This post was written by Sarah Conway from Snyk, our marketplace partner. Find and fix security vulnerabilities faster with the Bitbucket-Snyk integration.
There are several ways you can enhance security throughout your Bitbucket workflow, without complicating it or slowing it down. From scans on Pull Requests, gating builds in CI/CD, continuous monitoring and alerting, and the coveted automated Fix Pull Requests.
This post outlines how to fit Snyk security into your Bitbucket development processes, so you save time and boost response time when managing vulnerabilities to increase your productivity.
The Snyk-Bitbucket integration makes adapting security testing to your Bitbucket workflows seamless and easy. With a focus on developers, Snyk helps you to import, test, fix and monitor your Bitbucket Cloud projects for open source and container image vulnerabilities and license compliance issues.
A closer look at vulnerabilities
Continuous monitoring and alerting
Ongoing monitoring for projects you import is another major productivity boost. You might be using a library that is stable one day, and the next a zero day vulnerability might be disclosed against it. Snyk will alert you of the new vulnerabilities via Slack, email or Jira, so you don't have to keep track of every dependency's release notes. More interestingly, when a fix becomes available to these new vulnerabilities, Snyk will send a Pull Request, which includes the fix to all of your impacted repositories. Knowing which repositories are vulnerable and submitting the fix for the developers to merge, means much less time triaging and reduces the organizational burden of security teams from chasing down the development teams.
Find and fix go hand-in-hand
Snyk not only delivers immediate insights into vulnerabilities in your open source dependencies and containers, but also makes it possible to automatically fix problems for you. With a click of a button, Snyk issues a pull request with the requisite changes to your dependencies to remove the vulnerabilities for both direct and transitive dependencies. There's no leg work involved in understanding what action is required in order to fix the vulnerabilities, and little security expertise is needed to fix vulnerabilities in your organization. With understaffed and overwhelmed security teams, when every developer is a potential fixer security at scale is achievable.
Preventing vulnerabilities in the first place
While you take the time to fix the existing vulnerabilities, Snyk also ensures you are not adding new vulnerabilities. By scanning code deltas in every pull request, Snyk can detect if the edits are adding vulnerabilities that weren't there before and prevent them from being merged. This feature can be activated immediately across all Bitbucket repositories, making it an integrated way for developers to communicate and automate your policy, compared to other industry practices such as "dependency whitelists."
Quickly see where vulnerable dependencies are being used
As Snyk connects to all your Bitbucket repositories, it builds a mapping of all the dependencies across your application portfolio, which allows security teams to see quickly where out-of-date vulnerable dependencies are being used, and even ask specific questions like "Where are we using a specific version of a specific package?".
Add automated security testing to your pipeline
Incorporating security into the pipeline gives you the option to set and enforce security policies automatically, the ability to scale security practices and to make measurable, incremental security improvements.
A dedicated Snyk pipe allows Bitbucket users to add automated security testing into their CI/CD pipelines from within the Bitbucket UI. If vulnerabilities are found, the Snyk pipe gates the process according to the configuration set by the user.
Check out this video that walks your through how to get started with Bitbucket Cloud and Snyk.
Signup for a free starter Snyk plan.