While PR analysis within Code Insights and Snyk Pipes are available to use right now, we're rolling out a native Security tab in Bitbucket Cloud. This will be a gradual rollout through the month of May so watch out for it in the left nav. We look forward to your feedback.
Even small vulnerabilities can cost a team a lot. All too frequently we see news reports of organisations that mishandled their code- and build-level security, causing customer data to be exposed. The high publicity of these mistakes proves that security is now table-stakes in the DevOps world.
Today, teams need to be able to implement a security-first mindset without slowing down their development velocity.
At Atlassian, we believe the best way to institute a security-first mindset is by making it a seamless part of your software development workflow. We're excited to announce today at Team'21 that we've partnered with Snyk, the leading app security vendor, to launch a deep security integration right within Bitbucket Cloud.
As a result of this partnership, many of Snyk's security capabilities will be embedded directly into Bitbucket Cloud so teams can get real-time visibility into any security issues in their code and containers, identify vulnerability fixes early in development, and monitor new risks post-deployment. These new capabilities will roll out over the next few weeks in May.
More than 2 million developers today already use Snyk to build securely, and soon you'll be able to anticipate potential vulnerabilities and remediate them rapidly, right inside your development workflow, wherever they appear: across your repos, PRs, or builds.
Announcing the security tab in Bitbucket Cloud, powered by Snyk
Today, around 90% of applications contain open source packages and 70% of these have at least one security flaw. Combine that with a 250% increase in open source vulnerabilities over the past 3 years, and it's clear that security is non-negotiable within the world of DevOps.
This integration with Snyk is centered around a new security tab inside Bitbucket where you'll be able to see the risks that exist in your dependency files, code base, and container images, so you can resolve them before they are escalated by your security team. Security analysts on your team will also get visibility into existing vulnerabilities and open-source license issues, so they can better prioritize what needs to get resolved.
Proactive repo scanning enabled by the Security tab
Say goodbye to your security team flagging urgent issues after shipping to production.
Once the Snyk integration is installed, the security tab becomes home to a dedicated dashboard that provides visibility into your repos' security. Snyk scans package dependencies and Dockerfiles, giving teams one centralized place to see all of their codebase vulnerabilities.
Within this dashboard, teams can see security insights and the total number of vulnerabilities in these repositories, grouped by a risk score of low, medium, and high. This Snyk score, which is weighted by maturity and severity, helps teams prioritize what to work on and is paired with contextual information and advice on how to fix these risks.
With repository scanning in the security tab, teams can prioritize fixes during development, making security proactive instead of reactive.
Improve your code security with PR scanning inside of Code Insights
Snyk is also integrated into Bitbucket's Code Insights capabilities. As a refresher, Code Insights gives users reports, annotations, and metrics to help you and your team improve code quality in the review process.
As code is pushed to a PR, Snyk can scan it for new vulnerabilities and license issues, enabling teams to fix issues throughout the entire code review process.
Bring security testing to your CI/CD with the Snyk Pipe
This partnership is rooted in our shared belief that DevSecOps is the next evolution of DevOps.
Together, we've also brought security to another development best practice: CI/CD. The Snyk Pipe in Bitbucket Pipelines makes it simple to add automated security testing into your CI/CD pipelines as well.
By adding just a few configuration lines into your bitbucket-pipelines.yml, you can scan dependencies for vulnerabilities automatically.
And if vulnerabilities are found, the Snyk Pipe gates the pipeline so the build does not proceed. Learn more about the Snyk Pipe for Bitbucket Pipelines.
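As an added example of the few configuration lines described above (not taken from the original post or from Atlassian's or Snyk's own documentation), the following bitbucket-pipelines.yml installs a Node.js project's dependencies and then runs the publicly documented snyk/snyk-scan pipe against them. The variable names follow the pipe's public README as I know it; the version tag 0.4.3 is an assumed placeholder and should be pinned to a release from the pipe's page, and SNYK_TOKEN is assumed to be stored as a secured repository variable rather than written into the file.

```yaml
# bitbucket-pipelines.yml (added example; pipe version tag is an assumption)
image: node:16

pipelines:
  default:
    - step:
        name: Install dependencies
        caches:
          - node
        script:
          # Deterministic install from package-lock.json so the scan sees the
          # exact dependency tree that will be shipped.
          - npm ci
    - step:
        name: Snyk dependency scan
        caches:
          - node
        script:
          # Assumed tag; pin to a real release listed for the snyk/snyk-scan pipe.
          - pipe: snyk/snyk-scan:0.4.3
            variables:
              # Secured repository variable; never hard-code the API token here.
              SNYK_TOKEN: $SNYK_TOKEN
              LANGUAGE: "npm"
              # Fail the step only on high (or worse) findings; lower ones are
              # still reported but do not block the build.
              SEVERITY_THRESHOLD: "high"
              # Publish findings as a Code Insights report on the pull request.
              CODE_INSIGHTS_RESULTS: "true"
              # Default behaviour: a finding above the threshold fails the step,
              # which is the gate described in the post. Set to "true" only to
              # report without blocking.
              DONT_BREAK_BUILD: "false"
              # Snapshot the dependency tree in Snyk so newly disclosed
              # vulnerabilities are flagged after deployment as well.
              MONITOR: "true"
```

With this in place the scan step fails, and the pipeline stops, whenever a dependency carries a vulnerability at or above the chosen severity threshold; lowering the threshold to "medium" or "low" widens the gate, while CODE_INSIGHTS_RESULTS keeps the same findings visible to reviewers in the PR.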
Get started today
As teams are increasingly pushed to think about security proactively (rather than reactively!), their tools will need to do the same. Together, Bitbucket Cloud and Snyk make it easy for security to be brought into every step of the development life cycle.
To summarise, with Snyk in Bitbucket Cloud you can:
1. Identify new vulnerabilities in your repo before the security team knocks on your door.
2. Find and fix vulnerabilities you're introducing with each PR.
3. Finally, scan your builds and identify redundancies with Bitbucket Pipelines.