BitBucket CI

nctl integrates with BitBucket CI and allows scanning against security team-defined policies, which ensures misconfigurations are addressed in the pipeline alongside other tests and vulnerability scanning. The nctl scan step triggers the scan. In case of a failure, the entire build can be configured to fail. This means that the test pipeline will fail, and users will get quick feedback on their changes. The results of the pipeline are published to NCH for viewing.

NCH provides insights to platform administrators on the overall compliance of the different code repositories in their organization. Learn more about BitBucket CI pipelines and their configuration in the official BitBucket Pipelines documentation.

Understanding the BitBucket CI Workflow

To see pipeline scanning with BitBucket CI in action:

Install nctl in the BitBucket pipeline

Add the "install nctl" step to the bitbucket-pipelines.yml file in your repository. The step downloads the nctl CLI, checks that it runs, and stores the binary as an artifact so later steps can use it without downloading it again. The following code demonstrates this:

```yaml
pipelines:
  default:
    - step:
        name: 'install nctl'
        script:
          - echo "Installing nctl.."
          - echo "Downloading and Installing NCTL 4.2.0"
          # Pinned release archive for Linux amd64
          - download_url="https://nirmata-downloads.s3.us-east-2.amazonaws.com/nctl/nctl_4.2.0/nctl_4.2.0_linux_amd64.zip"
          - curl -L -o nctl.zip $download_url
          - unzip -o nctl.zip
          - echo "Verify Installation.."
          - chmod 755 ./nctl
          # A failing version check fails the step before any artifact is stored
          - ./nctl version
        artifacts:
          # Exposes the binary to the following steps of the pipeline
          paths:
            - nctl
```

Scan Repository files for misconfigurations

The nctl-scan-repo step scans the configuration files in the repository for misconfigurations. The --policies argument points to the directory containing the security policies to scan against.

Note: The policies can also be stored in a different BitBucket repository. Refer to the sample list of policies here.

After this step executes, the pipeline fails if any misconfiguration is found, which requires the developer to debug and fix the issue at the source, before the change is merged.
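The complete pipeline described above, with both steps wired together, as an added example that is not from the Nirmata documentation. The scan subcommand (`nctl scan kubernetes`), the `--resources` flag, the `./manifests` and `./policies` directories, and the `NCTL_SHA256` repository variable are assumptions; only `--policies` and the download URL come from the page, and publishing results to NCH is left out.

```yaml
# Added example: bitbucket-pipelines.yml chaining the install step and the scan step.
# Assumed names: `nctl scan kubernetes`, `--resources`, ./manifests, ./policies, NCTL_SHA256.
pipelines:
  default:
    - step:
        name: 'install nctl'
        script:
          - download_url="https://nirmata-downloads.s3.us-east-2.amazonaws.com/nctl/nctl_4.2.0/nctl_4.2.0_linux_amd64.zip"
          # -f makes curl fail on an HTTP error instead of saving the error page as nctl.zip
          - curl -fsSL -o nctl.zip "$download_url"
          # Pin the release: NCTL_SHA256 is a placeholder repository variable holding the
          # checksum you recorded for this version (no value is given on the page).
          - echo "${NCTL_SHA256}  nctl.zip" | sha256sum -c -
          - unzip -o nctl.zip
          - chmod 755 ./nctl
          - ./nctl version
        artifacts:
          paths:
            - nctl
    - step:
        name: 'nctl-scan-repo'
        script:
          # ./nctl comes from the previous step's artifact; nothing is downloaded here.
          # A non-zero exit from the scan fails this step and therefore the build,
          # which is the feedback loop the text describes.
          - ./nctl scan kubernetes --resources ./manifests --policies ./policies
```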
