How to configure Bitbucket with S4
Follow these steps to set up S4 to scan your Bitbucket repository in response to Bitbucket events.
- Retrieve the S4 Web Secret specific to your Salesforce org. Use a browser to go to https://s4.digitsec.com and sign in.
- After logging in, find the Salesforce org you wish to scan. Click the collapsible function menu and select Edit Org Info.
- On the Edit Org information page, click the Bitbucket tab, then click the CREATE BITBUCKET REPO button. The screen should look like the example below. The Bitbucket secret for this org appears in cleartext; use the clipboard icon to copy the field contents. Leave this browser window open on this page, as you will return to it in Step 8.
How to find your Repository name, Workspace Id and Bitbucket username:
- Once you log in to Bitbucket, the first screen that appears has a title bar as shown below:
- Select Repositories; this opens the screen below:
The repository names are listed in bold under the Summary heading.
- Click the Profile and Settings tab shown at the top right:
- On the drop-down that opens, click Personal Settings.
- The following screen appears, showing the username under the Bitbucket profile settings.
- Once you are on the repository in question, you should see a screen like the one below, showing the files in your repo:
- Examine your browser's URL address bar. You will see a string similar to the image below; the circled portion shows how to identify your Workspace Id:
Creating a Webhook and App password
- Open a new browser window and log in to Bitbucket. Find the repository you wish to integrate with S4 and open the Repository Settings screen to find Webhooks.
- Click Webhooks to access the following screen.
- Click the Add webhook button.
- You will create a webhook for this repository. Enter a useful name in the Title field. Your webhook will be pointed at https://s4.digitsec.com/webhooks/bitbucket/<bitbucketSecret>. This URL (including the Bitbucket secret) was already copied to the clipboard in step 3, so you can paste it into the URL field below.
Note: DigitSec advises that you select the Pull requests: created/updated triggers. This fires the webhook on all major pull request events and is the intended way to use this integration.
- You must now create an App Password. Go to the Profile and Settings tab at the bottom left and click Personal Settings.
- On the page that loads, select App passwords. This brings up a new screen; click the Create app password button. You will now see the screen below:
- Give the app password a label and check the Read and Write permissions for Pull Requests, as shown above. Click the Create button; the page refreshes to show the app password. Copy it to the clipboard. You may also wish to save it to a local file, as it will not be visible again.
- Return to the browser window you left open in Step 3, which shows the Bitbucket tab of the S4 Salesforce org Info screen. Enter the Repository Name (exactly as it appears on Bitbucket), your Bitbucket Username and your Workspace Id in the corresponding fields. If you want S4 to create a new Pull Request based off your current branch, select the Is Pull Request Required check box. Finally, paste the App Password from the previous step into the correct field, then click Verify and Save.
- To verify that this is working, take an action that activates the trigger you selected. Once you have done this, the scan has already begun. Scans typically take between 5 and 15 minutes. S4 sends a notification email once the scan has completed, including a link to your S4 Findings Detail Report.
- The results from S4 will show up in the pull request comments as follows:
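The following Python helpers are an added example, not part of this guide or of the S4 or Bitbucket products. They let you check the pieces of the setup above offline: building the S4 webhook URL from the org's Bitbucket secret, pulling the Workspace Id and repository slug out of the browser URL described in the "How to find" section, and inspecting a repository's webhook list to confirm that exactly the advised Pull requests: created/updated triggers are enabled. The webhook record shape (`url`, `active`, `events`, `description`) and the event names `pullrequest:created` / `pullrequest:updated` are assumed to match what Bitbucket Cloud's webhook listing returns; the sample hook list is constructed for the example. The checker deliberately never echoes the secret in its messages, since that secret is the only thing protecting the webhook endpoint.

```python
"""Offline checks for an S4 <-> Bitbucket webhook configuration (added example)."""
from urllib.parse import urlparse

S4_WEBHOOK_BASE = "https://s4.digitsec.com/webhooks/bitbucket/"
# Assumed Bitbucket Cloud event names behind the "Pull requests: created/updated" triggers.
REQUIRED_EVENTS = {"pullrequest:created", "pullrequest:updated"}


def s4_webhook_url(bitbucket_secret: str) -> str:
    """Build the webhook URL S4 expects: the org-specific secret is the final path segment."""
    secret = bitbucket_secret.strip()
    if not secret or "/" in secret or any(c.isspace() for c in secret):
        raise ValueError("secret must be a single non-empty path segment")
    return S4_WEBHOOK_BASE + secret


def workspace_and_repo(browser_url: str) -> tuple[str, str]:
    """Return (workspace id, repository slug) from a repo page URL such as
    https://bitbucket.org/<workspace>/<repo>/src/main/ (the address bar string in the guide)."""
    parts = urlparse(browser_url)
    if parts.netloc.lower() != "bitbucket.org":
        raise ValueError("not a bitbucket.org URL")
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) < 2:
        raise ValueError("URL does not contain a workspace and repository")
    return segments[0], segments[1]


def check_hooks(hooks: list, expected_secret: str) -> list[str]:
    """Inspect webhook records for a repository and return a list of problems.

    An empty list means an active webhook points at this org's S4 URL with the
    advised triggers. Messages never include the secret itself.
    """
    problems: list[str] = []
    expected_url = s4_webhook_url(expected_secret)
    s4_hooks = [h for h in hooks if str(h.get("url", "")).startswith(S4_WEBHOOK_BASE)]
    if not s4_hooks:
        return [f"no webhook points at {S4_WEBHOOK_BASE}"]
    for hook in s4_hooks:
        name = hook.get("description", "<untitled>")
        if hook["url"] != expected_url:
            # A stale or mistyped secret means S4 silently ignores the event.
            problems.append(f"S4 webhook '{name}' uses a secret that does not match this org")
        if not hook.get("active", False):
            problems.append(f"S4 webhook '{name}' is not active")
        missing = REQUIRED_EVENTS - set(hook.get("events", []))
        if missing:
            problems.append(f"S4 webhook '{name}' is missing triggers: {', '.join(sorted(missing))}")
    return problems


# Constructed sample: one S4 hook lacking the 'updated' trigger, plus an unrelated CI hook.
SAMPLE_HOOKS = [
    {"description": "S4 scan", "url": S4_WEBHOOK_BASE + "EXAMPLE_SECRET",
     "active": True, "events": ["pullrequest:created"]},
    {"description": "CI", "url": "https://ci.example.test/hook",
     "active": True, "events": ["repo:push"]},
]

if __name__ == "__main__":
    ws, repo = workspace_and_repo("https://bitbucket.org/acme-ws/my-repo/src/main/")
    print(f"workspace={ws} repo={repo}")
    for problem in check_hooks(SAMPLE_HOOKS, "EXAMPLE_SECRET"):
        print("problem:", problem)
```

Feed `check_hooks` the `values` entries from a real webhook listing for the repository; if it reports a missing `pullrequest:updated` trigger, S4 will scan new pull requests but not pushes to existing ones, which is the most common reason the verification step in the guide appears to do nothing.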