Skip to main content

Add a Bitbucket repository to Semgrep Managed Scans

Add Bitbucket repositories to your Semgrep organization in bulk without adding or changing your existing CI workflows through Managed Scans.

Prerequisites and permissions

Semgrep Managed Scanning requires one of the following plans:

  • Bitbucket Cloud Premium
  • Bitbucket Data Center

Bitbucket Cloud

You must provide a Bitbucket workspace access token to Semgrep, which can be created by a user with the Product Admin role. Once you have Managed Scanning fully configured, you can update the token provided to Semgrep to one that's more restrictive. The scopes you must assign to the token include:

  • webhook (read and write)
  • repository (read and write)
  • pullrequest (read and write)
  • project (admin)
  • account (read)

See Pre-deployment checklist > Permissions for more information about the permissions used by Semgrep.

Bitbucket Data Center

You must provide a Bitbucket HTTP access token to Semgrep, which can be created by a user with the Product Admin role. This access token must be created with with PROJECT_ADMIN permissions.

See Pre-deployment checklist > Permissions for more information about the permissions used by Semgrep.

Enable Managed Scanning and scan your first repository

  1. In Semgrep AppSec Platform, click Projects.
  2. Click Scan new project > Semgrep Managed Scan.
  3. Click Manage Connections and then + Connect more.
  4. Select Bitbucket.
  5. In the Set up Managed Scans page that appears, provide the information needed by Semgrep to connect to your Bitbucket project:
    1. Select Bitbucket or Bitbucket Data Center.
    2. Provide your Access token.
    3. Provide the name of your Bitbucket workspace.
    4. For Bitbucket Data Center users only: provide the Bitbucket Data Center URL.
    5. Click Connect.
  6. Repeat the steps above for each additional Bitbucket workspace you'd like added to Semgrep.

You have finished setting up a Semgrep managed scan.

  • After enabling Managed Scans, Semgrep performs a full scan in batches on all the repositories.
  • Once a repository has been added to Semgrep AppSec Platform, it becomes a project. A project in Semgrep AppSec Platform includes all the findings, history, and scan metadata of that repository.
  • Projects scanned through Managed Scans are tagged with managed-scan.

Add additional Bitbucket projects

You can enable managed scanning for additional repositories after onboarding using the following steps:

  1. In Semgrep AppSec Platform, click Projects.
  2. Click Scan new project > Semgrep Managed Scan.
  3. In the Enable Managed Scans for repos page, select the repositories you want to add to Semgrep Managed Scans.
    1. Optional: If you don't see the repository you want to add, click Can't find your project? and follow the troubleshooting steps provided.
  4. Select the repositories you want to scan from the list.
  5. Click Enable Managed Scans. The Enable Managed Scans dialog appears. By default, Semgrep runs both full and diff-aware scans.
  6. Optional: Disable PR or MR diff-aware scans by turning off the Enable PR/MR scans toggle. Enable Managed Scans dialog
  7. Click Enable.

If the page doesn't display any repositories

  1. Ensure that you've connected your Bitbucket account by following the steps in Connect a source code manager and confirm the workspace access token is created with the required scopes listed above with the Product Admin role.
  2. In Semgrep AppSec Platform, click Projects.
  3. If the page doesn't display the repository you want to add, click Can't find your project? > Sync projects.
  4. If the page doesn't display any repositories, click Sync projects.
  5. Optional: Perform a hard refresh (Ctrl+F5 or Cmd+Shift+R).

Convert or migrate an existing Semgrep CI job

You can immediately add any existing project to Managed Scans.

  1. Follow the steps in Add a repository.
  2. Delete the bitbucket-pipelines.yml file in your Bitbucket repository if appropriate.

If you plan to continue running some scans in Bitbucket CI/CD Pipelines (for example, using Managed Scans to run weekly full scans but Bitbucket CI/CD Pipelines for diff-aware scans) you can leave the workflow file in place, and edit it to reflect your desired configuration.

tip

Semgrep preserves your findings, scans, and triage history.

Scan management and configuration

Manually run a full scan

  1. In Semgrep AppSec Platform, click Projects.
  2. Search for your repository's name.
  3. Click the gear icon to access the settings page for that repository.
  4. Click Run a new scan.

Disable diff-aware scans on PRs

  1. In Semgrep AppSec Platform, click Projects.
  2. Search for your repository's name.
  3. Click the window icon under Details to access the settings page for that repository.
  4. Click the toggle for diff-aware scans.

Delete a project

  1. In Semgrep AppSec Platform, click Projects.
  2. Search for your repository's name.
  3. Click the window icon under Details to access the settings page for that repository.
  4. Click the dropdown at the header and click Delete project.

Disable webhooks

Managed scanning of Bitbucket projects requires webhooks. The webhooks are enabled by default when you add Bitbucket as a source code manager when setting up Managed Scanning. You can disable webhooks at any time by following these steps:

  1. In Semgrep AppSec Platform, go to Settings > Source code managers.
  2. Find your Bitbucket connection, and click the toggle to disable Incoming webhooks.

Revoke Semgrep's access to your repositories

The following steps revoke the code access you previously granted Semgrep for all repositories you selected.

  1. In Semgrep AppSec Platform, click Settings > Source Code Managers.
  2. On the entry of the SCM you want to remove, click Remove app.
  3. Click Remove to confirm.

Turn off Managed Scans for specific repositories in Semgrep AppSec Platform

  1. Sign in to Semgrep AppSec Platform.
  2. Go to Projects and find the project you no longer want scanned with Semgrep Managed Scanning. Click the project's Details page > Settings tab.
  3. Toggle the switch for Managed diff scans to turn off scans of new pull and merge requests and Managed full scans to turn off full scans of the base branch. Semgrep AppSec Platform toggles to turn off managed scans of repositories

Appendices

Scan logs

Most recent scan

You can view logs for your most recent scan by clicking Projects > the project's latest scan time under Scan status.

Click the project's latest scan to view the log Figure. The Projects page. Click the project's latest scan (underlined) to view the log.

info

It can take a few minutes for your latest scan's logs to appear. However, if the logs do not update 15 minutes after the scan, there may be issues with the scan itself.

All scans

  1. Click the project's Details page > Scans tab.
  2. Click the scroll icon under Logs to view the log for the particular entry.

Scan statistics

Scan statistics, such as how many of your repositories are being scanned, the scan success rate, and so on, can be provided once a week upon request. Contact your Semgrep account manager to request scan statistics.

Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.