Bitbucket Cloud Integration
Bitbucket Cloud integration with Flyingduck lets you display an inventory of the repositories in your workspace and identify misconfigurations. It also inventories the libraries each repository uses, identifies their known vulnerabilities, and detects hard-coded sensitive information in the code on every commit. Additionally, you can perform Static Application Security Testing (SAST), which scans the source code for security vulnerabilities.
This is an overview of integrating Flyingduck with your Bitbucket repositories. To connect Bitbucket and receive detailed insights at every commit, follow the steps below:
Access the Integration
- Sign in to the Flyingduck portal as an administrator.
- Navigate to Administration → Integrations.
- Locate Bitbucket and click Integrate.
App Integration
Scan Configuration
Choose how you want Flyingduck to scan your Bitbucket repositories:
- Direct cloud access
- Self-hosted Runner
Select Cloud Mode if you want your code to be scanned directly in Flyingduck’s cloud platform.
In this mode, the repository code is accessed by Flyingduck to perform the scans, and the results are displayed securely in the Flyingduck dashboard.
Cloud mode includes the default PR scan feature: Flyingduck adds its checks to each pull request. If issues are found in the changes in your PR, the check fails and the complete details of the issues are reported. For SCA findings, the CVEs are listed together with the Flyingduck-recommended version of the package that fixes all of them.
Selecting Cloud Mode will take you to the PR Scan Configuration section. We provide the flexibility to choose whether to enable default PR scans or not. Based on your preference, select the appropriate option during setup.
If you enable PR scans for the entire organization, all integrated repositories will have PR scanning enabled by default. Otherwise, no repository will have PR scans enabled initially.
You can always modify the PR scan configuration later, even after integration. Additionally, it is possible to trigger PR scans only for specific repositories by selecting “Disable” during setup and configuring PR scan settings individually for each repository afterwards.
After selecting your preferred option, click Continue to proceed.
Integrate with Bitbucket
Integrate your Version Control System to manage and triage issues efficiently. Before moving to the next step in Flyingduck, sign in to the Bitbucket website in the same browser: Flyingduck redirects you to Bitbucket, which shows the workspaces available to that user. You need a Bitbucket workspace; in Workspace settings → Installed apps, enable Development mode for every workspace you want to integrate.
Enter your Bitbucket workspace (organization) name exactly as it appears on Bitbucket, then click Verify.
You will be redirected to Bitbucket. Click Grant access on the Bitbucket website to grant the Flyingduck app permission in the selected workspace.
Bitbucket then shows the permissions requested for that workspace; Flyingduck asks for read access only. Click Grant access.
When you click Grant access, the app is installed. After a successful installation, a confirmation message saying "Workspace integrated successfully" appears in the portal.
If the message does not appear, there may have been an issue during the integration process. Please contact our support team at support@flyingduck.io for assistance.
Branch Configuration
Branch configuration allows you to manage and customize which Bitbucket branches are monitored for automated scanning.
You can configure branches into two main stages: Production and Release. Branches such as Release, Staging, or Testing can be included in the Release stage. All other branches will be considered feature branches by default.
This configuration allows you to prioritize important branches and gain better visibility into your development workflow. Flyingduck will scan the configured branches and track all unique issues found. With this setup, you can monitor how many issues are present at each stage and how many are resolved before reaching production.
You can configure continuous scanning for your repositories in two ways:
- Enable for all branches – scans all branches continuously.
- Scan for active branches – scans only the branches you specify.
Select the option that best fits your workflow, then click Continue. After saving, a confirmation message saying "Branches saved successfully" will appear.
Jira Integration (Optional)
Flyingduck can be integrated with Jira to streamline issue tracking by automatically creating and linking issues discovered during scans to your Jira project boards. This ensures efficient management and resolution of vulnerabilities.
Setup Steps:
- Enter your Jira domain (e.g., https://your-org.atlassian.net).
- Enter the email ID associated with your Jira API token.
- Enter your Jira API token.
- Click Test Authentication to verify the connection, or Skip to configure it later.
Once successfully authenticated, Flyingduck will seamlessly link detected issues to your Jira boards, allowing you to monitor, prioritize, and resolve them directly within Jira.
CI/CD Workflow Integration (Optional)
Flyingduck can be integrated into your CI/CD pipelines to automatically scan code during pipeline execution. This ensures that security issues are detected early in the development process, preventing potential vulnerabilities from reaching production.
Setup Instructions:
- Add the Flyingduck scanner to your CI/CD configuration file.
- Configure the scanner to run before your build step.
- Optionally, set the scanner to fail the build if any security issues are detected.
Once configured, Flyingduck continuously monitors your code during pipeline execution, helping teams maintain secure and reliable development workflows.
Runner App Integration
Scan Configuration
Choose how you want Flyingduck to scan your Bitbucket repositories:
- Direct cloud access
- Self-hosted Runner
Select Runner Mode if you prefer to set up a dedicated VM and execute the scans within your own environment.
Runner mode gives you control over where Flyingduck scans your Bitbucket repositories. You can launch a VM on a public cloud or on-premise infrastructure and configure it as a dedicated runner. This enables unlimited on-demand, scheduled, or continuous automated scans, keeps source code inside your own environment, and can reduce cost.
Select your preferred environment for runner deployment—AWS, Azure, or your own local VM.
Select VM Environment
Runner Mode: AWS Setup
To configure your self-hosted Flyingduck runner using AWS, follow these steps:
1. Retrieve Your API Key
Your runner requires an API key for configuration.
- Copy the displayed API key from the "Your API Key" section.
- Use the copy button for convenience.
2. Launch Self-Hosted Runner for AWS
Set up the necessary IAM role and infrastructure using AWS CloudFormation:
- Click the "Launch Stack" button to automatically open the AWS Console and create the Flyingduck role ARN.
- Once the stack is launched, AWS will generate a new role ARN for the runner.
3. Add Flyingduck Role ARN
- Pass the created ARN in the input field provided.
This authenticates your AWS environment for Flyingduck runner operations.
4. Continue Setup
- Click Continue to proceed to the next step.
- If you need to revise, use the Back button.
5. Configure details
- Fill in the required details and click Continue. These details are used only for display and to help you identify your runner, except that the launch template name must match exactly.
Upon successful configuration, a message stating "AWS Runner Setup successful" will be displayed.
Tip:
Ensure your AWS account has permissions to launch CloudFormation stacks and create IAM roles. Before creating the stack, review the IAM policy the template attaches to the Flyingduck role so you know exactly what the runner is allowed to do in your account.
The remaining steps for Runner mode (Integrate with Bitbucket, Branch Configuration, Jira Integration and CI/CD Workflow Integration) are identical to those described under App Integration above.
CLI Integration
This integration provides a simple way to scan your codebase without any UI configuration.
Steps to Integrate:
- Copy your Flyingduck API key: retrieve it from the Flyingduck portal. It authenticates the scan.
- Clone your repository: open a terminal and run git clone <your-repository-url>, then change into the cloned directory with cd <your-repo-folder>.
- Run the Docker command to start the scan:
docker run -e FD_API_KEY=<your-api-key> -v ${PWD}:/src --entrypoint /bin/bash flyingduckio/duckdefender:latest -c "duckdefender code --all"
Replace <your-api-key> with the API key copied earlier. Note that a key given inline as FD_API_KEY=<value> is recorded in your shell history and is visible in the process list while the container starts; exporting FD_API_KEY in your shell and passing -e FD_API_KEY with no value keeps the secret off the command line.
- View scan results: the HEAD commit of the repository is scanned, and the results, including any potential security issues, are shown in the Flyingduck portal dashboard.
For advanced configurations and additional flags, visit the Flyingduck CLI documentation (opens in a new tab).
This streamlined guide aims to get you scanning quickly with Flyingduck, leveraging Docker and your API key for effortless security integration.
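The following wrapper is an added example, not code from the page or from Flyingduck: it builds the same docker invocation as the command above but passes -e FD_API_KEY with no value, so docker copies the key from the calling environment and the secret never appears in argv, `ps` output or shell history. It refuses to run without a key rather than sending an empty one. The --rm flag and the injectable `runner` parameter (used only so the logic can be exercised without docker) are my additions.

```python
import os
import subprocess

IMAGE = "flyingduckio/duckdefender:latest"  # image name from the page's own command


def build_scan_command(repo_dir, image=IMAGE):
    """Return the docker argv for a DuckDefender scan of repo_dir.

    `-e FD_API_KEY` with no `=value` tells docker to copy FD_API_KEY from the
    client environment, so the key is never part of the command line.
    """
    return [
        "docker", "run", "--rm",
        "-e", "FD_API_KEY",
        "-v", f"{os.path.abspath(repo_dir)}:/src",
        "--entrypoint", "/bin/bash",
        image,
        "-c", "duckdefender code --all",
    ]


def run_scan(repo_dir, env=None, runner=subprocess.run):
    """Run the scan and return docker's exit code.

    Fails fast when FD_API_KEY is missing or blank instead of starting a
    container that will only fail authentication later.
    """
    env = dict(os.environ if env is None else env)
    if not env.get("FD_API_KEY", "").strip():
        raise RuntimeError("FD_API_KEY is not set; export it in the shell before running the scan")
    argv = build_scan_command(repo_dir)
    # Defensive check: the secret must not have leaked into the argument list.
    if any(a.startswith("FD_API_KEY=") for a in argv):
        raise RuntimeError("refusing to pass FD_API_KEY on the command line")
    return runner(argv, env=env, check=False).returncode


if __name__ == "__main__":
    # Usage: export FD_API_KEY=...; python scan.py /path/to/repo
    import sys
    sys.exit(run_scan(sys.argv[1] if len(sys.argv) > 1 else "."))
```

The same idea applies to any CI job: reference the key through the job's secret store rather than pasting it into the script.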
Workflow Integration
Integrate Flyingduck seamlessly into your CI/CD pipelines to automate security scanning and ensure vulnerabilities are caught early.
- Flyingduck scans your code on every commit, pull request, or build event within your existing CI/CD workflows.
- The integration requires minimal setup: add the Flyingduck scan step to your existing pipeline script, or create a new pipeline file with the content below (it can also be downloaded from the portal as duckdefender.yaml). Bitbucket Pipelines only reads bitbucket-pipelines.yml at the repository root, so save it under that name.
API Key configuration
Before committing the file, go to the Bitbucket website -> Workspaces (select your workspace) -> Repositories (select your repo) -> Repository settings. In the repository settings:
- Go to Pipelines -> Settings and enable Pipelines.
- Go to Pipelines -> Repository variables and add a variable named FD_API_KEY with your API key as the value. Tick Secured so the value is encrypted and masked in pipeline logs.
Then commit the file. If the branch you commit to is listed under branches in the file, the scan runs and its data (libraries, secrets and other findings) is sent to the Flyingduck portal.
Yaml file Configuration
# Version: '2.1.2'
pipelines:
  branches:
    main:
      - step: &DuckDefender
          name: DuckDefender scanner
          image: flyingduckio/duckdefender:latest
          caches:
            - docker
          script:
            # Define the DOCKER_TAG environment variable
            - export DOCKER_TAG="flyingduckio/duckdefender:latest"
            # Download image from docker hub
            - docker pull $DOCKER_TAG
            # Run the docker image
            - docker run -e BITBUCKET_REPO_OWNER="$BITBUCKET_REPO_OWNER" -e BITBUCKET_REPO_SLUG="$BITBUCKET_REPO_SLUG" -e BITBUCKET_BRANCH="$BITBUCKET_BRANCH" -e BITBUCKET_COMMIT="$BITBUCKET_COMMIT" -e FD_API_KEY="$FD_API_KEY" -e PIPELINES_JWT_TOKEN="$PIPELINES_JWT_TOKEN" -e BITBUCKET_CLONE_DIR="$BITBUCKET_CLONE_DIR" -e ONLY_LATEST=True -v /opt/atlassian/pipelines/agent/build:/src $DOCKER_TAG
          services:
            - docker
    # Triggers the workflow on push events
    master:
      - step: *DuckDefender
    develop:
      - step: *DuckDefender
    release:
      - step: *DuckDefender
Custom Branch
To scan commits on custom branches such as feature/* or bug/* and see their findings, add those branch patterns under branches in bitbucket-pipelines.yml:
    # Triggers the workflow on push events
    master:
      - step: *DuckDefender
    develop:
      - step: *DuckDefender
    release:
      - step: *DuckDefender
    feature/*:
      - step: *DuckDefender
    bug/*:
      - step: *DuckDefender
- Results and detected issues are surfaced in the Flyingduck portal, enabling quick review and remediation.
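Before committing the pipeline file it is worth checking three things: that the API key is referenced as $FD_API_KEY rather than pasted in, that the scanner image is pinned, and that every branch you care about actually carries the DuckDefender step. The linter below is an added example (mine, not Flyingduck's) that runs those checks line by line over a constructed sample modeled on the page's configuration; the sample deliberately pastes a fake key inline and leaves the image on the :latest tag. Pinning the image by digest is my recommendation for supply-chain hygiene; the page's own configuration uses :latest.

```python
import re

# Constructed sample modeled on the page's bitbucket-pipelines.yml, with two
# deliberate weaknesses: the key is pasted inline and the image is unpinned.
# The key value is a made-up placeholder, not a real credential.
SAMPLE_PIPELINE = """\
pipelines:
  branches:
    main:
      - step: &DuckDefender
          name: DuckDefender scanner
          image: flyingduckio/duckdefender:latest
          script:
            - docker run -e FD_API_KEY="fd_live_0123456789abcdef" -v $BITBUCKET_CLONE_DIR:/src flyingduckio/duckdefender:latest
    release:
      - step: *DuckDefender
    feature/*:
      - step: *DuckDefender
"""

# FD_API_KEY=<value>, optionally quoted; a value not starting with $ is a literal.
SECRET_REF = re.compile(r'''FD_API_KEY=(["']?)(?P<val>[^"'\s]+)\1''')
IMAGE_LINE = re.compile(r'^\s*image:\s*(?P<ref>\S+)')
BRANCH_KEY = re.compile(r'^    (?P<name>[^\s:]+):\s*$')   # 4-space keys under branches:
SCAN_STEP = re.compile(r'step:\s*[&*]DuckDefender\b')     # anchor definition or alias


def lint_pipeline(text):
    """Return (line_no, message) findings for hardcoded keys and unpinned images."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = SECRET_REF.search(line)
        if m and not m.group("val").startswith("$"):
            findings.append((n, "FD_API_KEY is hardcoded; reference the secured repository variable as $FD_API_KEY"))
        m = IMAGE_LINE.match(line)
        if m and "@sha256:" not in m.group("ref"):
            findings.append((n, f"image {m.group('ref')} is not pinned by digest"))
    return findings


def scanned_branches(text):
    """Map each branch pattern under `branches:` to whether it runs the DuckDefender step."""
    result, current, in_branches = {}, None, False
    for line in text.splitlines():
        if re.match(r'^\s*branches:\s*$', line):
            in_branches = True
            continue
        if not in_branches:
            continue
        m = BRANCH_KEY.match(line)
        if m:
            current = m.group("name")
            result[current] = False
        elif current and SCAN_STEP.search(line):
            result[current] = True
    return result


def missing_branches(text, required):
    """Branches from `required` that have no DuckDefender step in the file."""
    covered = scanned_branches(text)
    return sorted(b for b in required if not covered.get(b, False))


if __name__ == "__main__":
    for line_no, msg in lint_pipeline(SAMPLE_PIPELINE):
        print(f"line {line_no}: {msg}")
    print("unscanned:", missing_branches(SAMPLE_PIPELINE, ["main", "develop", "feature/*"]))
```

The check is intentionally textual rather than a full YAML parse so it can run as a pre-commit hook with no dependencies; it keys on the 4-space indentation the page's file uses for branch names.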
Benefits:
- Continuous security checks without slowing down development.
- Detects vulnerabilities before code merges or deployment.
- Works with popular CI/CD tools such as Bitbucket Pipelines.
Click Continue after setting up to proceed with monitoring your pipeline scans in the portal.