Using Bitbucket Pipelines
This article shows you how to track Bitbucket repositories using the Tidelift Subscription. We first create a repository in Tidelift and generate an API token. We next connect Bitbucket Pipelines to the Tidelift Subscription subscriber API as a build step. Finally, we set appropriate variables in Bitbucket to keep private token information secure.
To get started, you will need:
- A Tidelift Subscription account (Start your free trial)
- An Atlassian account with a corresponding Bitbucket instance
1. Create a repository in Tidelift and generate an API token
After logging into the Tidelift Subscription dashboard, select Repositories, then select Track New Repository. When prompted, enter your project name exactly as it appears in Bitbucket:
Close the Upload manifest files dialog to skip manually uploading manifests
Select the Settings tab in the left navigation, select API Keys, then select Create a New Repository Key
Select Create API Key next to your project
Select “Show Token Information” and note the token and team-name/project-name
In the above example:
- token = my-super-secret-token
- team-name = my-tidelift-team
- project-name = my-bitbucket-project
2. Connect Bitbucket Pipelines to the Tidelift Subscription subscriber API
Tidelift leverages the Bitbucket Pipelines feature to call the Tidelift Subscription service during your build process as a build step. To incorporate Tidelift into your build process:
Copy the Tidelift Subscription integration script for Bitbucket into the root of your project folder
As with ANY script, please take a moment to review the integration script
Create a bitbucket-pipelines.yml file in your repository’s root directory if it does not already exist
Include a step in your bitbucket-pipelines.yml named tidelift-scan to call the Tidelift Subscription integration script. The script requires the curl and jq packages. An example step is documented here: Example Bitbucket Pipeline
Be sure to replace your-tidelift-team-name with your Tidelift team name and your-tidelift-repository-name with your Tidelift repository name.
3. Set private variables in Bitbucket for token information
From your Bitbucket repository, select Settings > Repository variables (under Pipelines)
Create a new variable called TL_TOKEN and paste in the Token value you generated at the end of step 1. Select the Secured checkbox so the token is stored encrypted and masked in pipeline logs.
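A constructed bitbucket-pipelines.yml that wires together steps 2 and 3, added here as an example rather than Tidelift's own sample pipeline. The script filename ./tidelift-scan.sh and the TIDELIFT_TEAM / TIDELIFT_REPOSITORY variable names are assumptions; adjust them to match the integration script you downloaded.

```yaml
# Constructed example bitbucket-pipelines.yml (not Tidelift's own sample).
# Assumptions: the downloaded integration script is saved as ./tidelift-scan.sh
# in the repository root and reads the team and repository names from the
# TIDELIFT_TEAM and TIDELIFT_REPOSITORY environment variables. Check the script
# you downloaded and adapt these names to whatever it actually expects.
image: alpine:3.19

pipelines:
  default:
    - step:
        name: build-and-test
        script:
          - echo "your normal build and test commands go here"
    - step:
        name: tidelift-scan
        script:
          # The integration script needs curl and jq; install them in the
          # build container instead of committing binaries to the repository.
          - apk add --no-cache bash curl jq
          # Fail fast, without printing the token value, if the Secured
          # repository variable TL_TOKEN from step 3 is missing.
          - 'test -n "$TL_TOKEN" || { echo "TL_TOKEN is not set; add it as a Secured repository variable"; exit 1; }'
          # Team and repository names are not secrets, so they can live in the YAML.
          - export TIDELIFT_TEAM="your-tidelift-team-name"
          - export TIDELIFT_REPOSITORY="your-tidelift-repository-name"
          # A non-zero exit from the script fails the step, which is how a
          # policy violation blocks the build from going further.
          - bash ./tidelift-scan.sh
```

Because TL_TOKEN is marked Secured, Bitbucket masks its value in the step log, so the script should only ever read it from the environment and never echo it.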
🙌 Woo hoo! 🙌 You have successfully configured Bitbucket to work with the Tidelift Subscription
Reviewing your scan results in Bitbucket
After the tidelift-scan step of your Pipeline executes, you will see whether your build failed or succeeded. Pass or fail is determined by your Tidelift open source policy. You can see the default policy and learn how to configure this policy to meet the needs of your organization.
In the above example, John ran a build where he inadvertently added a dependency with a security vulnerability. Tidelift automatically failed the build, preventing the vulnerability from reaching production. After removing the affected dependency, his build succeeded.