This repo contains Windows and Linux Docker images that use Python to download the SAClientUtil from HCL AppScan on Cloud and run static analysis against an application in Bitbucket Pipelines. The script also waits for the scan to complete and downloads a scan summary JSON file and a scan report. These files are all placed in a directory named "reports" so they can be saved as artifacts of the pipeline. See the bitbucket-pipelines.yml example below. Most builds can run on the Linux image, but some projects, such as .NET projects, must be built on Windows.
The pipe has 13 variables.
| Variable | Required | Description |
|---|---|---|
| API_KEY_ID | Required | The HCL AppScan on Cloud API Key ID |
| API_KEY_SECRET | Required | The HCL AppScan on Cloud API Key Secret |
| APP_ID | Required | The application Id of the app in AppScan on Cloud |
| TARGET_DIR | Required | The directory to be scanned. Place scan targets here. |
| CONFIG_FILE_PATH | Optional | Relative path from the repo root to an appscan config xml file. |
| SECRET_SCANNING | Optional | True or False. Enables or disables the secret scanning feature. |
| REPO | Optional | The Repository name. Only really used to make filenames and comments relevant. |
| BUILD_NUM | Optional | The Bitbucket build number. Used to make filenames and comments relevant. |
| SCAN_NAME | Optional | The name of the scan in AppScan on Cloud |
| DATACENTER | Optional | ASoC Datacenter to connect to: "NA" (default) or "EU", or an AppScan 360 url |
| DEBUG | Optional | If true, prints additional debug info to the log. |
| STATIC_ANALYSIS_ONLY | Optional | If true, only prepare for static analysis during IRX generation. |
| OPEN_SOURCE_ONLY | Optional | If true, only gather opensource information during IRX generation. |
**Note about specifying a config file:** providing a config file can override other settings such as TARGET_DIR or SECRET_SCANNING.
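As an added example (not code from the pipe's own ASoC.py or RunSAST.py), the check below encodes the variable contract from the table above so a pipeline step can fail fast, before a scan is submitted, on a missing key, a malformed boolean, an unknown DATACENTER or a config file that does not resolve; `validate_pipe_vars` and its messages are this example's own names.

```python
"""Pre-flight check for the pipe's input variables (added example, not pipe code).

It encodes the contract from the variable table: the four required values must
be non-empty, the boolean switches must be the strings "true" or "false",
DATACENTER must be "NA", "EU" or an AppScan 360 URL, and an optional
CONFIG_FILE_PATH must resolve to a file under the repository root.
"""
import os
import sys
from typing import Dict, List

REQUIRED = ("API_KEY_ID", "API_KEY_SECRET", "APP_ID", "TARGET_DIR")
BOOLEANS = ("SECRET_SCANNING", "DEBUG", "STATIC_ANALYSIS_ONLY", "OPEN_SOURCE_ONLY")
DATACENTERS = ("NA", "EU")


def validate_pipe_vars(env: Dict[str, str], repo_root: str = ".") -> List[str]:
    """Return a list of problems; an empty list means the variables are usable."""
    problems: List[str] = []
    for name in REQUIRED:
        if not env.get(name, "").strip():
            problems.append(f"{name} is required but is empty or unset")
    for name in BOOLEANS:
        value = env.get(name)
        if value is not None and value.strip().lower() not in ("true", "false"):
            problems.append(f"{name} must be 'true' or 'false', got {value!r}")
    dc = env.get("DATACENTER", "NA").strip()
    is_url = dc.lower().startswith(("http://", "https://"))
    if dc.upper() not in DATACENTERS and not is_url:
        problems.append(f"DATACENTER must be NA, EU or an AppScan 360 URL, got {dc!r}")
    cfg = env.get("CONFIG_FILE_PATH", "").strip()
    # The table documents the config path as relative to the repo root;
    # os.path.join leaves an absolute path (as in the Windows example) unchanged.
    if cfg and not os.path.isfile(os.path.join(repo_root, cfg)):
        problems.append(f"CONFIG_FILE_PATH {cfg!r} not found under {repo_root!r}")
    return problems


if __name__ == "__main__":
    # Run before the pipe step with the same variables exported to the environment.
    errors = validate_pipe_vars(dict(os.environ), os.environ.get("BITBUCKET_CLONE_DIR", "."))
    for err in errors:
        print("pipe variable error:", err)
    sys.exit(1 if errors else 0)
```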
The following is the bitbucket-pipelines.yml file from my demo repository that makes use of this custom pipe.
```yaml
image: gradle:6.6.0
pipelines:
  default:
    - step:
        name: Build and Test
        caches:
          - gradle
        script:
          - cd "AltoroJ 3.1.1"
          - gradle build
          - ls -la build/libs
        artifacts:
          - AltoroJ 3.1.1/build/libs/altoromutual.war
        after-script:
          - pipe: atlassian/checkstyle-report:0.3.0
    - step:
        name: ASoC SAST Scan
        script:
          # Custom Pipe to run Static Analysis via HCL AppScan on Cloud
          # View README: https://github.com/cwtravis/bitbucket-asoc-sast
          - pipe: docker://cwtravis1/bitbucket_asoc_sast:test
            variables:
              # Required Variables
              API_KEY_ID: $API_KEY_ID
              API_KEY_SECRET: $API_KEY_SECRET
              APP_ID: $APP_ID
              TARGET_DIR: $BITBUCKET_CLONE_DIR/AltoroJ 3.1.1/build/libs
              # Optional Variables
              DATACENTER: "NA"
              SECRET_SCANNING: "true"
              CONFIG_FILE_PATH: "appscan-config.xml"
              REPO: $BITBUCKET_REPO_FULL_NAME
              BUILD_NUM: $BITBUCKET_BUILD_NUMBER
              SCAN_NAME: "ASoC_SAST_BitBucket"
              DEBUG: "true"
              STATIC_ANALYSIS_ONLY: "false"
              OPEN_SOURCE_ONLY: "false"
        artifacts:
          - reports/*
```

Feel free to use my Docker images just as shown in the example pipeline above. You can also use the following commands to build your own images and push them to your Docker Hub account. Replace `<YOUR_DOCKERHUB>` with your Docker Hub username.
Build and Push the Linux Image:

```sh
git clone https://github.com/cwtravis/bitbucket-asoc-sast.git
cd bitbucket-asoc-sast/linux
docker build -t asoc_sast_linux .
docker tag asoc_sast_linux <YOUR_DOCKERHUB>/bitbucket_asoc_sast:linux
docker push <YOUR_DOCKERHUB>/bitbucket_asoc_sast:linux
```

Once your image is built, you can use it as in the example pipeline above:
```yaml
...
    - step:
        name: ASoC SAST Scan
        script:
          - pipe: docker://<YOUR_DOCKERHUB>/bitbucket_asoc_sast:linux
            variables:
              # Required Variables
              API_KEY_ID: $API_KEY_ID
              API_KEY_SECRET: $API_KEY_SECRET
              APP_ID: $ASOC_APP_ID
              DATACENTER: "NA"
              SECRET_SCANNING: "true"
              CONFIG_FILE_PATH: "appscan-config.xml"
              TARGET_DIR: $BITBUCKET_CLONE_DIR/AltoroJ 3.1.1/build/libs
              # Optional Variables
              REPO: $BITBUCKET_REPO_FULL_NAME
              BUILD_NUM: $BITBUCKET_BUILD_NUMBER
              SCAN_NAME: "HCL_ASoC_SAST"
              DEBUG: "false"
        artifacts:
          - reports/*
```

The following bitbucket-pipelines.yml builds a .NET project and runs the scan on a Windows self-hosted runner, using Docker in Windows container mode:

```yaml
# Bitbucket pipeline for .NET project running on a Windows self-hosted runner
# Includes ASoC SAST scanning via Docker (Windows container mode)
pipelines:
  default:
    - step:
        name: Build and Test (.NET on Windows)
        runs-on:
          - self.hosted
          - windows # make sure your runner has this tag
        script:
          # Restore .NET dependencies
          - dotnet restore
          # Build project
          - dotnet build --configuration Release
          # Run tests (if applicable)
          - dotnet test --no-build --verbosity normal --logger:"trx;LogFileName=TestResults.trx"
        artifacts:
          - bin/**
          - obj/**
          - TestResults/**
        after-script:
          - echo "✅ Build and tests completed successfully."
    - step:
        name: ASoC SAST Scan (Windows)
        runs-on:
          - self.hosted
          - windows
        script:
          # Tell Docker CLI to use the Windows named pipe
          - $env:DOCKER_HOST = "npipe:////./pipe/docker_engine"
          # Confirm Docker connectivity
          - docker version
          # Get absolute path to the repo directory
          - $localPath = (Resolve-Path "$env:BITBUCKET_CLONE_DIR").Path
          - Write-Host "Resolved localPath = $localPath"
          # Verify that the path actually exists
          - |
            if (-not (Test-Path $localPath)) {
              Write-Host "Path not found: $localPath"
              exit 1
            } else {
              Write-Host "Path exists: $localPath"
            }
          # Run the Windows-based ASoC SAST scan container
          - docker run --rm `
              -e API_KEY_ID=$env:API_KEY_ID `
              -e API_KEY_SECRET=$env:API_KEY_SECRET `
              -e APP_ID=$env:APP_ID `
              -e TARGET_DIR="C:\src\bin" `
              -e DATACENTER="NA" `
              -e SECRET_SCANNING="true" `
              -e CONFIG_FILE_PATH="C:\src\appscan-config.xml" `
              -e REPO=$env:BITBUCKET_REPO_FULL_NAME `
              -e BUILD_NUM=$env:BITBUCKET_BUILD_NUMBER `
              -e SCAN_NAME="ASoC_SAST_BitBucket" `
              -e DEBUG="true" `
              -e STATIC_ANALYSIS_ONLY="false" `
              -e OPEN_SOURCE_ONLY="false" `
              -v "${localPath}:C:\src" `
              vndpal/bitbucket_asoc_sast:windows17
        artifacts:
          - reports/*
```
This repository is fully customizable. You can modify the files to create your own custom implementation according to your specific needs.
1. Fork or Clone the Repository

   ```sh
   git clone https://github.com/cwtravis/bitbucket-asoc-sast.git
   cd bitbucket-asoc-sast
   ```

2. Modify Python Scripts
   - Edit `linux/pipe/ASoC.py` or `windows/pipe/ASoC.py` to customize API interactions, error handling, or add new features
   - Edit `linux/pipe/RunSAST.py` or `windows/pipe/RunSAST.py` to modify scan execution logic, reporting, or workflow

3. Update Docker Configuration
   - Modify `linux/Dockerfile` or `windows/Dockerfile` to change base images or configure the environment
   - Update `requirements.txt` if you add new Python packages

4. Customize Pipeline Variables
   - Edit `linux/pipe.yml` or `windows/pipe.yml` to add new variables or change pipe metadata
   - Adapt the docker run commands and environment variables in your `bitbucket-pipelines.yml` to fit your project's requirements

5. Build and Push Your Custom Image

   ```sh
   # For Linux
   cd linux
   docker build -t <YOUR_DOCKERHUB>/bitbucket_asoc_sast:custom .
   docker push <YOUR_DOCKERHUB>/bitbucket_asoc_sast:custom
   # For Windows
   cd windows
   docker build -t <YOUR_DOCKERHUB>/bitbucket_asoc_sast:windows-custom .
   docker push <YOUR_DOCKERHUB>/bitbucket_asoc_sast:windows-custom
   ```

6. Use Your Custom Image in Pipeline: update your `bitbucket-pipelines.yml` to reference your custom image:

   ```yaml
   - pipe: docker://<YOUR_DOCKERHUB>/bitbucket_asoc_sast:custom
   ```
If you have any questions, raise an issue in this repo.