You just finished writing your CI/CD pipeline script. It works, your application builds and runs, but is your application secure?
Every component of your application, such as code, dependencies, and deployment environments, offers malicious actors additional attack vectors. You need to be proactive to keep your applications secure. Security at every stage of your CI/CD pipeline safeguards against unauthorized access, making your deployments safer and faster.
To support this, Bitbucket Pipelines now includes new native DevSecOps capabilities in a series of off-the-shelf Pipes that cover secret scanning, infrastructure-as-code scanning, and dependency scanning to help ensure your CI/CD pipelines keep your applications secure.
This new set of Pipes expands on the existing ability to build in security scanning through third-party security apps such as Snyk and SonarCloud, among other options. These third-party integrations will continue to be available, but now you can also build security into your CI/CD pipelines natively within Bitbucket without requiring a separate third-party service.
Built on industry-leading open source tools and vulnerability databases, our three security scanning Pipes make it simple to add security checks to your pipelines. You can add these Pipes to your pipeline YAML files like any other Bitbucket Pipe. Each security scanning Pipe is fully integrated with the Pipelines Code Insights report functionality, allowing you to generate security vulnerability reports inside Bitbucket and see inline annotations on pull requests (PRs) showing where vulnerabilities have been found.
This deep integration with Bitbucket Cloud’s existing workflow tools means you can also ensure PRs are blocked from being merged if any open vulnerability is detected on the PR.
Need help using Pipes?
Bitbucket Pipelines has a whole team dedicated to growing and supporting our library of Pipes. If you have any questions or need any help, please post a question in the Pipelines community space and the team will be there to help.
Extend policies like this to the entire organization with Dynamic Pipelines. You can standardize and enforce the implementation of these new native security scanning tools to all your developers, making migration from existing tools a “zero-touch” process for your teams.
This kind of automation elevates your security posture while still letting you deliver software quickly. It provides a consistent way to address vulnerabilities, ensuring application security is built in.
This Pipe leverages the gitleaks secret pattern registry to provide industry-leading secret scanning capabilities. Gitleaks is a SAST tool that detects over 400 different types of hardcoded secrets, such as passwords, API keys, and tokens, in Git repositories.
Scan your Infrastructure as Code (IaC) configuration files to ensure your pipeline follows security best practices. This Pipe leverages the industry-leading KICS scanning tool to provide IaC scanning capabilities natively in Bitbucket.
Check the dependencies used by your code against over 240,000 known vulnerabilities to prevent supply-chain attacks and avoid shipping vulnerable components. This Pipe scans your project's dependencies and reports publicly disclosed vulnerabilities together with their associated CVE entries.
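The three scanning Pipes described above wired into one pipeline, as an added example that is not part of the original post: it runs all three scans in parallel on every pull request so that the Code Insights report and inline annotations land on the PR before merge. The pipe names, versions and image tag are assumed placeholders; take the real ones from the Pipes catalogue.

```yaml
# Added example, not from the original post. Pipe names, versions and
# the image tag are PLACEHOLDERS: replace them with the entries listed in
# the Bitbucket Pipes catalogue for the secret, IaC and dependency scanners.
image: atlassian/default-image:4

definitions:
  steps:
    # Each scan is its own step so a failure in one is reported on its own.
    - step: &secret-scan
        name: Secret scan (gitleaks-based Pipe)
        script:
          - pipe: atlassian/SECRET-SCAN-PIPE-PLACEHOLDER:0.0.0
    - step: &iac-scan
        name: IaC scan (KICS-based Pipe)
        script:
          - pipe: atlassian/IAC-SCAN-PIPE-PLACEHOLDER:0.0.0
    - step: &dependency-scan
        name: Dependency scan (CVE database)
        script:
          - pipe: atlassian/DEPENDENCY-SCAN-PIPE-PLACEHOLDER:0.0.0

pipelines:
  pull-requests:
    '**':                        # every PR, whatever the source branch
      - parallel:                # the three scans run side by side
          - step: *secret-scan
          - step: *iac-scan
          - step: *dependency-scan
  branches:
    main:
      - parallel:                # keep main covered after merge as well
          - step: *secret-scan
          - step: *iac-scan
          - step: *dependency-scan
      - step:
          name: Build
          script:
            - echo "build and test here"
```

Combined with the merge check the post mentions, a PR whose report still has open findings stays blocked until they are resolved.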
We’re excited for you to try out these new security Pipes in your CI/CD pipelines. They are the most accessible tools to help improve your CI/CD security. Let us know what you think; we always read your feedback!
Scott White