Knowledge Base

Bitbucket

Bitbucket-blue

Description

Bitbucket is a source code version control tool used by engineering teams to manage code. Integrating with Bitbucket will create an inventory of your code repos in Comply and run automations to ensure they are configured securely.

Benefits

Up-to-date asset inventory
Not all of your code repos will be in scope of your ISMS. By maintaining this list over time, you’ll be able to more quickly react to requests from auditors and customers when they are investigating your SDLC policies. Additionally, you can leverage procedures to automatically trigger processes when code repos are added or removed from Bitbucket (e.g. conduct a risk analysis when a code repo is created or remove sensitive data the code repo was utilizing after it’s removed).

Automatic SDLC monitoring and evidence
We automatically record every Pull Request merged as an event in Comply. These events are then processed by our automations and recorded as evidence that you can use in an audit. Read more about events and automations here and scroll down to see details on the events and automations provided for Bitbucket specifically.

Security

We use an OAuth application to ask for only the read-only access we need. You can review each permission we request during the install process.

Automations

AutomationDescriptionReturnsFramework Mappings
Code Repo Pull Request ApprovalEnsures that pull (merge) requests are reviewed by someone other than the author prior to merge.Comply creates an issue if a pull (merge) request was either not approved or approved by the author.ISO: A.12.1.2, A.12.1.4, A.14.2.2

SOC 2: CC3.4, CC7.1, CC8.1
Code Repo Pull Request CIEnsures code tests using continuous integration ("CI") were run and were passing prior to merge.Comply creates an issue if CI failed prior to merge.SOC 2: CC8.1

Events

Bitbucket provides Pull Request Merged events. We automatically tag each one based on the review and CI status of the Pull Request.

Review Tags:

  • Approved - The Pull Request was approved before merging.
  • Approved by Author - The Pull Request was approved only by its author.
  • Not Approved - The Pull Request was not approved before merging.

CI Tags:

  • CI Success - Bitbucket pipeline checks passed before merging.
  • CI Failure - Bitbucket pipeline checks did not pass before merging.

Setup

  1. Navigate to the Automations > Integrations Configuration section in Comply
  2. Click 'Add Integration', and select Bitbucket.
  3. Ensure you’re logged in to an Owner account on the desired Bitbucket workspace.
  4. Click Authorize.

Automatic Evidence Setup
Once you've created your integration, you will need to configure a webhook for each target repository before automated evidence of merge requests will be catalogued into Comply.

  1. Navigate to the respository that you want to enable, go to "Repositoy Settings > Webhooks" and click on "Add Webhook".

  2. Fill in the URL with https://comply-api.aptible.com/webhooks/bitbucket/callback.
    Under triggers, select "Choose from a full list of triggers" and check box next to "Pull Request > Merged".
    Click "Save".

Troubleshooting

The most common problems when setting up the integration are:

  • Installed on the incorrect Bitbucket workspace.
  • Not adding webhooks to each repository that you want to receive events for.

If you receive an error message when trying to sync your integration, please check the above items and contact [email protected] if the problem persists.

Updated about 2 years ago