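# Socket Security Bitbucket Pipelines
# Runs a Socket Security scan on every commit to any branch and on every
# pull request. The CLI reads most context (repository, branch, SHA, commit
# message, committer, default-branch status, changed files) from the git
# checkout, so the step needs only a handful of flags.
#
# NOTE(review): `:latest` is a mutable tag, so the scanner's own supply
# chain is not pinned — each run may pull different CLI code. Pin to an
# explicit release tag, or better an `@sha256:` digest, once the team has
# chosen a version to track, and bump it deliberately.
image: socketdev/cli:latest

definitions:
  steps:
    - step: &socket-scan
        name: Socket Security Scan
        script:
          # Run the Socket CLI with the minimal required parameters.
          # The CLI automatically detects from the git repository:
          # - Repository name
          # - Branch name
          # - Commit SHA
          # - Commit message
          # - Committer information
          # - Default-branch status
          # - Changed files in the commit
          #
          # The variables are quoted so a checkout path containing spaces or
          # glob characters reaches the CLI as a single argument.
          # BITBUCKET_PR_ID is only set in pull-request pipelines; 0 is the
          # fallback used for plain branch builds — confirm the CLI treats
          # 0 as "not a pull request".
          - |
            socketcli \
              --target-path "$BITBUCKET_CLONE_DIR" \
              --scm api \
              --pr-number "${BITBUCKET_PR_ID:-0}"

# Repository variables needed (set in the Bitbucket repository settings).
# Mark the token as a *Secured* variable so its value is masked in pipeline
# logs; never commit it to this file.
#   SOCKET_SECURITY_API_KEY: Your Socket Security API token

pipelines:
  # Run on all branches.
  branches:
    '**':
      - step: *socket-scan
  # Run on pull requests. Bitbucket runs pull-request pipelines in addition
  # to branch pipelines, so a push to a branch with an open PR is probably
  # scanned twice — fine for coverage, but it doubles the CLI runs.
  pull-requests:
    '**':
      - step: *socket-scan

# Optional: a more economical variant that only scans a branch commit when a
# manifest file changes. To use it, replace the `pipelines` section above
# with the following. The condition is applied to the branch pipeline only;
# pull requests are still scanned unconditionally. The non-`**/` patterns
# are root-relative, so in a monorepo manifests in subdirectories may be
# skipped — check Bitbucket's changeset glob semantics before relying on it.
#
# pipelines:
#   branches:
#     '**':
#       - step:
#           <<: *socket-scan
#           condition:
#             changesets:
#               includePaths:
#                 - "package.json"
#                 - "package-lock.json"
#                 - "yarn.lock"
#                 - "pnpm-lock.yaml"
#                 - "requirements.txt"
#                 - "Pipfile"
#                 - "Pipfile.lock"
#                 - "pyproject.toml"
#                 - "poetry.lock"
#                 - "go.mod"
#                 - "go.sum"
#                 - "Cargo.toml"
#                 - "Cargo.lock"
#                 - "composer.json"
#                 - "composer.lock"
#                 - "Gemfile"
#                 - "Gemfile.lock"
#                 - "**/*.csproj"
#                 - "**/*.fsproj"
#                 - "**/*.vbproj"
#                 - "packages.config"
#                 - "paket.dependencies"
#                 - "project.json"
#
#   pull-requests:
#     '**':
#       - step: *socket-scan

# Note: Bitbucket Pipelines doesn't have built-in SCM integration like
# GitHub Actions or GitLab CI, so we use --scm api mode which provides
# basic scanning without PR comment functionality.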