Skip to content

CI/CD Merge Prevention

To add SailPoint Entro secret scanning into your CI/CD workflow add the following code to a file named bitbucket-pipelines.yml at the root of your repository.

image: atlassian/default-image:3

pipelines:
  default:
    - step:
        name: Entro Security Scan
        script:
          - echo "Checking configuration..."
          - 'if [ -z "$ENTRO_API_KEY" ]; then echo "Error: ENTRO_API_KEY is not set."; exit 1; fi'

          - echo "Installing dependencies..."
          - if ! command -v jq &> /dev/null; then if command -v apk &> /dev/null; then apk add --no-cache jq; elif command -v apt-get &> /dev/null; then apt-get update && apt-get install -y jq; fi; fi

          - echo "Fetching diff..."
          - |
            if [ -n "$BITBUCKET_PR_DESTINATION_BRANCH" ]; then
              git fetch origin "$BITBUCKET_PR_DESTINATION_BRANCH" >/dev/null 2>&1
              git diff "origin/$BITBUCKET_PR_DESTINATION_BRANCH...HEAD" > diff.txt
            else
              if git rev-parse HEAD~1 >/dev/null 2>&1; then
                git diff HEAD~1 HEAD > diff.txt
              else
                git show HEAD > diff.txt
              fi
            fi

          - echo "Scanning for secrets..."
          - |
            set -e
            if [ ! -s diff.txt ]; then echo "No changes to scan."; exit 0; fi

            # Read diff content
            DIFF_CONTENT=$(cat diff.txt)

            PAYLOAD=$(jq -n --arg data "$DIFF_CONTENT" '{data: $data}')
            RESPONSE=$(curl -s -X POST "https://api.entro.security/v2/scan" \
              -H "Authorization: $ENTRO_API_KEY" \
              -H "Content-Type: application/json" \
              -d "$PAYLOAD")

            COUNT=$(echo "$RESPONSE" | jq '.results | length')
            if [ "$COUNT" -gt 0 ]; then
              echo "[FAIL] Entro Security found $COUNT secret(s):"
              echo "$RESPONSE" | jq -c '.results[]' | while read -r secret; do
                ORIGIN=$(echo "$secret" | jq -r '.origin')
                LINE=$(echo "$secret" | jq -r '.line')
                FILE_LINE=$(cat diff.txt | head -n "$LINE" | grep "^+++ b/" | tail -n 1 || true)
                if [ -n "$FILE_LINE" ]; then FILENAME=${FILE_LINE#"+++ b/"}; else FILENAME="unknown"; fi
                echo " - $ORIGIN in $FILENAME (Diff Line: $LINE)"
              done
              exit 1
            else
              echo "[PASS] No secrets found."
            fi
  pull-requests:
    '**':
      - step:
          name: Entro Security Scan (PR)
          script:
            - echo "Checking configuration..."
            - 'if [ -z "$ENTRO_API_KEY" ]; then echo "Error: ENTRO_API_KEY is not set."; exit 1; fi'

            - echo "Installing dependencies..."
            - if ! command -v jq &> /dev/null; then if command -v apk &> /dev/null; then apk add --no-cache jq; elif command -v apt-get &> /dev/null; then apt-get update && apt-get install -y jq; fi; fi

            - echo "Fetching diff..."
            - |
              if [ -n "$BITBUCKET_PR_DESTINATION_BRANCH" ]; then
                git fetch origin "$BITBUCKET_PR_DESTINATION_BRANCH" >/dev/null 2>&1
                git diff "origin/$BITBUCKET_PR_DESTINATION_BRANCH...HEAD" > diff.txt
              else
                git diff HEAD~1 HEAD > diff.txt
              fi

            - echo "Scanning for secrets..."
            - |
              set -e
              if [ ! -s diff.txt ]; then echo "No changes to scan."; exit 0; fi

              DIFF_CONTENT=$(cat diff.txt)

              PAYLOAD=$(jq -n --arg data "$DIFF_CONTENT" '{data: $data}')
              RESPONSE=$(curl -s -X POST "https://api.entro.security/v2/scan" \
                -H "Authorization: $ENTRO_API_KEY" \
                -H "Content-Type: application/json" \
                -d "$PAYLOAD")

              COUNT=$(echo "$RESPONSE" | jq '.results | length')
              if [ "$COUNT" -gt 0 ]; then
                echo "[FAIL] Entro Security found $COUNT secret(s):"
                echo "$RESPONSE" | jq -c '.results[]' | while read -r secret; do
                  ORIGIN=$(echo "$secret" | jq -r '.origin')
                  LINE=$(echo "$secret" | jq -r '.line')
                  FILE_LINE=$(cat diff.txt | head -n "$LINE" | grep "^+++ b/" | tail -n 1 || true)
                  if [ -n "$FILE_LINE" ]; then FILENAME=${FILE_LINE#"+++ b/"}; else FILENAME="unknown"; fi
                  echo " - $ORIGIN in $FILENAME (Diff Line: $LINE)"
                done
                exit 1
              else
                echo "[PASS] No secrets found."
              fi

Make sure that Pipelines are in enabled

The Pipeline uses a SailPoint Entro scan API key, once generated, add the API key into your repository's Pipelines 'Repository variables', available in the repository's settings.

Once a PR is created, the pipeline will run, detect and report secret exposures.