Ostorlab Integration with Bitbucket CI/CD Pipeline
To integrate Ostorlab with your Bitbucket CI/CD pipeline, follow these steps:
1. Generate an API Key
The first step is to generate an API key from your Ostorlab account:
- Go to the API keys menu.
- Click the "New" button to generate a new key.
- Copy the API key. You can add a name and an expiry date to your key.
- Click the "Save" button to save your key.
2. Add the API Key to Bitbucket Variables
Once you have generated your API key, add it to your Bitbucket variables. Make sure the variable name matches the secret referenced in your YAML file (e.g. $SECRET_OSTORLAB_API_KEY). For more detailed instructions, refer to the Bitbucket documentation on Variables and secrets.
3. Update Your Pipeline
Now, you need to update your Bitbucket pipeline to include an Ostorlab step to trigger the security scan. Below is a sample YAML configuration that performs a rapid scan on an Android APK and fails the pipeline on vulnerabilities with a "HIGH" severity rating:
image: python:3.10
pipelines:
  default:
    - step: # step to build Android debug application
        name: Android Debug Application
        caches:
          - gradle
        script:
          - ./gradlew assembleDebug
    - step:
        name: Ostorlab Security Scan
        caches:
          - pip
        script:
          - pip install ostorlab[cli]
          - export OSTORLAB_API_KEY=$SECRET_OSTORLAB_API_KEY
          - export SCAN_TITLE=SCAN_TITLE
          - export SCAN_PROFILE='fast_scan'
          - export BREAK_ON_RISK_RATING="HIGH"
          - export MAX_WAIT_MINUTES=15
          - export TARGET="app/build/outputs/apk/debug/app-debug.apk" # replace with your target application path
          - export ASSET_TYPE="android-apk"
          - ostorlab --api-key="$OSTORLAB_API_KEY" ci-scan run --title="$SCAN_TITLE" --scan-profile="$SCAN_PROFILE" --break-on-risk-rating="$BREAK_ON_RISK_RATING" --max-wait-minutes="$MAX_WAIT_MINUTES" $EXTRA $ASSET_TYPE $TARGET
Example of creating a scan without breaking the pipeline for any risk rating:
image: python:3.10
pipelines:
  default:
    - step: # step to build Android debug application
        name: Android Debug Application
        caches:
          - gradle
        script:
          - ./gradlew assembleDebug
    - step:
        name: Test
        caches:
          - pip
        script:
          - pip install ostorlab[cli]
          - export OSTORLAB_API_KEY=$SECRET_OSTORLAB_API_KEY
          - export SCAN_TITLE=SCAN_TITLE
          - export SCAN_PROFILE='fast_scan'
          - export TARGET="app/build/outputs/apk/debug/app-debug.apk" # replace with your target application path
          - export ASSET_TYPE="android-apk"
          - ostorlab --api-key="$OSTORLAB_API_KEY" ci-scan run --title="$SCAN_TITLE" --scan-profile="$SCAN_PROFILE" $EXTRA $ASSET_TYPE $TARGET
4. SBOM/Lock Files (Optional)
You can enhance the scan analysis by supplying SBOM (Software Bill of Materials) or lock files. Use the extra input to pass --sbom followed by the file you want to include. For example, to add a package-lock.json file, use the following pipeline:
image: python:3.10
pipelines:
  default:
    - step: # step to build Android debug application
        name: Android Debug Application
        caches:
          - gradle
        script:
          - ./gradlew assembleDebug
    - step:
        name: Ostorlab Security Scan
        caches:
          - pip
        script:
          - pip install ostorlab[cli]
          - export OSTORLAB_API_KEY=$SECRET_OSTORLAB_API_KEY
          - export SCAN_TITLE=SCAN_TITLE
          - export SCAN_PROFILE='fast_scan'
          - export BREAK_ON_RISK_RATING="HIGH"
          - export MAX_WAIT_MINUTES=15
          - export EXTRA="--sbom package-lock.json" # add sbom file; quote the value so it stays one variable and is word-split when $EXTRA is expanded below
          - export TARGET="app/build/outputs/apk/debug/app-debug.apk" # replace with your target application path
          - export ASSET_TYPE="android-apk"
          - ostorlab --api-key="$OSTORLAB_API_KEY" ci-scan run --title="$SCAN_TITLE" --scan-profile="$SCAN_PROFILE" --break-on-risk-rating="$BREAK_ON_RISK_RATING" --max-wait-minutes="$MAX_WAIT_MINUTES" $EXTRA $ASSET_TYPE $TARGET
Here is a list of supported files that you can include:
- buildscript-gradle.lockfile
- Cargo.lock
- composer.lock
- conan.lock
- Gemfile.lock
- go.mod
- gradle.lockfile
- mix.lock
- Pipfile.lock
- package-lock.json
- packages.lock.json
- pnpm-lock.yaml
- poetry.lock
- pom.xml
- pubspec.lock
- requirements.txt
- yarn.lock
5. Test Credentials (Optional)
Ostorlab supports performing authenticated testing with login/password or custom inputs. To pass test credentials, use the extra input and specify the --test-credentials-*** flags. For example, to add login/password and custom credentials with names and values, use the following input (in the Bitbucket pipelines above, this is the value of the EXTRA variable):
extra: --test-credentials-login test_login --test-credentials-password test_pass --test-credentials-role ci_role --test-credentials-name foo1 --test-credentials-value bar1 --test-credentials-name foo2 --test-credentials-value bar2
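Because the pipeline expands $EXTRA unquoted, everything that goes into it is word-split before it reaches the ci-scan CLI, so the string has to be assembled carefully. The POSIX sh helpers below are an added example, not code from the Ostorlab documentation or CLI: sbom_flags emits one --sbom flag per supported lock file actually present in a directory (the file list is the one from section 4), and credential_flags builds the --test-credentials-* sequence from section 5 while rejecting malformed NAME=VALUE pairs and values containing whitespace, which would otherwise silently shift the name/value order the CLI sees. The function names, the NAME=VALUE convention and the TEST_LOGIN/TEST_PASS variable names are assumptions of this example.

```shell
#!/bin/sh
# Added example: build the EXTRA string for the Ostorlab ci-scan step safely.
# Not part of the Ostorlab docs or CLI; sbom_flags / credential_flags and the
# NAME=VALUE convention are this example's own choices.

# Lock-file names accepted by --sbom, as listed in the SBOM section above.
SUPPORTED_LOCKFILES="buildscript-gradle.lockfile Cargo.lock composer.lock conan.lock Gemfile.lock go.mod gradle.lockfile mix.lock Pipfile.lock package-lock.json packages.lock.json pnpm-lock.yaml poetry.lock pom.xml pubspec.lock requirements.txt yarn.lock"

# sbom_flags DIR
# Prints "--sbom DIR/<file>" for every supported lock file present directly in
# DIR, in the order of SUPPORTED_LOCKFILES. Files with other names are ignored,
# so an unsupported file is never passed to the CLI by accident.
sbom_flags() {
  dir=$1
  out=""
  for f in $SUPPORTED_LOCKFILES; do
    if [ -f "$dir/$f" ]; then
      out="$out --sbom $dir/$f"
    fi
  done
  printf '%s' "${out# }"   # drop the leading separator
}

# credential_flags LOGIN PASSWORD ROLE [NAME=VALUE ...]
# Prints the --test-credentials-* flags. ROLE may be empty, in which case the
# --test-credentials-role flag is omitted. Each custom credential must be given
# as NAME=VALUE; a token without '=' or a value containing whitespace is
# rejected (return 1) because, after unquoted expansion of $EXTRA, it would be
# split into extra words and desynchronise the name/value pairs.
credential_flags() {
  login=$1
  password=$2
  role=$3
  shift 3
  out="--test-credentials-login $login --test-credentials-password $password"
  if [ -n "$role" ]; then
    out="$out --test-credentials-role $role"
  fi
  for pair in "$@"; do
    case $pair in
      *=*) ;;
      *)
        printf 'credential_flags: expected NAME=VALUE, got %s\n' "$pair" >&2
        return 1
        ;;
    esac
    name=${pair%%=*}
    value=${pair#*=}
    case $value in
      *[[:space:]]*)
        printf 'credential_flags: value for %s contains whitespace\n' "$name" >&2
        return 1
        ;;
    esac
    out="$out --test-credentials-name $name --test-credentials-value $value"
  done
  printf '%s' "$out"
}

# Usage inside the Ostorlab step (TEST_LOGIN / TEST_PASS are assumed to be
# secured Bitbucket variables, like SECRET_OSTORLAB_API_KEY):
#   EXTRA="$(sbom_flags .) $(credential_flags "$TEST_LOGIN" "$TEST_PASS" ci_role foo1=bar1 foo2=bar2)"
#   export EXTRA
```

The functions only print the flag string; the export stays in the pipeline script so that a failed credential_flags call (non-zero exit) aborts the step under Bitbucket's default fail-on-error behaviour instead of starting a scan with a truncated credential list.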
Required Parameters
When configuring the Bitbucket action, you must provide the following options:
- scan_profile: Specifies the scan profile ('fast_scan' or 'full_scan').
- asset_type: Specifies the target asset ('android-apk', 'android-aab', or 'ios-ipa').
- target: The target file to scan.
- ostorlab_api_key: Your Ostorlab API Key.
- scan_title (optional): A scan title to identify your scan.
- break_on_risk_rating (optional): Fail the action if the risk rating matches or is higher than the provided value.
- max_wait_minutes (optional): The maximum wait time in minutes before the scan times out.
- extra (optional): Extra argument flags to pass to the Ostorlab ci-scan CLI, commonly used for passing scan test credentials.