How to configure Bitbucket with S4
Please follow these steps to set up S4 to scan your Bitbucket repository based on Bitbucket events.
- First, you will need to retrieve the S4 Bitbucket secret specific to your Salesforce org. Using a browser, go to https://s4.digitsec.com and sign in.
- After logging in, find the Salesforce org you wish to scan. Open its collapsible function menu and select "Edit Org Info".
- On the Edit Org Information page, click the Bitbucket tab, then click the CREATE BITBUCKET REPO button. Your Bitbucket secret is displayed in cleartext; use the clipboard icon to copy it. Treat this secret as a credential: it will be embedded in the webhook URL, so do not commit it to the repository or paste it into tickets or chat. Leave this browser window open on this page, as you will return to it after creating the webhook and the app password.
- Open a new browser window and log in to Bitbucket. Find the repository you wish to integrate with S4, open its Repository settings, and click Webhooks.
- Click the Add webhook button.
- We are going to create a webhook for this repository. Enter a useful name in the Title field. The webhook must point at https://s4.digitsec.com/webhooks/bitbucket/<bitbucketSecret>, where <bitbucketSecret> is the S4 Bitbucket secret you copied to the clipboard: paste it at the end of the URL in place of the placeholder. Your webhook URL should have exactly that form, with no trailing slash or extra path.
Note: We also advise that you select the Pull requests: created/updated triggers. These fire on the main pull request events and are the intended way to use this integration. Scans may still run on other triggers, but S4 can then fail when posting results, because only pull request events carry a pull request for the findings to be attached to.
- You must now create an App Password. Open your Bitbucket account settings and click "Personal settings".
- On the page that loads, select App passwords, then click the Create app password button.
- Enter a label for the app password and check only the Read and Write permissions for Pull requests; the integration needs no other scopes, so do not grant more. Click Create. The page refreshes and shows the app password once; copy it to the clipboard. If you also keep a copy, store it in a password manager rather than a plain local file, since it acts with the full rights of your Bitbucket account on any repository it can reach.
- Return to the browser window you left open earlier, showing the Bitbucket tab of the S4 Salesforce org Info screen. Enter the Repository Name (exactly as it appears in Bitbucket) and your Bitbucket Username in the corresponding fields. If you want S4 to create a new pull request based off your current branch, select the Is Pull Request Required check box. Finally, paste the App Password from the previous step into the corresponding field. Click Verify and Save.
- To verify this is working, take an action that fires the trigger you selected, for example open or update a pull request. The scan begins as soon as Bitbucket delivers the event; Bitbucket's webhook request history for the repository shows whether the delivery to S4 succeeded. Scans typically take between 5 and 15 minutes. S4 will send a notification email once the scan has completed, including a link to your S4 Findings Detail Report.
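The following is an added example, not code from S4 or DigitSec, that models the three pieces the procedure above configures: building the webhook URL with the secret appended, deciding whether a Bitbucket delivery is one of the pull request events S4 can post results to, and the HTTP Basic credential Bitbucket expects for an app password. The webhook base URL and the event names (`pullrequest:created`, `pullrequest:updated`, delivered in Bitbucket's `X-Event-Key` header) are as documented by S4 and Bitbucket Cloud; the sample payloads, workspace and repository names are constructed for the example, and the secret and app password are placeholders.

```python
import base64
import urllib.parse
import urllib.request

# Base URL from the S4 instructions; the org-specific secret is appended to it.
S4_WEBHOOK_BASE = "https://s4.digitsec.com/webhooks/bitbucket/"

# Bitbucket Cloud event keys for the "Pull requests: created/updated" triggers.
PR_EVENTS = {"pullrequest:created", "pullrequest:updated"}


def build_webhook_url(bitbucket_secret: str) -> str:
    """Append the S4 Bitbucket secret to the webhook base URL.

    The secret in the path is what ties deliveries to your S4 org, so it is
    validated like a credential: it must be non-empty and must survive a URL
    round trip unchanged (no spaces, slashes or other characters that a
    browser or proxy might rewrite on the way to S4).
    """
    secret = bitbucket_secret.strip()
    if not secret:
        raise ValueError("empty S4 Bitbucket secret; copy it from the Edit Org Info page")
    if urllib.parse.quote(secret, safe="") != secret:
        raise ValueError("secret contains characters that would be rewritten inside a URL")
    return S4_WEBHOOK_BASE + secret


def classify_delivery(event_key: str, payload: dict) -> dict:
    """Decide whether a webhook delivery is one S4 can attach findings to.

    Only pull request events carry a `pullrequest` object with the id and
    branches needed to post results on the PR; a repo:push delivery has
    nothing to comment on, which is why other triggers can produce errors.
    """
    if event_key not in PR_EVENTS:
        return {"accepted": False, "reason": f"unsupported event {event_key}"}
    pr = payload.get("pullrequest")
    if not pr or "id" not in pr:
        return {"accepted": False, "reason": "no pullrequest object in payload"}
    return {
        "accepted": True,
        "repo": payload.get("repository", {}).get("full_name"),
        "pr_id": pr["id"],
        "source_branch": pr["source"]["branch"]["name"],
        "destination_branch": pr["destination"]["branch"]["name"],
    }


def basic_auth_header(username: str, app_password: str) -> str:
    """Bitbucket app passwords are sent as HTTP Basic credentials together
    with the account username, the same pair entered on the S4 Bitbucket tab."""
    token = base64.b64encode(f"{username}:{app_password}".encode()).decode()
    return f"Basic {token}"


def pull_requests_request(username: str, app_password: str,
                          workspace: str, repo_slug: str) -> urllib.request.Request:
    """Build (without sending) a request against the Bitbucket Cloud 2.0 API
    that lists the repository's pull requests. Sending it with urllib before
    clicking Verify and Save confirms the app password has the Pull requests
    read scope and that the repository name is spelled exactly as in Bitbucket."""
    url = f"https://api.bitbucket.org/2.0/repositories/{workspace}/{repo_slug}/pullrequests"
    req = urllib.request.Request(url)
    req.add_header("Authorization", basic_auth_header(username, app_password))
    req.add_header("Accept", "application/json")
    return req


# Constructed sample deliveries, shaped like Bitbucket Cloud webhook payloads.
SAMPLE_PR_CREATED = {
    "repository": {"full_name": "example-workspace/example-repo"},
    "pullrequest": {
        "id": 42,
        "title": "Add login validation",
        "source": {"branch": {"name": "feature/login-validation"}},
        "destination": {"branch": {"name": "main"}},
    },
}
SAMPLE_PUSH = {
    "repository": {"full_name": "example-workspace/example-repo"},
    "push": {"changes": []},
}


if __name__ == "__main__":
    # Placeholder secret and app password; substitute the values from S4 and Bitbucket.
    print(build_webhook_url("abc123DEF"))
    print(classify_delivery("pullrequest:created", SAMPLE_PR_CREATED))
    print(classify_delivery("repo:push", SAMPLE_PUSH))
    req = pull_requests_request("alice", "app-password-placeholder",
                                "example-workspace", "example-repo")
    print(req.full_url, req.get_header("Authorization"))
```

The request builder deliberately does not send anything, so the script runs offline; to use it as a pre-flight check, pass the returned request to `urllib.request.urlopen` and expect a 200 with a JSON list of pull requests (a 401 means the username or app password is wrong, a 403 means the Pull requests scope was not granted, a 404 usually means the repository name does not match Bitbucket's slug).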