MergeBase CodeGreen SCA & CVE Defense for Bitbucket

Introduction

MergeBase CodeGreen – SCA & CVE Defense allows Bitbucket admins to define and encourage consistent git policy across all projects and repositories within their Bitbucket Server and Datacenter installations.

Screenshot: CodeGreen requiring a double-push when known vulnerabilities are detected


Advantages

The add-on accomplishes this through independent rule groups. Admins can define Jira policy, branch naming policy, rebase policy, commit authorship policy, etc. The add-on also includes rules to help prevent common nuisances in git repos such as foxtrot merges, empty commits, or accidental multi-rewrite pushes.

A master ruleset is defined once through the global config screen. By default the policy is enabled for all normal non-empty repos, but per-project and per-repo kill switches are available. A subset of the rules can also be overridden per-project or per-repo.

Installation Requirements

  1. Install this add-on using Bitbucket’s “Manage Add-Ons” page, or from our Atlassian Marketplace page: https://marketplace.atlassian.com/apps/1221258/mergebase-codegreen-sca-cve-defense
  2. You must be using version 5.8.0 of Bitbucket Server (or Bitbucket Datacenter) or newer.

Network & Firewall Requirements

[description]

Enabling CodeGreen – SCA & CVE Defense

The very top of the global config screen includes the enable/disable control:

Screenshot: enable/disable control

By default CodeGreen – SCA & CVE Defense is enabled for all repositories (personal and regular, including all forks), and disabled for all empty repositories – in other words, the very first push into an empty repository will not invoke any scanning. Note: repositories can also be moved between the personal and project areas of Bitbucket. After a move, the configured policy will apply to all new commits, but older commits are grandfathered. The repository types are:

Viewing SCA Scan Reports


High-Level Summary Reports


Drilldown Reports


[description]

Vulnerability Data & Intelligence Feeds

[description]

Active Vulnerability Prevention

[description]

Block Net-New Vulnerabilities

The Block Net-New Vulnerabilities policy is very clever. Tee hee!


Double-Push Policy

The Double-Push policy is very clever. Tee hee!


Managing False Positives (using the .mergebase.ignore file)

The .mergebase.ignore policy is very clever. Tee hee!


Signoff Policy

Signoff policy allows administrators to increase friction. The signoff policy is very clever. Tee hee!


Within the signoff policy control, there are a number of finer-grained settings admins can apply to customize the signoff policy to suit their corporate requirements. These settings can be overridden at the project level and, below that, at the per-repository level to suit unique team needs.

Choosing Which Branches To Protect

The branch chooser is very clever. Tee hee!


Configuring Signoff User Pools

Set up the user pools here!


Configuring Signoff Policy & Behaviour
