How to configure Bitbucket with DigitSec
Please follow these steps to integrate DigitSec to scan your Bitbucket repository based on Bitbucket events.
-
Please retrieve an Bitbucket Secret specific to your DigitSec Workspace. Please use a browser to go to https://s4.digitsec.com and sign in.
-
After logging in, find the Workspace you wish to scan and click on the title to access the Dashboard. Use the Workspace navigation and sub-tav navigation to select Integration --> Bitbucket.
-
Before you copy the Bitbucket Secret on this screen, visit the API tab and confirm that the token is still valid. If not, please regenerate it. Once that is complete, return to the BitBucket tab and use the clipboard icon to copy the field contents. Please leave this browser window open on this page as you will return to it in Step 8.
-
Access Repo Access Tab
Log into Bitbucket. Using the sidebar on the left, find 'Repositories' and click the gear icon next to the repository name to access the repository settings. See the screenshot below as an example:
-
Within the selected repository settings, expand the Security sub-tab
on the
navigation bar --> Click on Access Tokens. This will open an action
pane
showing a list of tokens for the selected repository. Use the blue button
to Create Access Token.
-
In the Create New Token Dialog, complete as appropriate:
-Name: You may enter anything in this input.
-Expiry: Bitbucket allows up to 365 days.
-Scopes: Please choose "Pull Requests" and Read+Write
When you click the Create button, Bitbucket will present you with the generated token. Copy this to a notepad for future access, as it will not be displayed again.
- Once you are on the repository under question, you should see a screen similar to the one below showing the files in your repo:
- Examine your browser URL address bar. You will see a string similar to the image below. The circled portion indicates how to identify your Bitbucket Workspace Id.:
-
Open a new browser window and log into Bitbucket. Find the repository you wish to integrate with DigitSec and use the Repository Settings screen to find Webhooks.
-
. Click on the Webhooks to access the following screen.
-
Click the Add webhook button.
-
This will create a webhook for this repository. Enter a useful name in the Title field. Your webhook will be pointed at https://s4.digitsec.com/webhooks/bitbucket/<bitbucketSecret>. This URL (including the Bitbucket secret) has already been copied to the clipboard from step 3. So, you can paste it in the URL field below.
Note: DigitSec advises that you select the Pull requests: created/updated triggers. This will trigger the webhook on all major pull request events and is the intended way for using this integration.
-
Return to the browser window that has your DigitSec/Bitbucket settings.
Use the following data to complete the form:
-Bitbucket Secret: This data is pre-populated by DigitSec
-Repository Name: This value should be an exact match to your selected Bitbucket repository. It is case-sensitive.
-Butbucket username: This is the Bitbucket account username.
-Repository Access Token: Paste the token that was generated and captured by you in Step 6 above.
-
Click Verify and Save.
-
To verify this is working, please take an action that will activate the
trigger
you selected. Once you have finished this, the scan will have already
begun.
Scans typically take between 5 and 15 minutes. DigitSec
will send a notification email once the scan has completed which will
include
a link to your Scan Findings Detail Report.
-
The results from DigitSec will show up in the pull request comments as follows:
Bitbucket Workspace Id
Creating a Webhook and App password