Snyk and Bitbucket best practices cheat sheet
As the partnership between Snyk and Atlassian continues to grow, we decided to put together a best practices cheat sheet to help you make the most of our integration with Bitbucket. This will help you use Bitbucket more securely to manage and store your code, as well as continuously monitor your code and dependencies for potential vulnerabilities using Snyk.
Here are the seven best practices we’ll discuss in this post:
- Never store credentials in code or configs on Bitbucket
- Remove sensitive data
- Tightly control access
- Add a SECURITY.md file
- Validate Bitbucket apps
- Get security tips as part of your workflow with code insights
- Add security testing to pull requests
1. Never store credentials in code or configs in Bitbucket
Storing passwords, API keys, or other credentials in publicly accessible code leaves your application and organization vulnerable. That’s why you need to implement measures to avoid pushing credentials into your Bitbucket repositories in the first place.
By breaking builds when necessary to prevent the code from being pushed to Bitbucket, the git-secrets-scan pipeline can block sensitive data from ever being published. This tool works by scanning your files for hardcoded data and flagging this via a security report.
You can also audit for slipped secrets using truffleHog, which scans through Git repositories — including the commit history and branches — to find secrets. A pre-commit hook can also prevent developers from pushing a certain set of secrets.
Finally, you can connect to a secrets manager like Hashicorp Vault using the Vault Secrets export pipeline, which automatically fetches secrets from the HashiCorp vault when needed instead of saving them to the repository.
2. Remove sensitive data
Similar to the last tip, it’s crucial to remove any sensitive data from your code stored in Bitbucket. You’ll want to invalidate any tokens or passwords that have already been published because they have potentially been stolen by unwanted third parties.
In addition, you should clear the Git history and force push the rewritten history. Once you’ve invalidated any secrets and cleared the Git history, you’ll want to assess the impact of any private information that may have leaked.
Adaptivist ScriptRunner can make these tasks easier by automating secrets management.
3. Tightly control access
Many security failures are due to human errors and incorrect decisions, so it’s important to implement strong access controls. With just a few simple configurations, you can mitigate the risk of unauthorized users accessing your code in BitBucket.
Strong access controls include:
- Requiring two-factor authentication for all Bitbucket accounts adds an extra layer of security by adding a second step.
- Never letting developers share accounts reinforces least-privilege and need-to-know policies as good security practices.
- Properly securing physical devices with access to source code protects your assets in the case of theft.
- Revoking Bitbucket access from users that no longer work for the company is vital for protecting your intellectual property.
4. Add a SECURITY.md file
Using a SECURITY.md file is a way to disclose important security-related information about your project to future contributors or maintainers. This file should include:
- Disclosure policy: The process for reporting security issues, including who to contact, where to reach them, and what information to provide.
- Security update policy: How the project will inform users about newly discovered vulnerabilities and their potential impact.
- Security-related configuration: The recommended settings project users should choose when using the code, such as HTTPS, an authorization layer, or protocols for resetting passwords.
- Known security gaps and future enhancements: These are security improvements that have not been addressed yet, indicating risk areas that project users will need to mitigate themselves.
5. Validate Bitbucket apps
Because Bitbucket apps are written by third parties, it’s important to validate that they’re safe to use. First, you should confirm that the access rights of the application will prevent unwanted users from accessing your code by only allowing the level of access necessary. This also includes removing or disabling apps that are no longer being used.
You’ll also want to verify the credibility of the app’s creator, whether it’s a single author or an entire organization. It’s important to remember that you’re only as secure as your weakest link, so it’s crucial to choose apps built by trustworthy developers.
Finally, you’ll want to evaluate the security posture of the Bitbucket app itself. If its security measures are inadequate, a breach can give attackers access to your code. By regularly auditing the apps you’re using, you can ensure they’re still necessary and secure.
6. Get security tips as part of your workflow with code insights
Snyk’s integration with Bitbucket can scan your pull requests to prevent you from introducing new vulnerabilities. Snyk provides detailed in-line annotations directly within the pull request that corresponds with the potential vulnerability, enabling developers to make immediate, informed decisions.
Besides dependency vulnerability information, Snyk provides suggested upgrades for remediation and other actionable tips to mitigate issues based on the Snyk Intel Vulnerability Database.
7. Add security testing to pull requests
Bitbucket hooks are a way to trigger code scans for each pull request to check code quality and security. For example, you can use webhooks to detect bugs and code smells with SonarCloud and you can automate code reviews using Code Climate.
Using Bitbucket hooks, Snyk can scan each pull request to discover vulnerabilities or license issues as part of your natural development workflow. This ensures development teams will get the security insights they need as early as possible.
Log in to Bitbucket
When you log in to Bitbucket, visit the security tab to install the free 30-day Snyk trial to see risks that exist in your dependency files, code base, and container images.