Using Bitbucket Pipelines

This article shows you how to track Bitbucket repositories using the Tidelift Subscription. We first create a repository in Tidelift and generate an API token. We next connect Bitbucket Pipelines to the Tidelift Subscription subscriber API as a build step. Finally, we store the token in a secured Bitbucket repository variable so that it never appears in the pipeline file or the build log.

To get started, you will need:

  1. A Tidelift Subscription account (Start your free trial)
  2. An Atlassian account with a corresponding Bitbucket instance

1. Create a repository in Tidelift and generate an API token

After logging into the Tidelift Subscription dashboard, select Repositories and select Track New Repository. Enter your project name as it appears in Bitbucket when prompted:

Close the Upload manifest files dialog to skip manually uploading manifests

Select the Settings tab on the left navigation, select API Keys then select Create a New Repository Key

Select Create API Key next to your project

Select “Show Token Information” and note the token and the team-name/project-name

In the example used throughout this article:

  • token = my-super-secret-token
  • team-name = my-tidelift-team
  • project-name = my-bitbucket-project

2. Connect Bitbucket Pipelines to the Tidelift Subscription subscriber API

Tidelift leverages the Bitbucket Pipelines feature to call the Tidelift Subscription service during your build process as a build step. To incorporate Tidelift into your build process:

Copy the Tidelift Subscription integration script for Bitbucket into the root of your project folder

As with any script you pull into a build, take a moment to review the integration script before committing it: it will run inside your pipeline with access to the API token you configure below

Create a bitbucket-pipelines.yml file in your repository’s root directory if it does not already exist

Include a step in your bitbucket-pipelines.yml named tidelift-scan that calls the Tidelift Subscription integration script. The script requires the curl and jq packages, so make sure the build image provides them or install them in the step. An example step is documented here: Example Bitbucket Pipeline

Be sure to replace your-tidelift-team-name with your Tidelift team name and your-tidelift-repository-name with your Tidelift repository name.

3. Set private variables in Bitbucket for token information

From your Bitbucket repository, select Settings > Repository variables (under Pipelines)

Create a new variable called TL_TOKEN and paste in the Token value you generated at the end of step 1. Select the Secured checkbox to keep this token secure: a secured variable is masked in the pipeline log and cannot be read back from the Bitbucket UI once saved, so keep a copy in your secrets store if you will need it again.
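Putting steps 2 and 3 together, here is a complete bitbucket-pipelines.yml for the example team and project named above. This is an added example, not the "Example Bitbucket Pipeline" linked from the Tidelift documentation or the project's own code. It assumes the integration script was saved at the repository root as ./tidelift-bitbucket.sh (a hypothetical filename) and that it reads the team name, repository name and token from the environment variables shown; check the script you downloaded for the names and arguments it actually expects.

```yaml
# bitbucket-pipelines.yml (added example; filename and variable names below are assumptions)
image: atlassian/default-image:4

pipelines:
  default:
    - step:
        name: tidelift-scan
        script:
          # The Tidelift integration script needs curl and jq.
          - apt-get update && apt-get install -y curl jq
          # Non-secret identifiers may live in the pipeline file.
          # Replace these with your own Tidelift team and repository names.
          - export TIDELIFT_TEAM=my-tidelift-team
          - export TIDELIFT_PROJECT=my-bitbucket-project
          # TL_TOKEN is the Secured repository variable from step 3. It is
          # never written here. Fail fast if it is missing, without printing it.
          - 'test -n "$TL_TOKEN" || { echo "TL_TOKEN repository variable is not set" >&2; exit 1; }'
          # Hypothetical script name; use the filename of the script you downloaded.
          - ./tidelift-bitbucket.sh
```

Two points worth checking in your own file: do not add `set -x` or an `echo` of `$TL_TOKEN` to the step, because that would print the token into the build log in clear, and keep the non-secret team and repository names out of the secured variable so that the only secret in play is the token itself.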

🙌 Woo hoo! 🙌 You have successfully configured Bitbucket to work with the Tidelift Subscription

Reviewing your scan results in Bitbucket

After the tidelift-scan step of your Pipeline executes, you will see when your builds fail or succeed. The fail or pass is determined by your Tidelift open source policy. You can see the default policy and learn how to configure this policy to meet the needs of your organization.

In the above example, John ran a build where he inadvertently added a dependency with a security vulnerability. Tidelift automatically failed the build, preventing the vulnerability from reaching production. After removing the affected dependency, his build succeeded.

Still need help? Contact Us