Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Atlassian Community about banner
4,364,679
Community Members
 
Community Events
168
Community Groups

How does Bamboo handle CyberSecurity checks like GitLab does?

How does Bamboo handle CyberSecurity checks like GitLab does?

I mean for Java, Python, PHP and other library/dependencies and code?

 

2 answers

Hi @datasecmx ,

How does Bamboo handle CyberSecurity checks like GitLab does?

Considering that GitLab has its representative in the Atlassian family as Bitbucket Cloud (repository Git) + Bitbucket Pipeline (CI/CD tool), Bamboo does not provide the same features.

Source code validation and vulnerability checks can happen at the repository level in the in Bitbucket Cloud, Bitbucket Server and/or Bitbucket DataCenter, and other source code coverage in Bamboo

There are some plugins responsible for doing this source code coverage (security vulnerability check) and they are listed on https://www.atlassian.com/blog/bitbucket/bitbucket-server-code-insights

GitLab also provides functionality in some extent https://docs.gitlab.com/ee/user/application_security/dependency_scanning

When it comes to Atlassian Bamboo, you have the option of running builds / deployments against a Bamboo agent (Local, Remote, Elastic - EC2) or a Docker container. If using the latest, you can review vulnerability checks when building your Docker image(s) but this happens outside Bamboo and you could simply review that information as a report in Bamboo (not a ready feature)

Atlassian Bamboo simply make use of a Docker image specified in your job or environment and will not warn you about any vulnerability on this regards because it trust that you have created a container from a Docker image that has been previously validated.

Now, when it comes to source code in Bamboo, there are some plugin that can provide you with source code vulnerability check, but this is simply an extension to the code / builder you already have (e.g NPM provides you with npm audit command - https://docs.npmjs.com/auditing-package-dependencies-for-security-vulnerabilities)

Some time ago, SourceClear for Bamboo help you identify and fix security vulnerabilities in the open source software you use. Even though this plugin is marked by the vendor SourceClear to be supported until Bamboo v5.14.5, you could get in touch with the plugin vendor reviewing if they have any plans on continue on extending the feature to latest Bamboo versions.

Hope the above helps.

Kind regards,
Rafael

0 votes

Hi @datasecmx,

I'm not sure If I'm following you on this.
Can you give me more details or references on what you mean by CyberSecurity?

This will help me to look for the information you want.

For instance, in a Java app there is a plugin for library dependency checks , malicious code, dynamic and static tests, etc...

Hi @datasecmx

I asked @Rafael Pinto Sperafico (a community leader) with more knowledge in this area to help with this one. I'm glad that he found some time to share his wisdom with us. I hope it helps.

Suggest an answer

Log in or Sign up to answer
TAGS

Atlassian Community Events