Set up Jenkins Freestyle projects for Bitbucket repositories
Requirements
Ensure you have set up triggering events from Bitbucket to Jenkins.
Create a Jenkins Freestyle project
- From the Jenkins Dashboard, click New Item.
- Type a project name and select Freestyle project. Click OK.
- On the General page, go to the Source Code Management section. Select Git. Add your Bitbucket Repository URL, select the Credentials needed to check out sources, and select the Branches to build.
- In the Build Triggers section, click Build with Bitbucket Push and Pull Request Plugin.
- In Triggers > Select an Action, select Created, Updated, and Push.
- In the Build environment section, declare the SEMGREP_APP_TOKEN by selecting Use secret text or file. Set Variable to SEMGREP_APP_TOKEN and Credentials > Specific credentials to the defined credential for the Semgrep token. Click Add to save your changes.
Ensure that you have defined SEMGREP_APP_TOKEN as a credential in Jenkins.
Run full scans
In the Build Steps section, add an Execute Shell step with the logic below:
#!/bin/bash
REPO_URL="$GIT_URL"
# Derive "workspace/repo" from the clone URL, dropping a trailing .git
REPO_NAME=$(echo "$GIT_URL" | awk -F'/' '{print $(NF-1)"/"$(NF)}' | sed 's/\.git$//')
docker run \
  -e SEMGREP_APP_TOKEN="$SEMGREP_APP_TOKEN" \
  -e SEMGREP_REPO_URL="$REPO_URL" \
  -e SEMGREP_REPO_NAME="$REPO_NAME" \
  -v "$(pwd):$(pwd)" --workdir "$(pwd)" \
  semgrep/semgrep semgrep ci
- The variable SEMGREP_REPO_URL links the Semgrep project and findings with the Bitbucket repository.
- The variable SEMGREP_REPO_NAME provides an accurate and meaningful name to the Semgrep project.
After adding the script, a full scan runs when you push changes to the default branch.
Run scans on pull requests (diff-aware scans)
The diff-aware scan configuration must specify a merge base to compare the PR changes against. To achieve that, set SEMGREP_BASELINE_REF to the pull request target branch, and set SEMGREP_BRANCH to the pull request source branch so that it is correctly identified. Set SEMGREP_REPO_NAME as described above for full scans, and add SEMGREP_PR_ID so Semgrep can send comments to the related PR.
One possible way to modify the shell script to include diff-aware scans is:
#!/bin/bash
BASELINE_REF="main"
BASELINE_REF_ORIGIN="origin/$BASELINE_REF"
REPO_URL="$GIT_URL"
# Derive "workspace/repo" from the clone URL, dropping a trailing .git
REPO_NAME=$(echo "$GIT_URL" | awk -F'/' '{print $(NF-1)"/"$(NF)}' | sed 's/\.git$//')
## Merge or push to primary branch
if [ "$BITBUCKET_SOURCE_BRANCH" = "$BASELINE_REF" ]; then
  docker run -e SEMGREP_APP_TOKEN="$SEMGREP_APP_TOKEN" \
    -e SEMGREP_REPO_URL="$REPO_URL" \
    -e SEMGREP_REPO_NAME="$REPO_NAME" \
    -v "$(pwd):$(pwd)" --workdir "$(pwd)" \
    semgrep/semgrep semgrep ci
## Pull request scans (guard against an empty or unset PR id so test does not error)
elif [ -n "$BITBUCKET_PULL_REQUEST_ID" ] && [ "$BITBUCKET_PULL_REQUEST_ID" -ge 0 ]; then
  git checkout "$BITBUCKET_SOURCE_BRANCH" && git pull
  # The semgrep image's default working directory is /src, so no --workdir is needed here
  docker run -e SEMGREP_APP_TOKEN="$SEMGREP_APP_TOKEN" \
    -e SEMGREP_BASELINE_REF="$BASELINE_REF_ORIGIN" \
    -e SEMGREP_REPO_URL="$REPO_URL" \
    -e SEMGREP_REPO_NAME="$REPO_NAME" \
    -e SEMGREP_BRANCH="$BITBUCKET_SOURCE_BRANCH" \
    -e SEMGREP_PR_ID="$BITBUCKET_PULL_REQUEST_ID" \
    -v "$(pwd):/src" \
    semgrep/semgrep semgrep ci
fi
- The variable SEMGREP_BASELINE_REF must be set to the default branch, which, in the example, is main.
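The following added example (not part of the Semgrep docs) wraps the value derivation from the scripts above in reusable shell functions: it builds the workspace/repo name from either an HTTPS or an SSH clone URL (the SSH forms go beyond the page's awk/sed one-liner), picks full, PR, or no scan while tolerating an empty or non-numeric BITBUCKET_PULL_REQUEST_ID, and prints the matching -e arguments for docker run. The sample URLs, the baseline branch main, and the assumption that push events leave the PR id unset are assumptions, not values from the page.

```shell
#!/bin/bash
# Added example, not from the Semgrep docs: helper functions for the
# Execute Shell step. Sample URLs and the baseline branch are assumptions.

# repo_name_from_url URL -> "workspace/repo"
# Accepts https://host/ws/repo.git, git@host:ws/repo.git and
# ssh://git@host:port/ws/repo.git (SSH forms go beyond the page's awk/sed line).
repo_name_from_url() {
  url="$1"
  path="${url##*://}"      # drop scheme, if any
  path="${path#*@}"        # drop user@, if any
  path="${path#*[:/]}"     # drop host and the ':' or '/' after it
  path="${path%/}"         # drop trailing slash
  path="${path%.git}"      # drop trailing .git
  repo="${path##*/}"       # last path component
  ws="${path%/*}"; ws="${ws##*/}"   # the component before it
  printf '%s/%s\n' "$ws" "$repo"
}

# scan_mode BASELINE_REF SOURCE_BRANCH PR_ID -> full | pr | skip
# Same branching as the page's script, but an empty or non-numeric PR id
# (assumed for plain push events) yields "skip" instead of a test error.
scan_mode() {
  baseline="$1"; src="$2"; pr_id="$3"
  if [ -n "$src" ] && [ "$src" = "$baseline" ]; then
    echo full
  elif [ -n "$pr_id" ] && [ "$pr_id" -ge 0 ] 2>/dev/null; then
    echo pr
  else
    echo skip
  fi
}

# semgrep_env_args MODE REPO_URL BASELINE_REF SOURCE_BRANCH PR_ID
# Prints one "-e NAME=value" docker argument per line; only PR mode adds
# the diff-aware variables. Use it unquoted in the docker run command, e.g.
#   docker run -e SEMGREP_APP_TOKEN="$SEMGREP_APP_TOKEN" $(semgrep_env_args ...) ...
semgrep_env_args() {
  mode="$1"; url="$2"; baseline="$3"; src="$4"; pr_id="$5"
  printf '%s\n' "-e SEMGREP_REPO_URL=$url"
  printf '%s\n' "-e SEMGREP_REPO_NAME=$(repo_name_from_url "$url")"
  if [ "$mode" = pr ]; then
    printf '%s\n' "-e SEMGREP_BASELINE_REF=origin/$baseline"
    printf '%s\n' "-e SEMGREP_BRANCH=$src"
    printf '%s\n' "-e SEMGREP_PR_ID=$pr_id"
  fi
}
```

Because the functions never call docker themselves, the file can be sourced and the scan mode checked before a job spends time on a container start; SEMGREP_APP_TOKEN is still passed separately so the secret never appears in the generated argument list.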