Using Bitbucket Pipelines

This article shows you how to track Bitbucket repositories using the Tidelift Subscription. We first create a Project in Tidelift and generate an API token. We next connect Bitbucket Pipelines to the Tidelift Subscription subscriber API as a build step. Finally, we set appropriate variables in Bitbucket to keep private token information secure.

To get started, you will need:

  1. A Tidelift Subscription account (Start your free trial)
  2. An Atlassian account with a corresponding Bitbucket instance

1. Create a Project in Tidelift and generate an API token

After logging into the Tidelift Subscription dashboard, select Projects and select Track New Project. Enter your project name as it appears in Bitbucket when prompted. Select the Catalog to use or leave the default Organization Catalog.

Close the Upload manifest files dialog to skip manually uploading manifests.

Select the Projects actions and settings gear in the left navigation, select Get Project Key, then select Create Project Key.

Select Create API Key next to your project.

Copy the CI/CD usage API_KEY and note the Organization-name/project-name.

In the above example:

  • Organization-name = "Katz Education"
  • project-name = my-bitbucket-project

2. Connect Bitbucket Pipelines to the Tidelift Subscription subscriber API

Tidelift leverages the Bitbucket Pipelines feature to call the Tidelift Subscription service during your build process as a build step. To incorporate Tidelift into your build process:

Copy the Tidelift Subscription integration script for Bitbucket into the root of your project folder.

As with ANY script, please take a moment to review the integration script.

Create a bitbucket-pipelines.yml file in your repository’s root directory if it does not already exist.

Include a step in your bitbucket-pipelines.yml named tidelift-scan to call the Tidelift Subscription integration script. The script requires the curl and jq packages. An example step is documented here: Example Bitbucket Pipeline

Be sure to set the TL_TEAM environment variable to "team/<your-organization-name>" and TL_Project to your Tidelift Project name. Additionally, specify the manifest files for your project that you want to analyze. In the above example, line 11 specifies the project's Gemfile and Gemfile.lock.

3. Set private variables in Bitbucket for token information

From your Bitbucket repository, select Settings > Repository variables (under Pipelines).

Create a new variable called TL_TOKEN and paste in the Token value you generated at the end of step 1. Select the Secured check-mark to keep this token secure.
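An added example (not Tidelift's own pipeline file) of what the resulting bitbucket-pipelines.yml can look like once steps 1 to 3 are done. The script file name tidelift-bitbucket.sh, the ruby build image, and passing the manifest paths as script arguments are assumptions, since the page does not show the integration script's interface.

```yaml
# Assumed build image; use whatever your project already builds with.
image: ruby:3.2

pipelines:
  default:
    - step:
        name: build-and-test
        caches:
          - bundler
        script:
          - bundle install
          - bundle exec rake test
    - step:
        name: tidelift-scan
        script:
          # The integration script needs curl and jq in the build container.
          - apt-get update && apt-get install -y curl jq
          # Team and project identifiers from step 1 (not secrets, so they may live in the file).
          - export TL_TEAM="team/<your-organization-name>"
          - export TL_Project="my-bitbucket-project"
          # TL_TOKEN is deliberately NOT exported here. It is the Secured repository
          # variable from step 3, injected into the step's environment at runtime and
          # masked in the build log. Writing the token into this file would commit it
          # to the repository history.
          # Manifest paths passed as arguments is an assumed interface; the page's own
          # example names Gemfile and Gemfile.lock as the files to analyze.
          - ./tidelift-bitbucket.sh Gemfile Gemfile.lock
```

A quick sanity check before committing: grep the file for `TL_TOKEN=`; the only place that name should appear with a value is the Secured repository variable in the Bitbucket settings UI.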

🙌 Woo hoo! 🙌 You have successfully configured Bitbucket to work with the Tidelift Subscription.

Reviewing your scan results in Bitbucket

After the tidelift-scan step of your Pipeline executes, you will see whether your build failed or succeeded. Whether a build passes or fails is determined by your Tidelift open source policy. You can see the default policy and learn how to configure this policy to meet the needs of your organization.

In the above example, John ran a build where he inadvertently added a dependency with a security vulnerability. Tidelift automatically failed the build, preventing the vulnerability from reaching production. After removing the affected dependency, his build succeeded.