Snyk Bitbucket Data Center/Server integration
Feature availability This feature is available with Enterprise plans. See pricing plans for more details.
The Snyk Bitbucket Data Center/Server integration allows you to continuously perform security scanning across all the integrated repositories, detect vulnerabilities in your open-source components, and use automated fixing. This integration supports Bitbucket Data Center/Server versions 4.0 and above.
For a quick reference, see the Snyk and Bitbucket best practices cheat sheet on the Snyk blog.
How to set up a Bitbucket DC/Server Integration
To give Snyk access to your Bitbucket DC/Server account, set up a dedicated service account in Bitbucket DC/Server with admin permissions. Visit Bitbucket Server documentation to learn more about creating users. Ensure the newly-created user has Admin permissions to all the repositories you need to monitor with Snyk.
In Snyk, navigate to the Integrations page and click on the Bitbucket Server card.
Enter your Bitbucket DC/Server URL and the username and password for the service account you created. Alternatively, you can create a personal access token and use it instead of a password.
Save your changes. Snyk connects to your Bitbucket DC/Server instance. When the connection succeeds, a confirmation message appears on your integrations screen.
How to import Bitbucket Server repositories
To select the repositories for Snyk to monitor:
Click Add your Bitbucket Server repositories to Snyk to start importing repositories to Snyk.
When prompted, select the repositories to import to Snyk and click Add selected repositories.
After they are added, Snyk scans the selected repositories for dependency files in the entire directory tree, (that is, package.json, pom.xml, and so on) and imports them to Snyk as projects.
The imported projects appear on your Snyk Projects page and are continuously checked for vulnerabilities.
Bitbucket DC/Server Integration Features
After the integration is in place, you can use capabilities such as:
Project-level security reports
Snyk produces advanced security reports that let you explore the vulnerabilities found in your repositories and fix them immediately by opening a fix pull request directly to your repository with the required upgrades or patches.
The example that follows shows a Project-level security report.
Project monitoring and automatic fix pull requests
Snyk scans your Projects on either a daily or a weekly basis. When new vulnerabilities are found, Snyk notifies you by email and by opening automated Snyk pull requests with fixes for your repositories.
The example that follows shows a fix pull request opened by Snyk.
To review and adjust the automatic fix pull request settings:
In Snyk, navigate to Organization settings > Integrations > Source control > Bitbucket Server, and click Edit Settings.
Scroll to the Automatic fix PRs section and configure the relevant options.
Snyk pull requests are automatically assigned to the default reviewer set in your Bitbucket Server/Data Center account.
Unlike manual pull requests opened from the Bitbucket interface, for the Snyk Bitbucket Cloud integration, Snyk pull requests are not automatically assigned to the default reviewer set in your Bitbucket Cloud account.
For more information, see Automated pull request creation for new fixes.
Pull request tests
Snyk Code PR Checks are only available for Bitbucket DC/Server versions 7.0 and above
Snyk tests any newly created pull request in your repositories for security vulnerabilities and sends a build check to Bitbucket DC/Server. You can see directly from Bitbucket DC/Server whether or not the pull request introduces new security issues.
The example that follows shows a Snyk pull request build check on the Bitbucket DC/Server Pull Request page.
To review and adjust the pull request tests settings:
In Snyk, navigate to Organization settings > Integrations > Source control > Bitbucket Server and click Edit Settings.
Scroll to Default Snyk test for pull requests > Open Source Security & Licenses, and configure the relevant options.
Required permissions scope for the Bitbucket DC/Server integration
Snyk performs all the Bitbucket DC/Server operations on behalf of the integrated service account.
For Snyk to perform the required operations on monitored repositories, such as reading manifest files on a frequent basis and opening fix or upgrade PRs, the integrated Bitbucket DC/Server service account needs Admin permissions on the imported repositories.
Admin permissions are also needed to set secure webhooks. Snyk relies on webhooks to perform a variety of tasks, from PR checks, to commit tests upon merge events, and upcoming auto imports. To ensure the events come from your system and your system only, with no tampering or spoofing, we secure the webhooks using the recommended method shared by the systems we are connecting to. For Bitbucket Server, please see this link. To do this, a secret token is generated for each secure webhook we create. Snyk setting the webhooks resolves scalability constraints, eliminates token leakage, and reduces the integration workload for you.
Action | Purpose | Required permissions on the repository |
Daily / weekly tests | Used to read manifest files in private repositories. | Write or above |
Snyk tests on pull requests | Used to send pull request status checks when a new PR is created or an existing PR is updated. | Write or above |
Opening fix and upgrade pull requests | Used to create fix PRs in monitored repositories. | Write or above |
Snyk tests on pull requests - initial configuration | Used to add SCM webhooks to the imported repos. Snyk uses these webhooks to:
| Admin |
How to disconnect the Bitbucket Data Center/Server integration
When you disconnect Snyk from your Bitbucket repository projects, your credentials are removed from Snyk, and any integration-specific projects that Snyk is monitoring are deactivated in Snyk. To re-enable this integration later, you must re-enter your credentials and activate your Projects.
To disable this integration, in Organization settings > Integrations, follow these steps:
In your list of integrations, select the Bitbucket integration you want to deactivate and click Edit settings to open a page with the current status of your integration. The page includes sections specific to each integration, where you can manage your credentials, API key, Service Principal, or connection details.
Scroll to the relevant section and click Remove Bitbucket Server.
Migration from Bitbucket Server to Bitbucket Data Center
Usually, migrating from Bitbucket Server to Bitbucket Data Center requires no further action. The Snyk integration should keep working as Bitbucket Server and Bitbucket Data Center APIs are identical.
Action is required only when the new Bitbucket Data Center instance URL differs from the Bitbucket Server instance URL. In this case, you must reconnect the integration from the Bitbucket Server-Bitbucket Data Center integration page in Snyk.io. To reconnect, follow the steps in How to set up a Bitbucket DC/Server Integration.
Last updated
