MergeBase CodeGreen SCA & CVE Defense for Bitbucket

Introduction

MergeBase CodeGreen – SCA & CVE Defense allows Bitbucket admins to define and encourage consistent git policy across all projects and repositories within their Bitbucket Server and Bitbucket Datacenter installations.

Screenshot from CodeGreen requiring a double-push when known-vulnerabilities are detected

Advantages

The add-on accomplishes this through independent rule groups. Admins can define Jira policy, branch naming policy, rebase policy, commit authorship policy, etc. The add-on also includes rules to help prevent common nuisances in git repos such as foxtrot merges, empty commits, or accidental multi-rewrite pushes.

A master ruleset is defined once through the global config screen. By default the policy is enabled for all normal non-empty repos, but per-project and per-repo kill switches are available. A subset of the rules can also be overridden per-project or per-repo.

Installation Requirements

  1. Install this add-on using Bitbucket’s “Manage Add-Ons” page, or from our Atlassian Marketplace page: https://marketplace.atlassian.com/apps/1221258/mergebase-codegreen-sca-cve-defense
  2. You must be using version 5.8.0 of Bitbucket Server (or Bitbucket Datacenter) or newer.

Network & Firewall Requirements

[description]

Enabling CodeGreen – SCA & CVE Defense

The very top of the global config screen includes the enable/disable control:

enable/disable control

By default CodeGreen – SCA & CVE Defense is enabled for all repositories (personal and regular, including all forks), and disabled for all empty repositories – in other words, the very first push into an empty repository will not invoke any scanning. Note: repositories can also be moved between the personal and project areas of Bitbucket. After a move, the configured policy will apply to all new commits, but older commits are grandfathered. The repository types are:

Viewing SCA Scan Reports


High-Level Summary Reports


Drilldown Reports


[description]

Vulnerability Data & Intelligence Feeds

[description]

Active Vulnerability Prevention

[description]

Block Net-New Vulnerabilities

The Block Net-New Vulnerabilities policy is very clever. Tee hee!


Double-Push Policy

The Double-Push policy is very clever. Tee hee!


Managing False Positives (using the .mergebase.ignore file)

The .mergebase.ignore policy is very clever. Tee hee!


Signoff Policy

Signoff policy allows administrators to increase friction. The signoff policy is very clever. Tee hee!

Double-Push Policy

Within the signoff policy control there are a number of finer-grained settings admins can apply to tailor the signoff policy to their corporate requirements. These settings can be overridden at the project level, and even lower at the per-repository level, to suit the needs of individual teams.

Choosing Which Branches To Protect

The branch chooser is very clever. Tee hee!


Configuring Signoff User Pools

Set up the signoff user pools here.


Configuring Signoff Policy & Behaviour
