Skip to main content

Snyk provides native integration for Atlassian Bitbucket Cloud security

Written by:

Sarah Conway

wordpress-sync/blog-banner-atlassian-snyk

June 15, 2021

0 mins read

We’re excited to share that we have enhanced our partnership with Atlassian. In support of this partnership, today we are releasing full availability of the new integration, which natively embeds Snyk into Bitbucket Cloud for security.

The Snyk security integration is free and easy to set up with just a few clicks inside the Bitbucket Cloud product. For the first time, developers can consume information that was previously only available inside Snyk now within Bitbucket Cloud. Snyk enables developers to see new vulnerabilities as they emerge and implement fixes early and quickly in the process.

Bringing developer-first security to Bitbucket Cloud users

As Bitbucket Cloud users increasingly use open source components and containers, they often introduce risk through open source dependencies that contain vulnerabilities and license issues. Today, around 90% of applications contain open source packages and 70% of these have at least one security flaw. Simply shifting left is not enough to manage and mitigate this risk.  

To secure cloud native applications effectively, it is crucial to shift the ownership of these application components, traditionally part of IT security, into the application security model. To achieve DevSecOps success, developers need a solution that helps them secure as they build, providing immediate insights into each open source component. This is the power of Snyk’s native integration with Bitbucket.

Find, fix and monitor vulnerabilities without leaving Bitbucket

The native Snyk integration into Bitbucket Cloud automates security to build, test, and release secure software faster and more reliably. By aligning the two solutions, Snyk empowers developers to design software with security in mind, rather than as an afterthought. 

This integration is embedded through a new Security tab inside Bitbucket. Open an existing repository or create a new one, and on the left side menu you’ll see the Security tab. From here developers can see any risks that exist in your dependency code base and container images, so you can resolve them before they reach production or your security team. Additionally, security analysts on your team get visibility into existing vulnerabilities and open source license issues, so they can better prioritize issues for resolution.

wordpress-sync/blog-bitbucket-security-tab

Developers now have a more integrated, accessible security experience directly within Bitbucket. The new integration provides:

  • Repo scanning during coding, allowing development teams to prioritize fixes during development (vs. waiting for security to flag urgent issues after shipping to production)

  • Automated pull requests within Bitbucket Cloud to fix vulnerabilities using security analysis for pull requests within Code Insights

  • Security embedded into continuous integration/continuous delivery (CI/CD) workflows via Bitbucket Pipes.

Proactive repo scanning enabled by the Security tab

Once installed in Bitbucket Cloud, the integrated Security tab becomes home to a dedicated dashboard that provides visibility into your repository’s security. Snyk scans package dependencies and Docker files, giving teams one centralized place to see all of their codebase vulnerabilities.

Within this dashboard, teams can see security insights and the total number of vulnerabilities in these repositories, grouped by a risk score of low, medium, and high. This Snyk score, which is weighted by maturity and severity, helps teams prioritize what to work on and is paired with contextual information, such as CVSS score, exploit availability and how long an exploit has been in the wild, and availability of a fix, to help you prioritize what to fix first. 

With repository scanning in the Security tab, teams can prioritize fixes during development, making security proactive instead of reactive.

wordpress-sync/blog-bitbucket-security-prioritization-1

Gain early security insight into pull requests

Snyk has also integrated into Bitbucket’s Code Insights capabilities. This allows Bitbucket Cloud users to view code quality and security issues throughout the development lifecycle. Scan on pull requests help you analyze changes to your code and gain detailed reports to show a summary of the analysis, together with annotations that help you identify and address issues more efficiently.

Snyk’s integration with Code Insights allows you to view the results of Snyk’s security scanning as part of your natural development flow. As soon as new pull requests are opened, Snyk scans them for new vulnerabilities and license issues and shows detailed annotations next to each change that introduces a new issue. This allows developers to take fast, effective, and data-informed remediation steps, all from within the Bitbucket user interface. 

Full security visibility into Bitbucket Cloud pipelines

Bitbucket Pipes allows users to customize and automate their Bitbucket CI/CD pipelines using ready-to-use tasks or “pipes.” Snyk Pipe allows Bitbucket users to add automated security testing into their CI/CD pipelines as well.

By adding just a few configuration lines into their bitbucket-pipelines.yml, developers are able to scan and monitor their dependencies for vulnerabilities automatically as part of their CI/CD workflow. If vulnerabilities are found, the Snyk Pipe gates the process according to the configuration set by the user.

Securing the CI/CD workflow

With this latest integration, the 15+ million developers are now empowered to continue to develop fast while staying secure within the Bitbucket Cloud product. And while you're securing Bitbucket Cloud with Snyk, we'd encourage you to review a list of Bitbucket security best practices.

For more information on Snyk’s various integrations for Atlassian, check out the following resources:

wordpress-sync/blog-banner-atlassian-snyk

How CISOs are Transforming their DevSecOps Strategies

500 devs to 1 security professional is the reality of today. The security pro’s role must transform into an aware, knowledgeable, supportive partner capable of empowering developers to make security decisions.