Bitbucket Secret Scan

This guide explains integrating AccuKnox Secret Scanning into your Bitbucket CI/CD Pipeline. The integration enhances code security by detecting hard-coded secrets and sensitive information in your repositories. It then uploads the results to the AccuKnox SaaS platform for further analysis and remediation.

Pre-requisites

To integrate AccuKnox Secret Scanning, ensure you have:

  • Access to Bitbucket Pipelines.

  • An active AccuKnox Platform account.

Steps for Integration

Step 1: Log in to AccuKnox

  1. Log in to the AccuKnox SaaS platform.

  2. Navigate to Settings > Tokens and generate a token to enable scan result uploads. For details on generating tokens, refer to How to Create Tokens.

Step 2: Configure CI/CD Variables

  1. Go to your Bitbucket repository settings.

  2. Add the following variables. For details on configuring variables, refer to How to Create CI/CD Variables in Bitbucket.

    • ACCUKNOX_TOKEN: Your AccuKnox API token.

    • ACCUKNOX_TENANT: Your AccuKnox tenant ID.

    • ACCUKNOX_ENDPOINT: Your AccuKnox API endpoint.

    • ACCUKNOX_LABEL: Label for scan results.

Step 3: Update the bitbucket-pipelines.yml File

Add the following secret scanning configuration to your pipeline:

pipelines:
  branches:
    secret-with-pipe:
      - step:
          name: AccuKnox Secret Scan
          script:
            - pipe: accu-knox/scan:1.0.1
              variables:
                SCAN_TYPE: SECRET
                INPUT_SOFT_FAIL: "true"
                ACCUKNOX_TOKEN: ${ACCUKNOX_TOKEN}
                ACCUKNOX_TENANT: ${ACCUKNOX_TENANT}
                ACCUKNOX_ENDPOINT: ${ACCUKNOX_ENDPOINT}
                ACCUKNOX_LABEL: ${ACCUKNOX_LABEL}

Step 4: Commit and Push Changes

  • Commit the updated bitbucket-pipelines.yml file to your repository.

  • Push the changes to trigger the pipeline.
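The page's configuration above runs the scan on a single branch with INPUT_SOFT_FAIL set to "true", which lets the pipeline continue even when secrets are found. The following is an added example, not taken from the original page or from AccuKnox, of a bitbucket-pipelines.yml that keeps that advisory behaviour on feature branches but enforces the scan on main; it assumes that INPUT_SOFT_FAIL "false" makes the step fail when findings are reported, which the page itself does not state.

```yaml
# Added example (assumption: INPUT_SOFT_FAIL "false" fails the step on findings).
# The ACCUKNOX_* values are the repository variables created in Step 2.
pipelines:
  default:
    - step:
        name: AccuKnox Secret Scan (advisory)
        script:
          - pipe: accu-knox/scan:1.0.1
            variables:
              SCAN_TYPE: SECRET
              INPUT_SOFT_FAIL: "true"    # report only; developers see findings in AccuKnox
              ACCUKNOX_TOKEN: ${ACCUKNOX_TOKEN}
              ACCUKNOX_TENANT: ${ACCUKNOX_TENANT}
              ACCUKNOX_ENDPOINT: ${ACCUKNOX_ENDPOINT}
              ACCUKNOX_LABEL: ${ACCUKNOX_LABEL}
  branches:
    main:
      - step:
          name: AccuKnox Secret Scan (enforced)
          script:
            - pipe: accu-knox/scan:1.0.1
              variables:
                SCAN_TYPE: SECRET
                INPUT_SOFT_FAIL: "false"   # assumed: a finding fails this step and blocks the build
                ACCUKNOX_TOKEN: ${ACCUKNOX_TOKEN}
                ACCUKNOX_TENANT: ${ACCUKNOX_TENANT}
                ACCUKNOX_ENDPOINT: ${ACCUKNOX_ENDPOINT}
                ACCUKNOX_LABEL: ${ACCUKNOX_LABEL}
```

Because the `default` section runs for every branch without its own entry, feature branches still get scanned and reported without being blocked, while a commit to main that introduces a secret is stopped before it is built.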

Initial CI/CD Pipeline Without AccuKnox Secret Scan

Before integrating AccuKnox Secret Scanning, your pipeline might lack any security checks for detecting hardcoded secrets, potentially exposing sensitive information.

CI/CD Pipeline After AccuKnox Secret Scan Integration

Once AccuKnox Secret Scanning is integrated into the CI/CD pipeline, every push triggers a secret scan. The scan detects hardcoded secrets and sensitive information in the code so they can be identified and remediated immediately. The findings are then sent to the AccuKnox platform; only the details of each finding are uploaded, not the secret values themselves.

View Results in AccuKnox SaaS

Step 1: Navigate to the Dashboard

Go to Issues > Findings and select Secret Scan Findings.

Step 2: Review Detected Secrets

Examine the list of identified hardcoded secrets and sensitive information.

Step 3: Resolve Findings

Create a ticket in your issue-tracking system for each finding, recommending rotating the exposed secret and using a secure secret management solution for handling secrets. Once the issue is resolved, mark it as fixed in the AccuKnox platform.

Conclusion

Integrating AccuKnox Secret Scanning into your Bitbucket pipeline provides an essential layer of security, identifying and mitigating risks early in the development lifecycle. This proactive approach ensures that sensitive information is safeguarded, contributing to a more secure codebase.