- Set up webhooks to connect Jenkins to Bitbucket.
- Configure the Jenkins project or pipeline to run Semgrep.
Set up webhooks to allow triggering events from Bitbucket to Jenkins
Webhooks are required to connect your Bitbucket source code manager (SCM) to Jenkins.PREREQUISITESYou must install the Bitbucket Push and Pull Request plugin on your Jenkins server. This method requires that your Jenkins instance be compatible with this plugin.
1
Log in to Bitbucket, and go to your repository.
2
In your Bitbucket repository, go to Repository Settings > Webhooks > Add webhook.
3
Enter a Title for your webhook.
4
Enter the URL for your Jenkins instance using the following pattern:
https://<YOUR_JENKINS_SERVER>/bitbucket-hook/.5
Add the following Triggers:
i. In the Repository list, select Push.
ii. In the Pull request list, select Created and Updated.
i. In the Repository list, select Push.
ii. In the Pull request list, select Created and Updated.
Configure Jenkins to run Semgrep
- Pipeline
- Freestyle
1
Sign in to Jenkins.
2
From the Jenkins Dashboard click on create a New Item.
3
Enter a project name, select Pipeline option, and click OK.
4
In the General > Triggers section, select Build with BitBucket Push and Pull Request Plugin.
5
Create the Triggers:
i. Click Add.
ii. Select one of the following: Bitbucket Cloud Pull Request, Bitbucket Server Pull Request, or Push.
iii. In Select an Action, select Created.
iv. Click Add again, and select the same trigger as before: Bitbucket Cloud Pull Request, Bitbucket Server Pull Request, or Push.
v. In Select an Action, select Updated.
i. Click Add.
ii. Select one of the following: Bitbucket Cloud Pull Request, Bitbucket Server Pull Request, or Push.
iii. In Select an Action, select Created.
iv. Click Add again, and select the same trigger as before: Bitbucket Cloud Pull Request, Bitbucket Server Pull Request, or Push.
v. In Select an Action, select Updated.
6
Go to the Pipeline section. In Definition, select Pipeline script from SCM.
i. In SCM, select Git.
ii. In Repositories > Repository URL, enter your Bitbucket repository URL.
iii. In Branch Specifier (blank for ‘any’), enter the name of your main branch.
iv. In Script Path, enter
i. In SCM, select Git.
ii. In Repositories > Repository URL, enter your Bitbucket repository URL.
iii. In Branch Specifier (blank for ‘any’), enter the name of your main branch.
iv. In Script Path, enter
Jenkinsfile.7
Click Save.
Create and add the Jenkinsfile to your repository
Create the Jenkinsfile in your Bitbucket repository. The file must define the logic to start:- Diff-aware scans if the scan is started in the context of a pull request
- Full scans if you push changes to the main branch
- Bitbucket Cloud
- Bitbucket Data Center
- You must define
SEMGREP_APP_TOKENin Jenkins. You can create the required token in Semgrep AppSec Platform. - The variable
SEMGREP_BASELINE_REFin the code snippet must be set to the primary or default branch, which in the example isorigin/main.
Test the implementation
To ensure that Semgrep scans correctly in your Jenkins pipeline or project:- Commit a change to your repository, and create a pull request. This automatically runs a Semgrep diff-aware scan in Jenkins. Note that the job can fail if there are blocking findings as a result of the scan.
- Merge the pull request to commit the changes to
main. This triggers a full scan in Jenkins.