
Bitbucket Pipelines

Add to bitbucket-pipelines.yml:

# Minimal secret-scanning pipeline. `default` runs for pushes to any branch
# that no more specific pipeline section matches.
image: golang:1.21

pipelines:
  default:
    - step:
        name: Secret Scanning
        script:
          # @latest resolves to whichever release is newest at build time.
          # Pin a reviewed release tag here so every run installs the same
          # scanner binary.
          - go install github.com/varalys/redactyl@latest
          # --no-tui presumably disables the interactive terminal UI so the
          # output is plain text in the CI log.
          - redactyl scan --no-tui

Save findings as artifacts:

# Same scan, but the JSON report is kept as a downloadable build artifact.
pipelines:
  default:
    - step:
        name: Secret Scanning
        script:
          - go install github.com/varalys/redactyl@latest
          # stdout is redirected, so findings land in the file rather than
          # in the build log.
          - redactyl scan --json > redactyl-findings.json
        artifacts:
          # NOTE(review): anyone who can view the pipeline can download this
          # file. If the report includes matched secret values rather than
          # redacted ones, treat the artifact as sensitive and rotate any
          # credential it lists.
          - redactyl-findings.json
# Scan on every pull request, whatever the source branch is called.
pipelines:
  pull-requests:
    # The glob must stay quoted: an unquoted leading `*` is a YAML alias.
    # Pull requests opened from forks do not trigger this section, so fork
    # contributions need a separate check before merge.
    '**':
      - step:
          name: PR Secret Scan
          script:
            - go install github.com/varalys/redactyl@latest
            - redactyl scan --no-tui
# Two-step container scan: build and export the image, then scan the tarball.
pipelines:
  default:
    - step:
        name: Build
        services:
          - docker
        script:
          # Tag with the commit hash so the image maps to one revision.
          - docker build -t myapp:$BITBUCKET_COMMIT .
          # Export to a tar file; this is how the image reaches the next step.
          - docker save myapp:$BITBUCKET_COMMIT > image.tar
        artifacts:
          # The tarball carries every image layer. If a secret was baked into
          # a layer, this artifact contains it too, so limit who can download
          # pipeline artifacts.
          - image.tar
    - step:
        name: Scan Image
        script:
          - go install github.com/varalys/redactyl@latest
          - redactyl scan image.tar --json > findings.json
        artifacts:
          - findings.json

definitions:
  services:
    docker:
      # Memory allotted to the docker service, in megabytes.
      memory: 2048
# Scan the Helm charts under ./charts and keep the JSON report.
pipelines:
  default:
    - step:
        name: Scan Helm Charts
        script:
          - go install github.com/varalys/redactyl@latest
          # NOTE(review): confirm whether --helm scans the chart sources or
          # the rendered templates. Values supplied only at deploy time would
          # not be visible to a source-only scan.
          - redactyl scan --helm ./charts --json > helm-findings.json
        artifacts:
          - helm-findings.json
# Branch-specific depth: thorough scan on main, faster scan on feature/*.
pipelines:
  branches:
    main:
      - step:
          name: Full Scan
          script:
            - go install github.com/varalys/redactyl@latest
            - redactyl scan --deep --no-tui
    feature/*:
      - step:
          name: Quick Scan
          script:
            - go install github.com/varalys/redactyl@latest
            # NOTE(review): --staged presumably limits the scan to the git
            # index. A fresh CI clone has nothing staged, so this step may
            # pass without examining any file. Verify with a planted test
            # secret, or scan the diff against the target branch instead.
            - redactyl scan --staged --no-tui
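# bitbucket-pipelines.yml has no `schedules` section. Schedules are created
# in the repository's Pipelines schedule settings and point at a pipeline
# defined in this file. The nightly scan is therefore a custom pipeline:
# add a daily schedule for branch `main` that runs `nightly-scan` (the
# original intent was 00:00 every day).
pipelines:
  custom:
    nightly-scan:
      - step:
          name: Nightly Scan
          script:
            # Pin a reviewed release tag instead of @latest so an unattended
            # nightly job does not pick up an unreviewed scanner build.
            - go install github.com/varalys/redactyl@latest
            - redactyl scan --deep --json > nightly-findings.json
          artifacts:
            # Nobody watches a scheduled run, so the report is only useful
            # if something reads it. Wire up a notification or review step.
            - nightly-findings.json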

Set variables in Bitbucket settings:

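# The severity threshold is read from a variable named REDACTYL_SEVERITY,
# defined in Bitbucket's repository or workspace variable settings.
pipelines:
  default:
    - step:
        script:
          - go install github.com/varalys/redactyl@latest
          # Quoted and guarded: if the variable is unset the step fails with
          # a clear message. Unquoted, an empty expansion would leave
          # --severity without a value, and it could consume --no-tui.
          - 'redactyl scan --severity "${REDACTYL_SEVERITY:?set REDACTYL_SEVERITY in repository variables}" --no-tui'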

Speed up builds with caching:

# Reuse downloaded Go modules between runs to shorten the install step.
pipelines:
  default:
    - step:
        name: Secret Scanning
        caches:
          # Refers to the custom cache declared under `definitions` below.
          - go
        script:
          # The cache is restored from earlier builds of this repository.
          # Pinning a release tag instead of @latest keeps the installed
          # scanner version predictable across cached and uncached runs.
          - go install github.com/varalys/redactyl@latest
          - redactyl scan --no-tui

definitions:
  caches:
    # Directory saved and restored under the cache name `go`.
    go: /go/pkg/mod

Continue on findings (for visibility without blocking):

# Report-only mode: findings are recorded but never fail the build.
pipelines:
  default:
    - step:
        name: Secret Scanning
        script:
          - go install github.com/varalys/redactyl@latest
          # `|| true` hides every non-zero exit, not only "findings present".
          # A scanner crash also passes and leaves an empty or partial file
          # that looks like a clean result. Use this as a temporary rollout
          # setting and check that findings.json is well-formed.
          - redactyl scan --json > findings.json || true
        after-script:
          # NOTE(review): this prints the full report into the build log. If
          # the JSON includes matched secret values, everyone with log access
          # can read them. Prefer the artifact alone, or a redacted summary.
          - cat findings.json
        artifacts:
          - findings.json
# Run the secret scan alongside the build so it adds no wall-clock time.
pipelines:
  default:
    - parallel:
        # NOTE(review): the two steps need different toolchains (Go and
        # npm). Set `image:` per step if the pipeline-wide image does not
        # provide both.
        - step:
            name: Secret Scan
            script:
              - go install github.com/varalys/redactyl@latest
              - redactyl scan --no-tui
        - step:
            name: Build
            script:
              # Runs concurrently with the scan, so a failing scan does not
              # stop this step from starting. Gate later deploy steps on the
              # whole parallel group.
              - npm install
              - npm run build