Mobb can be integrated into any CI/CD platform of your choice. This guide will demonstrate the integration process with Bitbucket Pipeline.
Setting up environment variables
In your bitbucket environment, first go to your repository, followed by Repository Settings -> Repository Variables.
In this sample integration, we are using Snyk as our SAST tool, however, you may use any SAST report that Mobb supports. See system requirements for more details on the SAST tools Mobb support today.
SNYK_API_TOKEN - Snyk's API token. Click here to find out how to generate one.
MOBB_API_TOKEN - Mobb's API Token. Click here to find out how to generate one.
BITBUCKET_ACCESS_TOKEN - Your Bitbucket's Access Token. Click here to find out how to generate one. Ensure you have at least repository: write access.
Creating the Bitbucket Pipeline
The next step is to configure your Bitbucket Pipeline. To create a new pipeline, go to your repository and select Pipelines. Click Click Create your first pipeline to scroll down to the template section.
Click on Starter pipeline.
Insert the following YAML:
# Mobb/Snyk Fixer on pull requests in Bitbucket
# This pipeline defines the needed steps to run Snyk Code on every pull request and pass the results to Mobb Fixer.
#
# SNYK_API_TOKEN - your Snyk user credentials (find how to get it here: https://docs.snyk.io/getting-started/how-to-obtain-and-authenticate-with-your-snyk-api-token)
# MOBB_API_TOKEN - your Mobb user credentials (automatically set if you forked this repo via the Mobb app)
# BITBUCKET_ACCESS_TOKEN- your Bitbucket Access Token (Ensure you have write access for repository)
image: node:18
pipelines:
pull-requests:
'**':
- step:
name: Scan with Snyk and Fix with Mobb Auto-PR
caches:
- node
script:
- npx snyk auth $SNYK_API_TOKEN
- npx snyk code test --sarif-file-output=report.json || true
- pipe: atlassian/bitbucket-upload-file:0.7.3
variables:
FILENAME: 'report.json'
BITBUCKET_ACCESS_TOKEN: $BITBUCKET_ACCESS_TOKEN
artifacts:
- report.json
- step:
name: Run Mobb on the findings and get fixes
script:
- # Setting up the repoURL. Convert http to https
- repoURL=$BITBUCKET_GIT_HTTP_ORIGIN
- |
if [[ $BITBUCKET_GIT_HTTP_ORIGIN =~ ^http:// ]]; then
repoURL=${BITBUCKET_GIT_HTTP_ORIGIN/http:/https:}
fi
echo "repoURL: $repoURL"
- mobbLink=$(npx mobbdev@latest analyze -f report.json -r $repoURL --ref $BITBUCKET_BRANCH --api-key $MOBB_API_TOKEN --ci)
- echo "Mobblink:" $mobbLink
- # Output the Mobb Link as a Report in the Bitbucket Pipeline
- |
curl --request PUT "https://api.bitbucket.org/2.0/repositories/$BITBUCKET_WORKSPACE/$BITBUCKET_REPO_SLUG/commit/$BITBUCKET_COMMIT/reports/mobb-001" \
--header "Authorization: Bearer $BITBUCKET_ACCESS_TOKEN" \
--header 'Content-Type: application/json' \
--data-raw '{
"title": "Mobb Report",
"UUID": "73214fbb-5d24-4265-a311-50447c8a785d",
"details": "Click the link above to access the Mobb Link.",
"report_type": "SECURITY",
"reporter": "mobb",
"link": "'"$mobbLink"'",
"result": "PASSED",
"remote_link_enabled": true
}'
You are now fully configured to run Snyk on every pull request and provide the SAST report to Mobb to generate fixes.
Viewing the Mobb Report Link
The YAML is configured to publish the Mobb report link to the Report section of your pipeline. To view your Mobb report link, first go to Pipelines. Look for the Reports link as shown:
After the Report list opens, look for Mobb report on the left hand side, then click on the Mobb Report link.
This will effectively take you to the relevant Mobb report which you can proceed to commit the fixes back into your Bitbucket repository.
