Bitbucket Pipelines Integration

Brakeman Pro Engine can easily be added to Bitbucket Pipelines to run scans on every push.

Credentials Setup

We recommending setting up the Brakeman Pro Engine username and password as environment variables. Not only is this good security practice, it also allows the credentials to be easily changed in the future if needed.

Bitbucket allows setting pipeline variables at either the account or repository level, depending on your needs. For most organizations, the account level will likely be most convenient so the credentials are shared across all projects.

Set env variables

There is also the option to mark the variables as “secure” so the values will not be shown after being set.

Set env variables to be secure

Pipeline Setup

Bitbucket Pipelines are configured by adding bitbucket-pipelines.yml file to the root directory of your code repository. Note that Bitbucket will walk you through the process if you are adding a new pipeline.

Example configuration, using environment variables set above:

image: ruby:2.4.0

    - step:
          - gem install brakeman-pro --source https://$BRAKEMAN_PRO_USER:$
          - brakeman-pro --exit-on-warn --quiet -f plain

Recommended Brakeman Pro options:

  • --exit-on-warn: This option is important because it will cause the build to fail if any warnings are found
  • --quiet: Removes extraneous output. If not using --quiet, --no-report-progress is recommended instead
  • --f plain: Generates the text-based report

Pipelines in Action

A code commit with Brakeman warnings will look like this in the pipeline:

Pipeline failure

Ignoring Warnings

It is common to need to ignore some warnings. Read how to ignore false positives.