
DevSecOps with Atlassian Bitbucket


This article was originally published at ShiftLeft Blog.

In my inaugural post on DevSecOps with GitHub, I made an assertion that achieving good productivity is a continuous journey and a shared responsibility. While technology and security vendors offer good secure defaults out-of-the-box, an effective understanding of product capabilities along with an optimal process will improve both developer productivity and security.

Conversations about productivity and collaboration usually include Atlassian-branded products in some form. Products such as Jira and Bitbucket have become synonymous with agile workflows and technology teams. At a high level, Atlassian products are known for:

  • Integrated experience where data can be used, linked, queried and shared across products
  • A good UX with powerful no-code and low-code search, workflow and reporting capabilities

ShiftLeft Inc has been a partner of Atlassian ever since our startup days in Santa Clara. The Jira integration in our NextGen static analysis platform is one of the best in the industry. In this post, I explore Bitbucket from a DevSecOps perspective and share my observations, along with working scripts and code snippets for the curious.

Bitbucket IaC with Terraform

Bitbucket has a feature-rich REST and JavaScript API and a functional Terraform provider that needs nothing more than an app password to authenticate. Below are some use cases that are possible with this Terraform provider:

1. Rolling out branch protection policies across repositories

Branch protection policies such as enforcing merge checks and restricting direct pushes are a breeze with the branch_restriction Terraform resource.

2. Creating rolling repository secrets

With a bit of for_each Terraform magic, rolling out repository secrets across all the repositories is simple, as shown in the code snippet below. In fact, the snippet is taken from our recommended Terraform module for automating ShiftLeft deployments for Bitbucket teams.
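An added Terraform example (not ShiftLeft's module) that covers both use cases above: two branch_restriction resources applied to every repository, and a for_each rollout of one secured repository variable. The provider source, the workspace and repository names, the variable key and the use of environment variables for the app password are assumptions.

```hcl
terraform {
  required_providers {
    bitbucket = {
      source = "terraform-providers/bitbucket"   # assumed provider source
    }
  }
}

# Assumption: BITBUCKET_USERNAME / BITBUCKET_PASSWORD (the app password) are
# set in the environment, so no credential is written into this file.
provider "bitbucket" {}

variable "workspace" { default = "example-workspace" }            # assumed
variable "repositories" { default = ["backend-api", "frontend-web"] } # assumed
variable "shiftleft_token" { sensitive = true }

# Branch protection: no direct pushes to master, in every repository.
resource "bitbucket_branch_restriction" "no_direct_push" {
  for_each   = toset(var.repositories)
  owner      = var.workspace
  repository = each.value
  kind       = "push"
  pattern    = "master"
}

# Merge check: at least one passing build before a merge into master.
resource "bitbucket_branch_restriction" "require_passing_build" {
  for_each   = toset(var.repositories)
  owner      = var.workspace
  repository = each.value
  kind       = "require_passing_builds_to_merge"
  pattern    = "master"
  value      = 1
}

# Rolling secret: the same secured pipeline variable in every repository.
# Assumption: the provider expects "workspace/slug" as the repository id.
resource "bitbucket_repository_variable" "shiftleft_token" {
  for_each   = toset(var.repositories)
  repository = "${var.workspace}/${each.value}"
  key        = "SHIFTLEFT_ACCESS_TOKEN"   # assumed variable name
  value      = var.shiftleft_token
  secured    = true
}
```

Adding a repository to the list and running `terraform apply` gives it the same protections and secret as the others; removing one revokes them.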

Master the Pipelines configuration

Bitbucket supports a single pipeline configuration file that can be used for all stages of the DevOps life cycle — from build, test and static analysis to deployment. There are a few techniques that can be used to improve the DevOps workflow.

1. Use YAML anchors and parallel steps

YAML anchors are a convenient way to encourage reuse within a YAML configuration file. Not only do they reduce copy-paste in the same file, they also help produce reusable configurations that can be shared across applications. Combined with parallel steps, there is an opportunity to achieve both maintainability and performance.

In the above example, four build steps are defined:

  1. Build microservices using maven
  2. Build React app using yarn
  3. ShiftLeft analysis for Java
  4. ShiftLeft analysis for JavaScript/TypeScript

In the pipelines, the definitions are re-used in various fashions depending on the workflow.

  1. For pull requests to the master branch, both the microservice and the React frontend application are built. ShiftLeft analysis is then performed in parallel to reduce the overall time.
  2. For feature branches, only the backend application is built. ShiftLeft analysis is available on a needed basis with a manual trigger depending on the developer’s preference.

While the example is from a ShiftLeft customer workflow, it demonstrates best practices and code reuse. Without YAML anchors, the same build and analyze commands would be copy-pasted numerous times, making the configuration unnecessarily long.
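A bitbucket-pipelines.yml reconstructed from the description above, as an added example rather than the customer's file: four anchored step definitions, both builds and both analyses in parallel for pull requests, and a manual analysis step on feature branches. Docker images, build commands, the sl CLI invocation and the branch patterns are assumptions; Bitbucket matches the pull-requests keys against the source branch, so '**' is used to cover pull requests towards master.

```yaml
# bitbucket-pipelines.yml (added example; images, commands and app names are assumed)
image: maven:3.8-openjdk-11

definitions:
  steps:
    - step: &build-backend          # 1. Build microservices using maven
        name: Build backend
        caches: [maven]
        script:
          - mvn -B -DskipTests package
        artifacts:
          - target/**
    - step: &build-frontend         # 2. Build React app using yarn
        name: Build frontend
        image: node:16
        caches: [node]
        script:
          - yarn install --frozen-lockfile
          - yarn build
        artifacts:
          - build/**
    - step: &sl-analyze-java        # 3. ShiftLeft analysis for Java (sl CLI assumed on PATH)
        name: ShiftLeft analysis (Java)
        script:
          - sl analyze --wait --app "$BITBUCKET_REPO_SLUG" --java target/*.jar
    - step: &sl-analyze-js          # 4. ShiftLeft analysis for JavaScript/TypeScript
        name: ShiftLeft analysis (JS/TS)
        image: node:16
        script:
          - sl analyze --wait --app "$BITBUCKET_REPO_SLUG-ui" --js .

pipelines:
  pull-requests:
    '**':                           # pull requests from any source branch
      - parallel:                   # both builds run side by side
          - step: *build-backend
          - step: *build-frontend
      - parallel:                   # both analyses run side by side once artifacts exist
          - step: *sl-analyze-java
          - step: *sl-analyze-js
  branches:
    'feature/*':
      - step: *build-backend
      - step:                       # same definition, but only when a developer triggers it
          <<: *sl-analyze-java
          trigger: manual
```

The `<<:` merge key reuses an anchored step while overriding single fields, which is how the manual trigger is added without duplicating the analysis script.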

2. Use local proxy to avoid app passwords

Bitbucket Pipelines exposes a proxy server at http://localhost:29418 and, for docker images, at http://host.docker.internal:29418. The proxy server can be used to make authenticated REST API requests without any app password, as shown.

3. Explore Bitbucket pipes and Code insights

Pipes are custom docker-based build steps that offer additional functionality to the pipelines. Code Insights, on the other hand, is useful for annotating pull requests and providing metrics based on automation tool reports. An official Bitbucket pipe for ShiftLeft is a highly requested feature and one we are actively exploring. Below is an example Python script that was developed as part of a PoC to showcase ShiftLeft NG SAST integration with Bitbucket Code Insights.

The script can be used as a template for building a Code Insights integration for any other JSON-based report. Save this script as sl-insights.py in your repo. You can then invoke it from the pipelines as shown:
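An added example script in the spirit of sl-insights.py (not ShiftLeft's script) that also uses the local proxy from the previous section: it turns a list of findings into a Code Insights report plus one annotation per finding, and publishes both through the proxy. The findings shape, the report id, the severity mapping and the pipeline environment variables it reads are assumptions.

```python
"""Publish SAST findings to Bitbucket Code Insights through the pipeline-local proxy.
Added example, not ShiftLeft's sl-insights.py. The findings shape (title/severity/
file/line/description) is constructed here; adapt it to your scanner's JSON output."""
import json, os, sys, urllib.request

PROXY = "http://localhost:29418"   # inside a container use host.docker.internal:29418
REPORT_ID = "sast-example-001"     # assumed report id; keep it stable so reruns overwrite
SEVERITY = {"critical": "CRITICAL", "high": "HIGH", "medium": "MEDIUM", "low": "LOW"}
MAX_ANNOTATIONS = 100              # the bulk annotations endpoint takes at most 100 per call
SAMPLE_FINDINGS = [                # constructed sample input
    {"title": "SQL injection", "severity": "high", "file": "src/Dao.java",
     "line": 42, "description": "Untrusted input reaches a query string"},
    {"title": "Log forging", "severity": "low", "file": "src/Log.java", "line": 7},
]

def build_report(findings):
    """Report card for the commit: FAILED when any critical/high finding exists."""
    high = sum(1 for f in findings if f.get("severity", "").lower() in ("critical", "high"))
    return {"title": "ShiftLeft NG SAST", "report_type": "SECURITY", "reporter": "sl-insights",
            "details": f"{len(findings)} findings, {high} critical/high",
            "result": "FAILED" if high else "PASSED",
            "data": [{"title": "Findings", "type": "NUMBER", "value": len(findings)},
                     {"title": "Critical/High", "type": "NUMBER", "value": high}]}

def build_annotations(findings):
    """One inline annotation per finding, capped at the bulk limit; unknown severity -> LOW."""
    out = []
    for i, f in enumerate(findings[:MAX_ANNOTATIONS]):
        sev = SEVERITY.get(f.get("severity", "").lower(), "LOW")
        out.append({"external_id": f"{REPORT_ID}-{i}", "title": f["title"],
                    "annotation_type": "VULNERABILITY", "severity": sev,
                    "summary": f.get("description", f["title"])[:450],
                    "path": f["file"], "line": int(f["line"]),
                    "result": "FAILED" if sev in ("CRITICAL", "HIGH") else "PASSED"})
    return out

def publish(workspace, repo, commit, report, annotations):
    """PUT the report, then POST its annotations; the proxy attaches the credentials."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({"http": PROXY}))
    base = f"http://api.bitbucket.org/2.0/repositories/{workspace}/{repo}/commit/{commit}/reports/{REPORT_ID}"
    for url, method, body in ((base, "PUT", report), (base + "/annotations", "POST", annotations)):
        req = urllib.request.Request(url, data=json.dumps(body).encode(), method=method,
                                     headers={"Content-Type": "application/json"})
        opener.open(req).read()

if __name__ == "__main__":   # usage in a pipeline step: python3 sl-insights.py findings.json
    findings = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_FINDINGS
    publish(os.environ["BITBUCKET_WORKSPACE"], os.environ["BITBUCKET_REPO_SLUG"],
            os.environ["BITBUCKET_COMMIT"], build_report(findings), build_annotations(findings))
```

Because the report id is fixed per reporter, rerunning the step on the same commit replaces the earlier report instead of stacking duplicates.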

[Screenshot: ShiftLeft NG SAST integration with Bitbucket Code Insights (upcoming feature)]

The screenshot shows the ShiftLeft NextGen Analysis results for a sample pull request run. Incidentally, this script is a way to achieve Code Insights integration without building a pipe, and is useful for PoC purposes.

Closing Thoughts

By limiting itself to Bitbucket, this post doesn't cover the numerous DevOps and productivity features found in other Atlassian products: Jira Automation, the upcoming Jira-Bitbucket code integration, automatic Jira issue creation from Code Insights, and so on. As a developer, I have always enjoyed reading the git workflow documentation from Atlassian developers. As a technology partner, I continue to be amazed by the creativity, integration and uniqueness offered by Bitbucket in an otherwise crowded marketplace.

Are there any Bitbucket DevSecOps tips that you would like to share? Please tweet or DM me on Twitter.




*** This is a Security Bloggers Network syndicated blog from ShiftLeft Blog - Medium authored by Prabhu Subramanian. Read the original post at: https://blog.shiftleft.io/devsecops-with-atlassian-bitbucket-8023b1e2284b?source=rss----86a4f941c7da---4