Automating scanning with Bitbucket Pipelines
Adding a script to your Bitbucket pipeline can automate security scans in Invicti Enterprise. The script automatically triggers a scan whenever you commit any changes.
This document provides guidance on how to automate security scanning in Invicti Enterprise with Bitbucket Pipelines. This method allows you to trigger Invicti Enterprise scans directly within your Bitbucket workflow, automating security testing as part of your CI/CD process.
NOTE: To configure Invicti Enterprise to send detected vulnerabilities as issues in Bitbucket, refer to our detailed guide on integrating Invicti Enterprise with Bitbucket. The integration guide provides step-by-step instructions on setting up and managing the integration, and exporting vulnerabilities to Bitbucket projects. It focuses on using the Invicti Enterprise user interface for manual actions, whereas this document covers a more automated approach through scripting. |
How to automate scanning in Invicti Enterprise with Bitbucket Pipelines
There are four main steps to this process. Before following these steps, ensure you have prepared the prerequisites listed below.
Prerequisites
- Bitbucket repository with a pipeline set up. (Bitbucket offers a "Starter Pipeline Template" if you need to set one up).
- User ID and API credentials from your Invicti Enterprise account. For instructions on how to retrieve these, refer to our API Settings Overview.
Step 1: Access the pipeline template
Navigate to your project in Bitbucket and locate the pipeline configuration (typically a 'bitbucket-pipelines.yml' file).
Step 2: Add Invicti Enterprise scan step and customize script variables
Insert a new step within your pipeline definition template where you want the Invicti Enterprise scan to occur. In this step, include a script that uses curl to interact with the Invicti Enterprise API. In the provided example script, replace the placeholders in the script with your specific information:
- <PROFILE NAME>: The name of the scan profile configured in your Invicti Enterprise account (which defines the scan settings).
- <TARGET URL>: The URL of the web application you want to scan.
- For an EU instance, use ‘eu.netsparker.cloud’; for a US instance, use ‘netsparkercloud.com’ in the script.
image: atlassian/default-image:3 pipelines: default: - parallel: - step: name: 'Invicti' script: - echo "Invicti Scan will trigger" - step: name: 'Deployment to Staging' deployment: staging script: - curl -u "$USERID:$APITOKEN" -d "{\"ProfileName\":\"<PROFILE NAME>\",\"TargetUri\":\"<TARGET URL>\"}" -H "Content-Type:application/json" -X POST https://www.netsparkercloud.com/api/1.0/scans/newwithprofile |
Step 3: Define environment variables
Instead of hardcoding your USER ID and API TOKEN credentials directly in the script, Bitbucket allows you to define repository variables.
- Go to your Bitbucket repository settings and select Add variables.
- Create variables named USERID (add your Invicti Enterprise User ID) and APITOKEN (add your Invicti Enterprise API Token) to securely store your Invicti Enterprise credentials there.
- Modify the curl command in your script (in step 2 of this document) to use these variables (e.g., $USERID and $APITOKEN) for improved security.
Step 4: Commit and trigger
Commit the changes to your ‘bitbucket-pipelines.yml file’. This commit will trigger the pipeline, which will execute your script and initiate an Invicti Enterprise scan on the specified URL using the selected scan profile.
