Use the Prisma Cloud App for Bitbucket Server

Secure your Bitbucket workflow by running IaC scans on your pull requests and checking them against Prisma Cloud's comprehensive set of security policies.
The Prisma Cloud app for Bitbucket Server allows you to perform IaC scans on Bitbucket pull requests and check them against Prisma Cloud's comprehensive set of policies. The plugin performs a full repository scan of the branch that the pull request was made from. If policy violations exceed the specified threshold, the pull request is blocked and a comment listing the security issues is displayed. The results are generated within Bitbucket as a report and give you visibility into the security of your Bitbucket workflow.
  1. Install the Prisma Cloud app for Bitbucket Server.
    You must have administrator privileges to install apps on Bitbucket Server.
    1. Launch a browser and go to http://localhost:7990. If you used a different port number, replace 7990 with that number.
    2. Enter your login credentials and authenticate.
    3. Select Admin > Manage apps > Find new apps.
    4. Enter prisma cloud.
    5. Install the app and restart your Bitbucket server.
  2. Specify the settings for the Bitbucket app.
    You configure the Bitbucket app settings to connect it to your instance of Prisma Cloud.
    1. Select Users > Projects > Repositories, and then select the repository you want to scan.
    2. Select the gear icon and then Prisma Cloud Settings.
      • Prisma Cloud API URL—The URL for Prisma Cloud varies depending on the region and cluster on which your tenant is deployed. If the tenant provisioned for you is, for example, https://app2.prismacloud.io or https://app.eu.prismacloud.io, replace app in the URL with api (for example, https://api2.prismacloud.io). Refer to the Prisma Cloud REST API Reference for more details.
      • Prisma Cloud Access Key—Enables programmatic access to Prisma Cloud. To create an access key, select Settings > Access Keys > Add New.
      • Prisma Cloud Secret Key—You should have saved this secret key when you generated it. You cannot view it on the Prisma Cloud web interface.
      • Prisma Cloud SCM Asset Name—The name of the assetName you want to scan. For example, bitbucket-build-test-1.
      • Prisma Cloud SCM Tag—Comma-separated key-value pairs that allow the build to be searched in the DevOps inventory UI of Prisma Cloud. Examples of valid tags: env:dev, tag:value, team:team-one.
      • Template Type—A template is a configuration management tool used to provision resources in the cloud. The supported templates are Terraform, AWS CloudFormation, and Kubernetes templates. Enter the template abbreviations as values, for example TF, CFT, and K8S.
      • Template Version (Optional)—This field applies only if you entered TF in the Template Type field. See what versions of Terraform are supported. The value you enter is a hint: the system attempts to determine the correct version number, and if the version number can't be detected, it uses the value you entered.
    3. Save the settings and click Test Connection to confirm that your login credentials work.
  3. Configure the Failure Threshold.
    1. Specify the number of issues for each severity.
      Select Enabled next to Prisma Cloud IaC Scan to define the number of issues by severity. Set the High: x, Medium: y, Low: z, Operator: O, and Merge: m values. The variables x, y, and z are the number of issues of each severity, O represents the logical operator OR or AND, and m represents YES or NO for the merge request.
      For example:
      • To fail the pull request for any security issue detected—High: 0, Medium: 0, Low: 0, Operator: OR, Merge: no.
      • To never fail the pull request—High: 1000, Medium: 1000, Low: 1000, Operator: AND, Merge: yes.
      Comment Criteria and Task Criteria are two ways to show the report of the IaC scan to the end user. If the number of issues matches the values specified in the Comment Criteria, a comment is created; if the values match a Task Criteria, a task is created.
    2. Generate a pull request.
      Create a pull request by selecting the pull request icon. Enter the details for your pull request.
      An example of a pull request with a comment:
      An example of a pull request with tasks:
      The two tasks must be resolved in order for the pull request to be merged into the main branch.
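The failure-threshold semantics from step 3 (High/Medium/Low limits combined with OR or AND, plus the Merge flag), as an added example that is not the Bitbucket app's own code. It assumes that each severity count is compared against its limit, that Operator joins the three comparisons, and that Merge: no is what blocks the pull request once the threshold trips; the scan result is constructed.

```python
"""Added example: evaluate a Prisma Cloud IaC failure threshold for a pull request.

Illustrative code, not the Bitbucket app's implementation. Assumed semantics:
x/y/z are per-severity limits, O joins the three comparisons with OR or AND,
and the pull request is blocked when the threshold trips and Merge is NO.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class FailureThreshold:
    high: int      # x: High-severity issues allowed before the check trips
    medium: int    # y: Medium-severity issues allowed
    low: int       # z: Low-severity issues allowed
    operator: str  # O: "OR" or "AND"
    merge: bool    # m: True = merge still allowed when the threshold trips (assumed)

def exceeds_threshold(found: dict, t: FailureThreshold) -> bool:
    """Return True when the scan counts trip the threshold.

    `found` maps "high"/"medium"/"low" to the number of violations reported.
    Each severity is compared against its limit; the operator decides whether
    one comparison (OR) or all three (AND) must hold.
    """
    checks = [
        found.get("high", 0) > t.high,
        found.get("medium", 0) > t.medium,
        found.get("low", 0) > t.low,
    ]
    op = t.operator.upper()
    if op == "OR":
        return any(checks)
    if op == "AND":
        return all(checks)
    raise ValueError(f"unknown operator {t.operator!r}")

def pull_request_blocked(found: dict, t: FailureThreshold) -> bool:
    """The pull request is blocked when the threshold trips and Merge is NO."""
    return exceeds_threshold(found, t) and not t.merge

# The two configurations the page gives as examples.
FAIL_ON_ANY = FailureThreshold(high=0, medium=0, low=0, operator="OR", merge=False)
NEVER_FAIL = FailureThreshold(high=1000, medium=1000, low=1000, operator="AND", merge=True)

# Constructed sample scan result: no high, one medium, three low findings.
SAMPLE_SCAN = {"high": 0, "medium": 1, "low": 3}

if __name__ == "__main__":
    print("fail-on-any blocks PR:", pull_request_blocked(SAMPLE_SCAN, FAIL_ON_ANY))  # True
    print("never-fail blocks PR:", pull_request_blocked(SAMPLE_SCAN, NEVER_FAIL))   # False
```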
