second option shown below with some modifications related to SCA Resolver. An example of the script is available here.

Option 1 (recommended): Use the Checkmarx One CLI docker image to trigger the scan:

image: checkmarx/ast-cli
pipelines:
  default:
    - step:
        script:
          - >-
            /app/bin/cx
            scan create
            -s .
            --agent Bitbucket
            --project-name $BITBUCKET_REPO_SLUG
            --branch $BITBUCKET_BRANCH
            --base-uri $BASE_URI
            --base-auth-uri $BASE_AUTH_URI
            --tenant $TENANT
            --client-id $CLIENT_ID
            --client-secret $CLIENT_SECRET

Option 2: Use the Bitbucket base image and brew to install the Checkmarx One CLI and trigger the scan:

image: atlassian/default-image:2

pipelines:
  default:
    - step:
        script:
          - /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
          - /home/linuxbrew/.linuxbrew/bin/brew install checkmarx/ast-cli/ast-cli
          - >-
            /home/linuxbrew/.linuxbrew/Cellar/ast-cli/*/bin/cx
            scan create
            -s .
            --agent Bitbucket
            --project-name $BITBUCKET_REPO_SLUG
            --branch $BITBUCKET_BRANCH
            --base-uri $BASE_URI
            --base-auth-uri $BASE_AUTH_URI
            --tenant $TENANT
            --client-id $CLIENT_ID
            --client-secret $CLIENT_SECRET
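Both options above pass the repository variables straight into a single long command line. The following wrapper script is an added example (not part of the Checkmarx documentation or the ast-cli project) that performs the same scan create call but fails fast when a repository variable is missing, picks the OAuth client over the API Key when both are configured, and never echoes credentials into the pipeline log. It assumes the repository variables from the table (BASE_URI, BASE_AUTH_URI, TENANT, and either CLIENT_ID plus CLIENT_SECRET or API_KEY), the Bitbucket-provided BITBUCKET_REPO_SLUG and BITBUCKET_BRANCH, and the binary path /app/bin/cx used in Option 1. The --apikey and --threshold flags are the CLI's own and are not shown on this page; check them against the Checkmarx One CLI Commands reference for your CLI version.

```shell
#!/bin/sh
# cx-scan.sh: added example, not from the Checkmarx docs. Wraps the `cx scan create`
# call shown in the options above so that a Bitbucket step fails fast on missing
# configuration and never echoes credentials. Assumes the repository variables from
# the table (BASE_URI, BASE_AUTH_URI, TENANT, and either CLIENT_ID + CLIENT_SECRET or
# API_KEY) plus the Bitbucket-provided BITBUCKET_REPO_SLUG and BITBUCKET_BRANCH.
set -eu

# Where the CLI binary lives; /app/bin/cx is the path used by the checkmarx/ast-cli image.
CX_BIN="${CX_BIN:-/app/bin/cx}"

# require_var NAME VALUE: fail with a clear message if a required variable is empty.
# Only the variable name is logged, never its value.
require_var() {
  if [ -z "$2" ]; then
    echo "error: repository variable $1 is not set" >&2
    return 1
  fi
  return 0
}

# cx_auth_method: print which credentials are configured ("oauth", "apikey" or "none").
# The OAuth client pair is preferred (scoped permissions, as the Notice above explains);
# API_KEY is the fallback. An incomplete OAuth pair is treated as absent, not half-used.
cx_auth_method() {
  if [ -n "${CLIENT_ID:-}" ] && [ -n "${CLIENT_SECRET:-}" ]; then
    echo oauth
  elif [ -n "${API_KEY:-}" ]; then
    echo apikey
  else
    echo none
  fi
}

# run_scan: validate configuration, assemble the argument list and invoke the CLI.
# Arguments are kept as positional parameters, so secrets never pass through eval
# or through a string that could end up in the log.
run_scan() {
  require_var BASE_URI "${BASE_URI:-}"
  require_var BASE_AUTH_URI "${BASE_AUTH_URI:-}"
  require_var TENANT "${TENANT:-}"
  require_var BITBUCKET_REPO_SLUG "${BITBUCKET_REPO_SLUG:-}"
  require_var BITBUCKET_BRANCH "${BITBUCKET_BRANCH:-}"

  set -- scan create -s . --agent Bitbucket \
    --project-name "$BITBUCKET_REPO_SLUG" --branch "$BITBUCKET_BRANCH" \
    --base-uri "$BASE_URI" --base-auth-uri "$BASE_AUTH_URI" --tenant "$TENANT"

  # --apikey is the CLI's flag for the API Key method; it is not shown on this page.
  method=$(cx_auth_method)
  case "$method" in
    oauth)  set -- "$@" --client-id "$CLIENT_ID" --client-secret "$CLIENT_SECRET" ;;
    apikey) set -- "$@" --apikey "$API_KEY" ;;
    *) echo "error: set CLIENT_ID and CLIENT_SECRET (OAuth) or API_KEY" >&2; return 1 ;;
  esac

  # Optional: break the build on findings, e.g. CX_THRESHOLD="sast-high=1".
  # --threshold is taken from the CLI reference, not from this page.
  if [ -n "${CX_THRESHOLD:-}" ]; then
    set -- "$@" --threshold "$CX_THRESHOLD"
  fi

  echo "Starting Checkmarx One scan of $BITBUCKET_REPO_SLUG@$BITBUCKET_BRANCH (auth: $method)"
  "$CX_BIN" "$@"
}

# Run only when invoked as `sh cx-scan.sh run`, so the file can also be sourced.
case "${1:-}" in
  run) run_scan ;;
esac
```

Commit the script to the repository (for example as ci/cx-scan.sh) and replace the folded command in the step script with `- sh ci/cx-scan.sh run`; the repository variables are exported into the step environment by Bitbucket, so no other change is needed. Keeping the argument list in positional parameters rather than a string is what lets the script log the project, branch and chosen auth method without ever printing the secret values.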

Notice

Check for updates to the code samples in GitHub.