Bitbucket Integration for IaC Security
Qualys TotalCloud's Bitbucket integration brings infrastructure-as-code security scanning directly into the development pipeline, enabling teams to detect cloud misconfigurations before resources are deployed rather than after. By scanning IaC templates against Qualys security controls during pull and push requests, security teams gain continuous visibility of the security posture of their IaC templates without waiting for post-deployment assessment. This shift-left approach reduces remediation costs and complexity by catching configuration issues when they are easiest to fix. The integration addresses the critical gap between development workflows and security validation, allowing organizations to maintain security compliance standards throughout the infrastructure provisioning process.
Security scans in the current continuous integration and continuous deployment (CI/CD) environment are typically run on cloud resources after deployment. As a result, cloud resource security is evaluated only after infrastructure is provisioned in the respective cloud accounts, potentially delaying the identification and remediation of configuration issues.
With the introduction of the Infrastructure as Code (IaC) security feature in Qualys TotalCloud, organizations can analyze IaC templates during development. This capability allows teams to evaluate cloud resource configurations defined in templates and validate them against security and compliance policies before infrastructure provisioning activities begin.
Qualys TotalCloud integrates with Bitbucket via a pipeline script that scans IaC templates stored in Bitbucket repositories. The pipeline executes security checks against Qualys TotalCloud security controls, and reports failed checks for each pipeline run. The scan results help teams review security findings and take remediation actions directly within their development workflow.
For supported templates, other integrations, and features of Cloud IaC Security, refer to TotalCloud Online Help and TotalCloud API User Guide.
Scan IaC Template at Bitbucket
The Bitbucket integration allows you to perform IaC scans on pull and push requests to Bitbucket repositories. We provide you with a pipeline script and options that can be configured to run based on various triggers.
You can perform an IaC scan on either of the following:
- The entire repository for the branch where the pull/manual/scheduled event was performed.
- The templates that were newly added to the branch.
The results are generated in the Bitbucket pipeline output, giving you proactive visibility into the security of the IaC templates residing in your Bitbucket repositories.
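The following bitbucket-pipelines.yml is an added example, not the Qualys-provided pipeline script, showing where that script would run for each trigger the page describes (pull request, push, and a custom pipeline for manual or scheduled runs) and how the "newly added templates only" scope can be computed with git. The script name `qualys_iac_scan.sh` and the `QUALYS_*` variable names are placeholders; the real names and options come from the Qualys script, and `BITBUCKET_PR_DESTINATION_BRANCH` is a standard Bitbucket Pipelines variable.

```yaml
# Added example (not Qualys's own script): bitbucket-pipelines.yml skeleton.
# Qualys connection values are assumed to be set as secured repository
# variables in Bitbucket settings (never committed to the repository) and are
# read by the scan script as $QUALYS_*; the names here are placeholders.
image: atlassian/default-image:4

clone:
  depth: full   # full history so added files can be diffed against the base branch

definitions:
  steps:
    - step: &iac-scan-full
        name: IaC scan - entire repository for the current branch
        script:
          - export SCAN_SCOPE=full
          - ./qualys_iac_scan.sh      # placeholder for the Qualys-provided script
    - step: &iac-scan-added
        name: IaC scan - newly added templates only
        script:
          # List files added on the PR source branch relative to its destination
          # (merge-base comparison via "...", --diff-filter=A keeps only additions).
          - git fetch origin "$BITBUCKET_PR_DESTINATION_BRANCH"
          - git diff --diff-filter=A --name-only "origin/$BITBUCKET_PR_DESTINATION_BRANCH...HEAD" > added_templates.txt
          - cat added_templates.txt   # visible in the pipeline log for review
          # How the list is handed to the script depends on its options (assumption).
          - export SCAN_SCOPE=added
          - ./qualys_iac_scan.sh

pipelines:
  pull-requests:
    '**':                      # any source branch that opens a pull request
      - step: *iac-scan-added
  branches:
    main:                      # pushes to main scan the whole repository
      - step: *iac-scan-full
  custom:
    scheduled-iac-scan:        # run manually, or attach a Bitbucket schedule to it
      - step: *iac-scan-full
```

Whether a run with failed checks stops the pipeline depends on the exit code of the Qualys script, so confirm that behaviour before relying on the step as a merge gate.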
Pre-requisites
- Ensure that you have a valid Qualys subscription to the Qualys Cloud Security Assessment app.
- Before you trigger IaC scans in Bitbucket, ensure that you configure the environment variables used in the script.
Next step: