
Set up Jenkins pipeline projects for Bitbucket repositories

Requirements

Ensure you have set up triggering events from Bitbucket to Jenkins.

Create a Jenkins pipeline project

  1. From the Jenkins Dashboard, click New Item.
  2. Enter a project name and select the Pipeline option. (Screenshot: filled-out item name and Pipeline option.)
  3. In the General section, select Build with Bitbucket Push and Pull Request Plugin. Depending on the plugin version, this option may instead be labelled Bitbucket Cloud Pull Request or Bitbucket Server Pull Request.
  4. In Triggers > Select an Action, select Created and Updated so that both new pull requests and pushes to existing ones trigger a build. (Screenshot: build triggers for the pipeline project.)
  5. In the Pipeline section:
    1. In Repository URL, enter the Bitbucket repository URL.
    2. In Branch Specifier, enter your main or trunk branch (master in the screenshot).
    3. In Script Path, enter the path to your Jenkinsfile. (Screenshots: Repository URL and Branch Specifier examples; Script Path example.)
  6. Create the Jenkinsfile in the Bitbucket repository. It must run a Semgrep diff scan when the build was triggered by a pull request and a Semgrep full scan when it was triggered by a push to the main branch. It can look like this:

    pipeline {
        agent any
        environment {
            // Jenkins credential holding the Semgrep App token; credentials() masks it in the console log.
            SEMGREP_APP_TOKEN = credentials('SEMGREP_APP_TOKEN')
            // Baseline for diff scans: the remote-tracking ref of the main branch.
            SEMGREP_BASELINE_REF = "origin/master"
        }
        stages {
            stage('Semgrep-Scan') {
                steps {
                    script {
                        // The Bitbucket Push and Pull Request plugin sets BITBUCKET_PULL_REQUEST_ID
                        // only for pull request events, so its presence selects the diff scan.
                        if (env.BITBUCKET_PULL_REQUEST_ID) {
                            echo "Semgrep diff scan"
                            // Fetch every branch first: the job's Branch Specifier only guarantees the
                            // main branch is present, so both the baseline ref and the PR head commit
                            // must be fetched before they can be checked out or diffed against.
                            sh '''git fetch origin +refs/heads/*:refs/remotes/origin/*'''
                            sh '''git checkout ${BITBUCKET_PULL_REQUEST_LATEST_COMMIT_FROM_SOURCE_BRANCH}'''
                            sh '''docker run \
                                -e SEMGREP_APP_TOKEN=$SEMGREP_APP_TOKEN \
                                -e SEMGREP_PR_ID=${BITBUCKET_PULL_REQUEST_ID} \
                                -e SEMGREP_BASELINE_REF=$SEMGREP_BASELINE_REF \
                                -v "$(pwd):$(pwd)" --workdir $(pwd) \
                                semgrep/semgrep semgrep ci'''
                        }
                        else {
                            echo "Semgrep full scan"
                            // No PR ID and no baseline ref: semgrep ci scans the whole checkout.
                            sh '''docker run \
                                -e SEMGREP_APP_TOKEN=$SEMGREP_APP_TOKEN \
                                -v "$(pwd):$(pwd)" --workdir $(pwd) \
                                semgrep/semgrep semgrep ci'''
                        }
                    }
                }
            }
        }
    }
Note:
  • Ensure that you have defined SEMGREP_APP_TOKEN as a credential in Jenkins. The credentials() binding masks the value in the console log, but a token passed with -e is still visible to anyone who can run docker inspect on the agent, so restrict who can log in to or run jobs on that agent.
  • SEMGREP_BASELINE_REF must point at the remote-tracking ref of the main branch (origin/master in the example); if your trunk is named differently, change both this variable and the Branch Specifier.
  • BITBUCKET_PULL_REQUEST_ID and BITBUCKET_PULL_REQUEST_LATEST_COMMIT_FROM_SOURCE_BRANCH are populated from the webhook payload by the plugin; they are only set for pull request events.
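The same diff-or-full decision can be moved out of the Jenkinsfile into a script in the repository, which is easier to test and lets you validate the webhook-supplied values before they are interpolated into a git or docker command line. The following script is an added example, not code from the Semgrep docs or from the Bitbucket plugin; the file name semgrep-scan.sh, the `run` argument that starts it, and the DRY_RUN switch are assumptions made here. It reads the same BITBUCKET_* and SEMGREP_* variables as the Jenkinsfile above and builds the same two docker invocations.

```shell
#!/bin/sh
# Added example (not Semgrep's or the plugin's code): a wrapper the Jenkinsfile
# could call with   sh './semgrep-scan.sh run'   inside the Semgrep-Scan stage.
# It picks diff vs full mode from the Bitbucket plugin's variables, rejects
# malformed webhook values before they reach a command line, and runs `semgrep ci`.
set -eu

# "diff" when the build came from a pull request (the plugin sets
# BITBUCKET_PULL_REQUEST_ID only then), otherwise "full".
scan_mode() {
  if [ -n "${BITBUCKET_PULL_REQUEST_ID:-}" ]; then echo diff; else echo full; fi
}

# Values copied out of the webhook payload are untrusted build input: insist on a
# numeric PR id and a hex commit id before using either in git or docker.
valid_pr_id() { printf '%s' "$1" | grep -Eq '^[0-9]+$'; }
valid_sha()   { printf '%s' "$1" | grep -Eq '^[0-9a-f]{7,40}$'; }

# Print the `docker run` arguments for a mode, one per line, mirroring the two
# commands in the Jenkinsfile. The caller splits on newlines only, so a workspace
# path containing spaces stays a single argument.
semgrep_docker_args() {
  mode="$1"
  token="${SEMGREP_APP_TOKEN:?SEMGREP_APP_TOKEN must be set (Jenkins credential)}"
  workdir="${WORKSPACE:-$PWD}"
  printf '%s\n' run -e "SEMGREP_APP_TOKEN=${token}"
  if [ "$mode" = diff ]; then
    valid_pr_id "${BITBUCKET_PULL_REQUEST_ID:-}" || {
      echo "refusing malformed BITBUCKET_PULL_REQUEST_ID" >&2; return 1; }
    printf '%s\n' -e "SEMGREP_PR_ID=${BITBUCKET_PULL_REQUEST_ID}" \
                  -e "SEMGREP_BASELINE_REF=${SEMGREP_BASELINE_REF:-origin/master}"
  fi
  printf '%s\n' -v "${workdir}:${workdir}" --workdir "${workdir}" \
                semgrep/semgrep semgrep ci
}

main() {
  mode="$(scan_mode)"
  echo "Semgrep ${mode} scan"
  if [ "$mode" = diff ]; then
    sha="${BITBUCKET_PULL_REQUEST_LATEST_COMMIT_FROM_SOURCE_BRANCH:-}"
    valid_sha "$sha" || { echo "refusing to check out '${sha}'" >&2; exit 1; }
    # Fetch all branches first so both the baseline ref and the PR head exist
    # locally, then check out the PR head commit reported by the plugin.
    git fetch origin '+refs/heads/*:refs/remotes/origin/*'
    git checkout --detach "$sha"
  fi
  # Split the argument list on newlines only (no globbing, no space splitting).
  set -f
  IFS='
'
  set -- $(semgrep_docker_args "$mode")
  unset IFS
  set +f
  # DRY_RUN=1 (assumed switch) prints the command instead of starting docker.
  if [ "${DRY_RUN:-0}" = 1 ]; then echo docker "$@"; else docker "$@"; fi
}

# Functions only unless invoked as `semgrep-scan.sh run`, so the file can be
# sourced by a test harness without starting a scan.
case "${1:-}" in run) main ;; esac
```

In a pull request build the plugin exports the PR id and source commit, so `sh './semgrep-scan.sh run'` performs the fetch, the checkout and the diff scan; on a push to master neither variable is set and the script falls through to the full scan, exactly as the two branches of the Jenkinsfile do. The two `valid_*` checks are the security-relevant addition: a commit id or PR number that arrives from the webhook is never passed to git or docker unless it has the expected shape.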

Test the new Jenkins pipeline project

  1. Commit a change in the repository and create a pull request. This automatically runs a Semgrep diff scan in Jenkins. (Screenshots: status view of a failed job run; console or log view of a job.) The job, and therefore the pull request build status, is marked as failed when the scan reports blocking findings, as in the example.
  2. Merge the change to master. The push triggers a Semgrep full scan in Jenkins.