
Bitbucket Pipelines

Prerequisites

Add the variables in Repository settings → Pipelines → Repository variables:

Variable          Secured   Description
GERION_API_URL    No        Gerion API Gateway URL
GERION_API_KEY    Yes       M2M API key for your organization

Full pipeline

Copy this content to the root of your repository as bitbucket-pipelines.yml:

image: ghcr.io/gerion-appsec/gerion-cli:latest

definitions:
  steps:
    - step: &secrets-scan
        name: Secrets Scan
        script:
          # Bitbucket steps have no per-step environment-variable key, and the
          # CLI does not read BITBUCKET_* itself, so map the values with export.
          - export GERION_REPO_NAME="$BITBUCKET_REPO_SLUG"
          - export GERION_BRANCH_NAME="$BITBUCKET_BRANCH"
          - export GERION_COMMIT_HASH="$BITBUCKET_COMMIT"
          - export GERION_BUILD_ID="$BITBUCKET_BUILD_NUMBER"
          - gerion secrets-scan .
    - step: &sca-scan
        name: SCA Scan (Dependencies)
        script:
          - export GERION_REPO_NAME="$BITBUCKET_REPO_SLUG"
          - export GERION_BRANCH_NAME="$BITBUCKET_BRANCH"
          - export GERION_COMMIT_HASH="$BITBUCKET_COMMIT"
          - export GERION_BUILD_ID="$BITBUCKET_BUILD_NUMBER"
          - gerion sca-scan .
    - step: &iac-scan
        name: IaC Scan
        script:
          - export GERION_REPO_NAME="$BITBUCKET_REPO_SLUG"
          - export GERION_BRANCH_NAME="$BITBUCKET_BRANCH"
          - export GERION_COMMIT_HASH="$BITBUCKET_COMMIT"
          - export GERION_BUILD_ID="$BITBUCKET_BUILD_NUMBER"
          - gerion iac-scan .
    - step: &sast-scan
        name: SAST Scan
        script:
          - export GERION_REPO_NAME="$BITBUCKET_REPO_SLUG"
          - export GERION_BRANCH_NAME="$BITBUCKET_BRANCH"
          - export GERION_COMMIT_HASH="$BITBUCKET_COMMIT"
          - export GERION_BUILD_ID="$BITBUCKET_BUILD_NUMBER"
          - gerion sast-scan .
    - step: &scan-all
        name: Full Security Scan
        script:
          - export GERION_REPO_NAME="$BITBUCKET_REPO_SLUG"
          - export GERION_BRANCH_NAME="$BITBUCKET_BRANCH"
          - export GERION_COMMIT_HASH="$BITBUCKET_COMMIT"
          - export GERION_BUILD_ID="$BITBUCKET_BUILD_NUMBER"
          - gerion scan-all .
    - step: &pdf-report
        name: Generate PDF Report
        script:
          - export GERION_REPO_NAME="$BITBUCKET_REPO_SLUG"
          - export GERION_BRANCH_NAME="$BITBUCKET_BRANCH"
          # Folded scalar: the lines below are joined into one command.
          - >
            gerion report
            --format pdf
            --output-file gerion-report.pdf
            --severity HIGH
            --active-only
        artifacts:
          - gerion-report.pdf

pipelines:
  default:
    - parallel:
        - step: *secrets-scan
        - step: *sca-scan
        - step: *iac-scan
        - step: *sast-scan
  branches:
    main:
      - parallel:
          - step: *secrets-scan
          - step: *sca-scan
          - step: *iac-scan
          - step: *sast-scan
      - step: *pdf-report
    develop:
      - step: *scan-all
  pull-requests:
    '**':
      - step: *scan-all
  custom:
    # Configure the schedule at: Repository settings → Pipelines → Schedules
    nightly:
      - step: *scan-all
      - step: *pdf-report

Notes

  • With image: set at the top level, every step runs inside the Gerion CLI container, so the gerion commands are invoked directly; no docker run and no Docker service are needed.
  • Gerion CLI does not automatically detect Bitbucket variables. Each step maps them explicitly from BITBUCKET_REPO_SLUG, BITBUCKET_BRANCH, BITBUCKET_COMMIT, and BITBUCKET_BUILD_NUMBER onto GERION_REPO_NAME, GERION_BRANCH_NAME, GERION_COMMIT_HASH, and GERION_BUILD_ID; without that mapping the findings are not attributed to the right repository, branch, and commit.
  • GERION_API_KEY is a secured variable: Bitbucket masks its value in build logs and never displays it again once saved. Keep it out of bitbucket-pipelines.yml and do not echo it from a script.
  • Artifacts declared in a step (here gerion-report.pdf) are kept after the step finishes, are available to later steps in the same pipeline, and can be downloaded from the pipeline run in the Bitbucket UI.
  • custom: pipelines never run on push. They are started manually (Run pipeline in the Bitbucket UI) or by a schedule configured under Repository settings → Pipelines → Schedules.
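As an added example (not part of the Gerion CLI or of the pipeline above), the following POSIX sh guard can be committed alongside bitbucket-pipelines.yml and sourced at the start of each step script. It performs the same BITBUCKET_* to GERION_* mapping as the YAML, refuses to start a scan when GERION_API_URL or GERION_API_KEY are missing (a scan that runs unauthenticated or without a commit hash is a silent failure you would otherwise only notice in the dashboard), and redacts the key whenever it is logged. The function names gerion_prepare_env, gerion_check_env, gerion_redact, and gerion_summary are hypothetical, and the BITBUCKET_* values used when running it locally are constructed.

```shell
#!/bin/sh
# Added example: gerion-env.sh, a pre-scan guard for Bitbucket Pipelines steps.
# Usage inside a step script (hypothetical helper names):
#   - . ./gerion-env.sh && gerion_prepare_env && gerion_check_env && gerion secrets-scan .

# Set the Gerion variable named in $1 to the value in $2 unless it is already
# set, so an operator override (e.g. a fixed GERION_BRANCH_NAME) wins.
gerion_map_var() {
  eval "cur=\${$1:-}"
  if [ -z "$cur" ]; then
    export "$1=$2"
  fi
}

# Map Bitbucket's built-in variables onto the names the Gerion CLI reads.
# The CLI does not detect BITBUCKET_* on its own.
gerion_prepare_env() {
  gerion_map_var GERION_REPO_NAME   "${BITBUCKET_REPO_SLUG:-}"
  gerion_map_var GERION_BRANCH_NAME "${BITBUCKET_BRANCH:-}"
  gerion_map_var GERION_COMMIT_HASH "${BITBUCKET_COMMIT:-}"
  gerion_map_var GERION_BUILD_ID    "${BITBUCKET_BUILD_NUMBER:-}"
}

# Return 0 when every required variable is non-empty, 1 otherwise.
# The names of the missing variables (never their values) go to stderr.
gerion_check_env() {
  missing=""
  for v in GERION_API_URL GERION_API_KEY GERION_REPO_NAME GERION_COMMIT_HASH; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || missing="$missing $v"
  done
  if [ -n "$missing" ]; then
    echo "gerion: refusing to scan, missing required variables:$missing" >&2
    return 1
  fi
  return 0
}

# Redact a secret for logging: only the last four characters survive.
# Secrets shorter than five characters are fully masked.
gerion_redact() {
  s="$1"
  if [ "${#s}" -le 4 ]; then
    echo "****"
  else
    echo "****${s#"${s%????}"}"
  fi
}

# One-line, log-safe summary of the scan context (key redacted).
gerion_summary() {
  echo "gerion: repo=${GERION_REPO_NAME:-} branch=${GERION_BRANCH_NAME:-}" \
       "commit=${GERION_COMMIT_HASH:-} build=${GERION_BUILD_ID:-}" \
       "url=${GERION_API_URL:-} key=$(gerion_redact "${GERION_API_KEY:-}")"
}
```

Because gerion_check_env returns non-zero instead of exiting, it composes with the step script's own `&&` chain and with Bitbucket's fail-on-non-zero behaviour: the step stops before the CLI is invoked, and the log names the variable that was forgotten in Repository variables.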