Set up webhooks to allow triggering events from Bitbucket to Jenkins
Webhooks are required to connect your Bitbucket source code manager (SCM) to Jenkins.
Prerequisites: You must install the Bitbucket Push and Pull Request plugin on your Jenkins server. This method requires that your Jenkins instance be compatible with this plugin.
1. Log in to Bitbucket, and go to your repository.
2. In your Bitbucket repository, go to Repository Settings > Webhooks > Add webhook.
3. Enter a Title for your webhook.
4. Enter the URL for your Jenkins instance using the following pattern: https://<YOUR_JENKINS_SERVER>/bitbucket-hook/.
5. Add the following Triggers:
   i. In the Repository list, select Push.
   ii. In the Pull request list, select Created and Updated.
2. From the Jenkins Dashboard, click New Item.
3. Enter a project name, select Pipeline, and click OK.
4. In the General > Triggers section, select Build with Bitbucket Push and Pull Request Plugin.
5. Create the Triggers:
   i. Click Add.
   ii. Select one of the following: Bitbucket Cloud Pull Request, Bitbucket Server Pull Request, or Push.
   iii. In Select an Action, select Created.
   iv. Click Add again, and select the same trigger as before: Bitbucket Cloud Pull Request, Bitbucket Server Pull Request, or Push.
   v. In Select an Action, select Updated.
6. Go to the Pipeline section. In Definition, select Pipeline script from SCM.
   i. In SCM, select Git.
   ii. In Repositories > Repository URL, enter your Bitbucket repository URL.
   iii. In Branch Specifier (blank for 'any'), enter the name of your main branch.
   iv. In Script Path, enter Jenkinsfile.
7. Create the Jenkinsfile in your Bitbucket repository. The file must define the logic to start:
   - Diff-aware scans if the scan is started in the context of a pull request
   - Full scans if you push changes to the main branch
The following code snippets are sample Jenkinsfiles that define both of these actions. Choose the file for your deployment based on whether you’re using Bitbucket Cloud or Bitbucket Data Center.
Bitbucket Cloud

pipeline {
    agent any
    environment {
        // Semgrep AppSec Platform token, stored as a Jenkins credential and never written in clear text
        SEMGREP_APP_TOKEN = credentials('SEMGREP_APP_TOKEN')
        // Baseline for diff-aware scans: set this to your primary or default branch
        SEMGREP_BASELINE_REF = "origin/main"
    }
    stages {
        stage('Semgrep-Scan') {
            steps {
                script {
                    // The plugin sets BITBUCKET_PULL_REQUEST_ID only on pull request builds
                    if (env.BITBUCKET_PULL_REQUEST_ID) {
                        echo "Semgrep diff scan"
                        sh '''git checkout ${BITBUCKET_PULL_REQUEST_LATEST_COMMIT_FROM_SOURCE_BRANCH}'''
                        // Fetch all branches so the baseline ref is available locally
                        sh '''git fetch origin +refs/heads/*:refs/remotes/origin/*'''
                        sh '''docker run \
                            -e SEMGREP_APP_TOKEN=$SEMGREP_APP_TOKEN \
                            -e SEMGREP_PR_ID=${BITBUCKET_PULL_REQUEST_ID} \
                            -e SEMGREP_BASELINE_REF=$SEMGREP_BASELINE_REF \
                            -v "$(pwd):$(pwd)" --workdir $(pwd) \
                            semgrep/semgrep semgrep ci'''
                    } else {
                        echo "Semgrep full scan"
                        sh '''docker run \
                            -e SEMGREP_APP_TOKEN=$SEMGREP_APP_TOKEN \
                            -v "$(pwd):$(pwd)" --workdir $(pwd) \
                            semgrep/semgrep semgrep ci'''
                    }
                }
            }
        }
    }
}

The variable SEMGREP_BASELINE_REF in the code snippet must be set to the primary or default branch, which in the example is origin/main.

Bitbucket Data Center

pipeline {
    agent any
    environment {
        // The following variable is required for a Semgrep AppSec Platform-connected scan:
        SEMGREP_APP_TOKEN = credentials('SEMGREP_APP_TOKEN')
        BITBUCKET_TOKEN = credentials('FS_BITBUCKET_TOKEN')

        // Uncomment the following line to scan changed
        // files in PRs or MRs (diff-aware scanning):
        // SEMGREP_BASELINE_REF = "${env.CHANGE_ID != null ? 'main' : ''}"

        // Troubleshooting:
        // Uncomment the following lines if Semgrep AppSec Platform > Findings Page does not create links
        // to the code that generated a finding or if you are not receiving PR or MR comments.
        // SEMGREP_JOB_URL = "${BUILD_URL}"
        // SEMGREP_COMMIT = "${GIT_COMMIT}"
        // SEMGREP_BRANCH = "${GIT_BRANCH}"
        // SEMGREP_REPO_NAME = env.GIT_URL.replaceFirst(/^https:\/\/YOUR_BITBUCKET_DATA_CENTER_URL\/scm\/(.*).git$/, '$1')
        // SEMGREP_REPO_URL = env.GIT_URL.replaceFirst(/^(https:\/\/.*?)\/scm\/(.*)\/(.*)\.git$/, '$1/projects/$2/repos/$3')
        // SEMGREP_PR_ID = "${env.CHANGE_ID != null ? env.CHANGE_ID : ''}"

        SEMGREP_APP_URL = "https://semgrep.dev"
    }
    stages {
        stage('Semgrep-Scan') {
            steps {
                sh 'pipx install semgrep'
                sh 'semgrep ci'
            }
        }
    }
}
To set up a Freestyle project to scan your Bitbucket projects with Semgrep:
4. Type a project name, select Freestyle project, and click OK.
5. Go to General > Source Code Management. Select Git. Then:
   i. Add your Bitbucket Repository URL.
   ii. Add the Credentials needed to check out your sources.
   iii. Add the Branches to build.
6. In the Triggers section, select Build with Bitbucket Push and Pull Request Plugin. Then, create the Triggers:
   i. Click Add.
   ii. Select one of the following: Bitbucket Cloud Pull Request or Bitbucket Server Pull Request.
   iii. In Select an Action, select Created.
   iv. Click Add again, and select the same trigger as before: Bitbucket Cloud Pull Request or Bitbucket Server Pull Request.
   v. In Select an Action, select Updated.
   vi. Click Add > Push.
7. Next, add your Semgrep token to the environment:
   i. In the Environment section, select Use secret text(s) or file(s).
   ii. Under Bindings, select Secret text.
   iii. Set Variable to SEMGREP_APP_TOKEN.
   iv. Under Credentials > Specific credentials, choose the defined credential for the token.
   v. Click Add to save your changes.
8. In the Build Steps section, click Add build step > Execute shell. In Command, provide one of the following scripts to run Semgrep:
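As an added example, not one of the Semgrep docs' own scripts, the following Execute shell body makes the same diff-aware versus full-scan decision as the Pipeline Jenkinsfile above, reading the plugin's BITBUCKET_PULL_REQUEST_ID and BITBUCKET_PULL_REQUEST_LATEST_COMMIT_FROM_SOURCE_BRANCH variables and the SEMGREP_APP_TOKEN binding from step 7. The origin/main baseline default, the require_token check and the BUILD_NUMBER guard are assumptions of this example, not part of the page.

```shell
#!/bin/sh
# Added example (not a script from the Semgrep docs): an Execute shell step body
# that runs a diff-aware scan on pull request builds and a full scan otherwise.
# Assumptions: the Bitbucket Push and Pull Request plugin exports
# BITBUCKET_PULL_REQUEST_ID and BITBUCKET_PULL_REQUEST_LATEST_COMMIT_FROM_SOURCE_BRANCH
# on PR builds (the variables the page's Jenkinsfile reads), SEMGREP_APP_TOKEN
# comes from the secret-text binding, and origin/main is the default branch.

set -eu   # abort on errors and unset variables; no "set -x", so the token is never echoed

: "${SEMGREP_BASELINE_REF:=origin/main}"   # baseline branch for diff-aware scans

# "diff" when the plugin supplied a PR id, "full" for pushes to the main branch.
scan_mode() {
    if [ -n "${BITBUCKET_PULL_REQUEST_ID:-}" ]; then echo diff; else echo full; fi
}

# Fail early, without printing the secret, if the Bindings step was skipped.
require_token() {
    if [ -z "${SEMGREP_APP_TOKEN:-}" ]; then
        echo "SEMGREP_APP_TOKEN is not bound; check Use secret text(s) or file(s)" >&2
        return 1
    fi
}

# Extra "-e" flags the container needs for a diff-aware scan; empty for a full scan.
semgrep_env_args() {
    if [ "$1" = diff ]; then
        printf '%s' "-e SEMGREP_PR_ID=${BITBUCKET_PULL_REQUEST_ID:-} -e SEMGREP_BASELINE_REF=${SEMGREP_BASELINE_REF}"
    fi
}

run_scan() {
    require_token
    mode=$(scan_mode)
    echo "Semgrep $mode scan"
    if [ "$mode" = diff ]; then
        # Fetch all branches so the baseline ref exists locally, then check out the PR head.
        git fetch origin '+refs/heads/*:refs/remotes/origin/*'
        git checkout "$BITBUCKET_PULL_REQUEST_LATEST_COMMIT_FROM_SOURCE_BRANCH"
    fi
    # "-e SEMGREP_APP_TOKEN" with no value passes the token through from the
    # environment, so it never appears on the docker command line or in ps output.
    # shellcheck disable=SC2046  # semgrep_env_args yields separate flags on purpose
    docker run --rm -e SEMGREP_APP_TOKEN $(semgrep_env_args "$mode") \
        -v "$(pwd):$(pwd)" --workdir "$(pwd)" \
        semgrep/semgrep semgrep ci
}

# BUILD_NUMBER is set by Jenkins for every build; outside Jenkins only the functions are defined.
if [ -n "${BUILD_NUMBER:-}" ]; then
    run_scan
fi
```

Paste the whole body into the Command field; the secret-text binding supplies SEMGREP_APP_TOKEN in the build environment, and passing it with a value-less -e keeps it out of the build log and the process list, which is the reason for preferring this form over the -e SEMGREP_APP_TOKEN=$SEMGREP_APP_TOKEN spelling.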
To ensure that Semgrep scans correctly in your Jenkins pipeline or project:
1. Commit a change to your repository, and create a pull request. This automatically runs a Semgrep diff-aware scan in Jenkins. Note that the job can fail if there are blocking findings as a result of the scan.
2. Merge the pull request to commit the changes to main. This triggers a full scan in Jenkins.