This article shows you how to track Bitbucket repositories using the Tidelift Subscription. We first create a Project in Tidelift and generate an API token. We next connect Bitbucket Pipelines to the Tidelift Subscription subscriber API as a build step. Finally, we set appropriate variables in Bitbucket to keep private token information secure.
To get started, you will need:
- A Tidelift Subscription account (Start your free trial)
- An Atlassian account with a corresponding Bitbucket instance
1. Create a Project in Tidelift and generate an API token
After logging into the Tidelift Subscription dashboard, select Projects and select Track New Project. Enter your project name as it appears in Bitbucket when prompted. Select the Catalog to use or leave the default Organization Catalog.
- Close the Upload manifest files dialog to skip manually uploading manifests.
- Select the Projects actions and settings gear on the left navigation, select Get Project Key, then select Create Project Key.
- Select Create API Key next to your project.
- Copy the CI/CD usage API_KEY and note the Organization-name/project-name.
In the above example:
- Organization-name = "Katz Education"
- project-name = my-bitbucket-project
2. Connect Bitbucket Pipelines to the Tidelift Subscription subscriber API
Tidelift leverages the Bitbucket Pipelines feature to call the Tidelift Subscription service during your build process as a build step. To incorporate Tidelift into your build process:
- Copy the Tidelift Subscription integration script for Bitbucket into the root of your project folder.
- As with ANY script, please take a moment to review the integration script before running it.
- Create a bitbucket-pipelines.yml file in your repository’s root directory if it does not already exist.
- Include a step in your bitbucket-pipelines.yml named tidelift-scan to call the Tidelift Subscription integration script. The script requires the curl and jq packages. An example step is documented here: Example Bitbucket Pipeline
- Be sure to set the TL_TEAM environment variable to "team/<your-organization-name>" and TL_Project to your Tidelift Project name. Additionally, specify the manifest files for your project that you want to analyze. In the above example, line 11 specifies the project's Gemfile and Gemfile.lock.
3. Set private variables in Bitbucket for token information
- From your Bitbucket repository, select Settings > Repository variables (under Pipelines).
- Create a new variable called TL_TOKEN and paste in the token value you generated at the end of step 1. Select the Secured check-mark so that the token is masked in logs and not exposed to forks or pull requests.
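The following bitbucket-pipelines.yml is an added example that ties steps 2 and 3 together; it is not the pipeline shipped with the Tidelift integration. The script file name (tidelift-integration.sh), the way manifests are passed (as arguments), the base image, and the uppercase TL_PROJECT spelling of the variable the article calls TL_Project are assumptions; TL_TOKEN is deliberately absent from the file because it is supplied by the secured repository variable.

```yaml
# Added example bitbucket-pipelines.yml for the tidelift-scan step.
# Assumptions: a Ruby project (Gemfile/Gemfile.lock, matching the article's example),
# a Debian-based image, and an integration script named ./tidelift-integration.sh
# that takes the manifest files as arguments.
image: ruby:3.2

pipelines:
  default:
    - step:
        name: tidelift-scan
        script:
          # The integration script depends on curl and jq.
          - apt-get update && apt-get install -y curl jq
          # Identify the Tidelift team and project (step 1 of the article).
          - export TL_TEAM="team/<your-organization-name>"
          - export TL_PROJECT="my-bitbucket-project"
          # TL_TOKEN is intentionally NOT defined here: Bitbucket injects it from the
          # secured repository variable created in step 3. Never echo it in a script.
          - test -n "$TL_TOKEN" || { echo "TL_TOKEN repository variable is not set"; exit 1; }
          # Run the scan against the project's manifest files; a non-zero exit status
          # from the script fails the build, enforcing the Tidelift open source policy.
          - chmod +x ./tidelift-integration.sh
          - ./tidelift-integration.sh Gemfile Gemfile.lock
```

The TL_TOKEN presence check fails fast with a clear message if the secured variable was never created, rather than letting the script fail with an opaque authentication error.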
🙌 Woo hoo! 🙌 You have successfully configured Bitbucket to work with the Tidelift Subscription
Reviewing your scan results in Bitbucket
After the tidelift-scan step of your Pipeline executes, you will see when your builds fail or succeed. The fail or pass is determined by your Tidelift open source policy. You can see the default policy and learn how to configure this policy to meet the needs of your organization.
In the above example, John ran a build where he inadvertently added a dependency with a security vulnerability. Tidelift automatically failed the build, preventing the vulnerability from reaching production. After removing the affected dependency, his build succeeded.