Close
View this page in your language?
All languages
Choose your language

Articles

DevOps principles
Back
Overview
History of DevOps
Benefits of DevOps
DevOps culture
DevOps best practices
DevOps vs. Agile
DevOps engineer
YBIYRI: Challenges and Best Practices
How to do DevOps
How Atlassian does operational readiness
DevOps frameworks
Back
Overview
CALMS framework
Team topologies
Team structure
DevOps metrics
DORA metrics
Private cloud
Public cloud
Deployment automation
SRE vs DevOps
DevOps tools
Back
Overview
DevOps Toolchain: Key Considerations | Atlassian
DevOps monitoring
DevOps pipeline
DevSecOps tools
Test automation
CI/CD tools

Tutorials

Automation
Back
Overview
Rule on pullrequest merge
Rule to transition issues
Rules that automatically sync Statuspage
Rule on pullrequest approval
Testing
Back
Overview
Automated tests in Jira with Xray
Create and manage test cases with Xray and Jira
Create a Jira issue from an automated mabl test
Track your team’s progress in Jira and Zephyr
Security
Back
Overview
How Snyk and Bitbucket Cloud enable DevSecOps
Achieve DevSecOps with Bitbucket Pipelines and Snyk Pipe
Observability
Back
Overview
Jira and Sentry application monitoring
Jira Dynatrace integration tutorial
Jira Dynatrace issue tutorial
Integrate Jira and Datadog
Feature Flagging
Back
Overview
LaunchDarkly for Jira
Split and Jira
Continuous Delivery
Back
Overview
JFrog and Jira
Harness Jira Integration Tutorial
Enable GitLab deployments in Jira
Continuous Integration Tutorial
Continuous Delivery Tutorial
Continuous Deployment Tutorial
Tips for scripting tasks with Bitbucket Pipelines
Integration Testing Tutorial

Interactive Guides

Demo Atlassian Open DevOps
Back
Overview
Atlassian ImageLabeller
Jira integration with CI/CD
Setup the AWS SageMaker pre-trained model
Deploy ImageLabeller
Back
Overview
Deploy ImageLabeller with Bitbucket
Deploy ImageLabeller with GitHub
Deploy ImageLabeller with GitLab
Monitor ImageLabeller
Back
Overview
Monitor with Opsgenie
Deploy AWS CloudWatch alarms with Bitbucket
Deploy AWS CloudWatch alarms with GitHub
Deploy AWS CloudWatch alarms with GitLab
Third-party integrations
Back
Overview
Integrate Snyk into Atlassian Open DevOps
Using Launch Darkly feature flags with Bitbucket pipelines
Using Split feature flags with Bitbucket pipelines
Building with Atlassian APIs
Back
Overview
Integrating Concourse-CI and Open DevOps

Integrate Snyk into Atlassian Open DevOps

Warren Marusiak headshot
Warren Marusiak

Senior Technical Evangelist

To demonstrate how to develop, deploy, and manage applications using Jira Software and various connected tools, our team created ImageLabeller, a simple demo application built on AWS that uses machine learning to apply labels to images.

This page covers how to integrate Snyk with Bitbucket. Before you begin, we recommend reading the Introduction to ImageLabeller page for context.

Connecting Bitbucket and Snyk

There are a couple of ways to work with Snyk in Bitbucket. The first is to enable the native Snyk integration to Bitbucket via the Security tab on your repository screen. The second is to add a Snyk step to a bitbucket-pipelines.yml file. There is no downside to doing both. The Synk integration in Bitbucket provides quick access to vulnerability data to anyone looking at the repository in Bitbucket. You can then click through to the Snyk website for additional information on each vulnerability found. The Snyk step in a bitbucket-pipelines.yml file enables automatic scanning on every commit in a pipeline.

Adding the Snyk integration to Bitbucket

To add Snyk to a Bitbucket repository click on the Security tab, find the Snyk integration, then Try now.

Adding Snyk integration to Bitbucket image

Grant access, and click Connect Bitbucket with Snyk.

Connect Bitbucket to Snyk

Once the integration is setup, close the tab.

Successful integration guide

Click on the new Snyk option that appears in the left nav. Then click on the go.mod file to drill in to see more detailed information. The Golang repository uses go modules to manage dependencies in this example. For other kinds of repositories, there will be different dependency files.

Snyk screen

To learn more about how to fix each vulnerability, click visit Snyk to go to the Snyk website.

visit snyk

This view on the Snyk app is similar to the detail screen rendered in Bitbucket. This screen shows a list of vulnerabilities, along with additional information on each vulnerability.

Snyk website screentshot

Below is an example of a vulnerability report in Snyk. A hierarchy of where the vulnerability comes from is shown in the Detailed paths section. In the example below, you can see that SubmitImage inherits this vulnerability from the AWS Golang SDK. Snyk summarizes the status of all issues on the left. in this case, none of the issues are fixable. Notice there are five No fix available issues under Fixability. This means that there is no current mitigation available for these issues. Developers can monitor the integration, and apply fixes as soon as they are available.

Vulnerability Details screenshot

Add a Snyk step to bitbucket-pipelines.yml

In addition to accessing Snyk via the Bitbucket user interface, Snyk functionality can be accessed via Bitbucket pipelines by adding steps to bitbucket-pipelines.yml files. This means that vulnerability scanning will take place automatically on every commit and alert you of any security vulnerabilities.

Below are two bitbucket-pipelines.yml snippets for running Snyk tests as part of a pipeline.

Adding Snyk to Bitbucket pipelines for Golang

This example illustrates how to run snyk test for a Golang project using Go modules for dependency management.

definitions:
  steps:
    -step: &runsnyktest
        name: run snyk test
        image: snyk/snyk:golang
        script:
          - snyk auth $SNYK_TOKEN
          - cd submitImage
          - go mod graph
          - snyk test
pipelines:
  default:
    - step: *runsnyktest

Adding Snyk to Bitbucket pipelines for Python

This example illustrates how to run snyk test for a Python project using Pip for dependency management.

definitions:
  steps:
    -step: &runsnyktest
        name: run snyk test
        image: snyk/snyk:python
        script:
          - snyk auth $SNYK_TOKEN
          - cd src
          - snyk test --skip-unresolved
          - cd ../tst
          - snyk test --skip-unresolved
pipelines:
  default:
    - step: *runsnyktest

Here is what this looks like when the runsnyktest step is run in a Bitbucket pipeline.

runsnyktest step in Bitbucket pipeline

In conclusion...

The practice of integrating security into your CI/CD pipeline is a core tenet of DevSecOps. DevSecOps advocates that security should be applied to each phase of the typical DevOps pipeline: plan, code, build, test, release, and deploy. By incorporating security into your workflow, it becomes an active, integrated part of the development process vs an afterthought. This means safer apps, fewer incidents, and happier customers.

Warren Marusiak
Warren Marusiak

Warren is a Canadian developer from Vancouver, BC with over 10 years of experience. He came to Atlassian from AWS in January of 2021.

Share this article
Next Topic
Using Launch Darkly feature flags with Bitbucket pipelines

Recommended reading

Bookmark these resources to learn about types of DevOps teams, or for ongoing updates about DevOps at Atlassian.

Devops illustration

DevOps community

Learn more
Devops illustration

DevOps learning path

Learn more
Map illustration

Get started for free

Learn more

Sign up for our DevOps newsletter

Thank you for signing up