
Bitbucket Pipelines

Prerequisites

Add the variables under Repository settings → Pipelines → Repository variables:

Variable         Secured   Description
GERION_API_URL   No        URL of the Gerion API Gateway
GERION_API_KEY   Yes       M2M API key for your organization

Mark GERION_API_KEY as Secured: Bitbucket then masks its value in build logs and does not display it again in the UI. The URL carries no secret and can stay unsecured so it remains readable.

Complete pipeline

Copy the following into the root of your repository as bitbucket-pipelines.yml:

image: ghcr.io/gerion-appsec/gerion-cli:latest

definitions:
  steps:
    - step: &secrets-scan
        name: Secrets Scan
        script:
          # Bitbucket Pipelines has no per-step variable block, so the Bitbucket
          # build metadata is exported under the names the Gerion CLI expects
          # before each scan runs. Exports persist across the lines of one step.
          - export GERION_REPO_NAME="$BITBUCKET_REPO_SLUG"
          - export GERION_BRANCH_NAME="$BITBUCKET_BRANCH"
          - export GERION_COMMIT_HASH="$BITBUCKET_COMMIT"
          - export GERION_BUILD_ID="$BITBUCKET_BUILD_NUMBER"
          - gerion secrets-scan .
    - step: &sca-scan
        name: SCA Scan (Dependencies)
        script:
          - export GERION_REPO_NAME="$BITBUCKET_REPO_SLUG"
          - export GERION_BRANCH_NAME="$BITBUCKET_BRANCH"
          - export GERION_COMMIT_HASH="$BITBUCKET_COMMIT"
          - export GERION_BUILD_ID="$BITBUCKET_BUILD_NUMBER"
          - gerion sca-scan .
    - step: &iac-scan
        name: IaC Scan
        script:
          - export GERION_REPO_NAME="$BITBUCKET_REPO_SLUG"
          - export GERION_BRANCH_NAME="$BITBUCKET_BRANCH"
          - export GERION_COMMIT_HASH="$BITBUCKET_COMMIT"
          - export GERION_BUILD_ID="$BITBUCKET_BUILD_NUMBER"
          - gerion iac-scan .
    - step: &sast-scan
        name: SAST Scan
        script:
          - export GERION_REPO_NAME="$BITBUCKET_REPO_SLUG"
          - export GERION_BRANCH_NAME="$BITBUCKET_BRANCH"
          - export GERION_COMMIT_HASH="$BITBUCKET_COMMIT"
          - export GERION_BUILD_ID="$BITBUCKET_BUILD_NUMBER"
          - gerion sast-scan .
    - step: &scan-all
        name: Full Security Scan
        script:
          - export GERION_REPO_NAME="$BITBUCKET_REPO_SLUG"
          - export GERION_BRANCH_NAME="$BITBUCKET_BRANCH"
          - export GERION_COMMIT_HASH="$BITBUCKET_COMMIT"
          - export GERION_BUILD_ID="$BITBUCKET_BUILD_NUMBER"
          - gerion scan-all .
    - step: &pdf-report
        name: Generate PDF Report
        script:
          - export GERION_REPO_NAME="$BITBUCKET_REPO_SLUG"
          - export GERION_BRANCH_NAME="$BITBUCKET_BRANCH"
          - >
            gerion report
            --format pdf
            --output-file gerion-report.pdf
            --severity HIGH
            --active-only
        artifacts:
          - gerion-report.pdf

pipelines:
  default:
    - parallel:
        - step: *secrets-scan
        - step: *sca-scan
        - step: *iac-scan
        - step: *sast-scan
  branches:
    main:
      - parallel:
          - step: *secrets-scan
          - step: *sca-scan
          - step: *iac-scan
          - step: *sast-scan
      - step: *pdf-report
    develop:
      - step: *scan-all
  pull-requests:
    '**':
      - step: *scan-all
  custom:
    # Configure the schedule under Repository settings → Pipelines → Schedules
    nightly:
      - step: *scan-all
      - step: *pdf-report

Notes

  • With image: at the top level, the CLI runs directly as the step's container; no docker run is needed. The latest tag is used here for brevity; in production pin an immutable version tag or digest so a registry update cannot silently change the scanner that runs in your pipeline.
  • The Gerion CLI does not read Bitbucket's variables automatically. The pipeline maps them explicitly from BITBUCKET_REPO_SLUG, BITBUCKET_BRANCH, BITBUCKET_COMMIT and BITBUCKET_BUILD_NUMBER.
  • Artifacts declared in a step are retained and can be downloaded from the Bitbucket UI.
  • custom: pipelines run only when triggered manually or by a schedule configured in the Bitbucket UI.
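The mapping described in the notes is easy to get subtly wrong (a scan uploaded with an empty commit hash, or an API key sent to an http:// URL after a typo in the repository variable). As an added example that is not part of the Gerion documentation or the Gerion CLI, the following POSIX sh function can be sourced and called at the start of a step's script, before any gerion command: it verifies that the repository variables exist, refuses a plaintext API URL, checks that every Bitbucket variable it depends on is present, and only then exports the GERION_* names the CLI reads. The variable names are the ones used on this page; the function name gerion_preflight and the behaviour of failing the step on a missing value are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Gerion's own code): pre-flight check and variable mapping
# for a Bitbucket Pipelines step that runs the Gerion CLI.
# Usage inside a step: `. ./gerion-preflight.sh && gerion_preflight && gerion scan-all .`

gerion_preflight() {
  # 1. The credentials must come from Repository variables; never default them.
  if [ -z "${GERION_API_URL:-}" ] || [ -z "${GERION_API_KEY:-}" ]; then
    echo "gerion_preflight: GERION_API_URL and GERION_API_KEY must be set as Repository variables" >&2
    return 1
  fi

  # 2. Refuse to send the M2M API key over plaintext HTTP.
  case "$GERION_API_URL" in
    https://*) ;;
    *)
      echo "gerion_preflight: GERION_API_URL must start with https://" >&2
      return 1
      ;;
  esac

  # 3. Bitbucket sets these in every branch, pull-request and scheduled run.
  #    Fail loudly if one is missing rather than uploading a scan with no
  #    repository, branch or commit attached to it.
  for v in BITBUCKET_REPO_SLUG BITBUCKET_BRANCH BITBUCKET_COMMIT BITBUCKET_BUILD_NUMBER; do
    eval "val=\${$v:-}"
    if [ -z "$val" ]; then
      echo "gerion_preflight: $v is not set (is this running inside Bitbucket Pipelines?)" >&2
      return 1
    fi
  done

  # 4. Map the Bitbucket metadata onto the variables the Gerion CLI reads.
  #    Exports persist for the remaining script lines of the same step.
  export GERION_REPO_NAME="$BITBUCKET_REPO_SLUG"
  export GERION_BRANCH_NAME="$BITBUCKET_BRANCH"
  export GERION_COMMIT_HASH="$BITBUCKET_COMMIT"
  export GERION_BUILD_ID="$BITBUCKET_BUILD_NUMBER"

  # Log what was mapped; the API key is deliberately never printed.
  echo "gerion_preflight: repo=$GERION_REPO_NAME branch=$GERION_BRANCH_NAME commit=$GERION_COMMIT_HASH build=$GERION_BUILD_ID"
}
```

Because the function returns non-zero on any failed check, placing it before the scan command in a step's script aborts the step immediately and no request with the API key is ever made; a Secured GERION_API_KEY is still masked by Bitbucket even if some other command in the step were to echo it.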