BitBucket CI

nctl integrates and works with the BitBucket CI and allows scanning against security team-defined policies which ensures addressing of misconfigurations in the pipeline alongside other tests and vulnerability scanning. The nctl scan step will trigger the scan. In case of a failure, the entire build can be configured to fail. This means that the test pipeline will fail, and the users will get quick feedback for their changes. The results of the pipeline are published to NCH for viewing.

NCH provides insights to platform administrators on overall compliance of different code repositories in their organization. Learn more about BitBucket CI pipelines and their configuration from this official documentation.

Understanding the BitBucket CI Workflow

To see pipeline scanning with BitBucket CI in action:

Install nctl in the BitBucket pipeline

Add the install nctl build to the bitbucket-pipelines.yml file in the repository. The build installs the nctl CLI and is stored as an artifact for future builds. The following code does that:

pipelines:
  default:
      - step:
          name: 'install nctl'
          script:
            - echo "Installing nctl.."
            - echo "Downloading and Installing NCTL 4.2.0"
            - download_url="https://nirmata-downloads.s3.us-east-2.amazonaws.com/nctl/nctl_4.2.0/nctl_4.2.0_linux_amd64.zip"
            - curl -L -o nctl.zip $download_url
            - unzip -o nctl.zip
            - echo "Verify Installation.."
            - chmod 755 ./nctl
            - ./nctl version
          artifacts:
            paths:
            - nctl

Scan Repository files for misconfiguration

The nctl-scan-repo build scans the configuration files available in the repository for any misconfigurations. The --policies argument points to the directory containing security policies.

Note: The policies can also be stored in a different BitBucket repository. Refer to the sample list of policies here.

After the execution of this build, the pipeline will fail if there are misconfigurations which will force the developer to debug and fix the issue at the source.

      - step:                  # This build scans config files for misconfigurations.
          name: 'nctl-scan-repo' # It only starts when the build in the install stage completes successfully.
          script:
            - echo "Running nctl scan.."
            - git remote set-url origin https://bitbucket.org/nirmata1/nctl-scan-demo/
            - git checkout main    # Checkout the branch of choice or use pipeline variables to specify the branch.
            - ./nctl login --url https://staging.nirmata.co --userid <USER_ID> --token <API_TOKEN>
            - ./nctl scan repository --policies Update

Note: Replace <USER_ID> and <API_TOKEN> with the NCH ID and token respectively.

This pipeline runs in two stages: install-nctl and scan. Both can be visualized in the BitBucket UI. The image below represents the same.

image