Bitbucket Pipelines
Basic Pipeline
Add to bitbucket-pipelines.yml:

image: golang:1.21

pipelines:
  default:
    - step:
        name: Secret Scanning
        script:
          - go install github.com/varalys/redactyl@latest
          - redactyl scan --no-tui

With Artifacts
Save findings as artifacts:

pipelines:
  default:
    - step:
        name: Secret Scanning
        script:
          - go install github.com/varalys/redactyl@latest
          - redactyl scan --json > redactyl-findings.json
        artifacts:
          - redactyl-findings.json

Pull Request Scanning
pipelines:
  pull-requests:
    '**':
      - step:
          name: PR Secret Scan
          script:
            - go install github.com/varalys/redactyl@latest
            - redactyl scan --no-tui

Container Scanning
pipelines:
  default:
    - step:
        name: Build
        services:
          - docker
        script:
          - docker build -t myapp:$BITBUCKET_COMMIT .
          - docker save myapp:$BITBUCKET_COMMIT > image.tar
        artifacts:
          - image.tar

    - step:
        name: Scan Image
        script:
          - go install github.com/varalys/redactyl@latest
          - redactyl scan image.tar --json > findings.json
        artifacts:
          - findings.json

definitions:
  services:
    docker:
      memory: 2048

Helm Chart Scanning
pipelines:
  default:
    - step:
        name: Scan Helm Charts
        script:
          - go install github.com/varalys/redactyl@latest
          - redactyl scan --helm ./charts --json > helm-findings.json
        artifacts:
          - helm-findings.json

Branch-Specific Scanning
pipelines:
  branches:
    main:
      - step:
          name: Full Scan
          script:
            - go install github.com/varalys/redactyl@latest
            - redactyl scan --deep --no-tui

    feature/*:
      - step:
          name: Quick Scan
          script:
            - go install github.com/varalys/redactyl@latest
            - redactyl scan --staged --no-tui

Scheduled Scans
# bitbucket-pipelines.yml has no schedules key. Define a custom pipeline here,
# then create the schedule for it (cron '0 0 * * *', branch main) in the
# repository under Pipelines > Schedules.
pipelines:
  custom:
    nightly-scan:
      - step:
          name: Nightly Scan
          script:
            - go install github.com/varalys/redactyl@latest
            - redactyl scan --deep --json > nightly-findings.json
          artifacts:
            - nightly-findings.json

Using Repository Variables
Set variables in Bitbucket settings:

pipelines:
  default:
    - step:
        script:
          - go install github.com/varalys/redactyl@latest
          - redactyl scan --severity $REDACTYL_SEVERITY --no-tui

Caching
Speed up builds with caching:

pipelines:
  default:
    - step:
        name: Secret Scanning
        caches:
          - go
        script:
          - go install github.com/varalys/redactyl@latest
          - redactyl scan --no-tui

definitions:
  caches:
    go: /go/pkg/mod

Fail Conditions
Continue on findings (for visibility without blocking):

pipelines:
  default:
    - step:
        name: Secret Scanning
        script:
          - go install github.com/varalys/redactyl@latest
          - redactyl scan --json > findings.json || true
        after-script:
          - cat findings.json
        artifacts:
          - findings.json

Parallel Steps
pipelines:
  default:
    - parallel:
        - step:
            name: Secret Scan
            script:
              - go install github.com/varalys/redactyl@latest
              - redactyl scan --no-tui

        - step:
            name: Build
            script:
              - npm install
              - npm run build