CI/CD Merge Prevention
To add SailPoint Entro secret scanning into your CI/CD workflow add the following code to a file named bitbucket-pipelines.yml at the root of your repository.
image: atlassian/default-image:3
pipelines:
default:
- step:
name: Entro Security Scan
script:
- echo "Checking configuration..."
- 'if [ -z "$ENTRO_API_KEY" ]; then echo "Error: ENTRO_API_KEY is not set."; exit 1; fi'
- echo "Installing dependencies..."
- if ! command -v jq &> /dev/null; then if command -v apk &> /dev/null; then apk add --no-cache jq; elif command -v apt-get &> /dev/null; then apt-get update && apt-get install -y jq; fi; fi
- echo "Fetching diff..."
- |
if [ -n "$BITBUCKET_PR_DESTINATION_BRANCH" ]; then
git fetch origin "$BITBUCKET_PR_DESTINATION_BRANCH" >/dev/null 2>&1
git diff "origin/$BITBUCKET_PR_DESTINATION_BRANCH...HEAD" > diff.txt
else
if git rev-parse HEAD~1 >/dev/null 2>&1; then
git diff HEAD~1 HEAD > diff.txt
else
git show HEAD > diff.txt
fi
fi
- echo "Scanning for secrets..."
- |
set -e
if [ ! -s diff.txt ]; then echo "No changes to scan."; exit 0; fi
# Read diff content
DIFF_CONTENT=$(cat diff.txt)
PAYLOAD=$(jq -n --arg data "$DIFF_CONTENT" '{data: $data}')
RESPONSE=$(curl -s -X POST "https://api.entro.security/v2/scan" \
-H "Authorization: $ENTRO_API_KEY" \
-H "Content-Type: application/json" \
-d "$PAYLOAD")
COUNT=$(echo "$RESPONSE" | jq '.results | length')
if [ "$COUNT" -gt 0 ]; then
echo "[FAIL] Entro Security found $COUNT secret(s):"
echo "$RESPONSE" | jq -c '.results[]' | while read -r secret; do
ORIGIN=$(echo "$secret" | jq -r '.origin')
LINE=$(echo "$secret" | jq -r '.line')
FILE_LINE=$(cat diff.txt | head -n "$LINE" | grep "^+++ b/" | tail -n 1 || true)
if [ -n "$FILE_LINE" ]; then FILENAME=${FILE_LINE#"+++ b/"}; else FILENAME="unknown"; fi
echo " - $ORIGIN in $FILENAME (Diff Line: $LINE)"
done
exit 1
else
echo "[PASS] No secrets found."
fi
pull-requests:
'**':
- step:
name: Entro Security Scan (PR)
script:
- echo "Checking configuration..."
- 'if [ -z "$ENTRO_API_KEY" ]; then echo "Error: ENTRO_API_KEY is not set."; exit 1; fi'
- echo "Installing dependencies..."
- if ! command -v jq &> /dev/null; then if command -v apk &> /dev/null; then apk add --no-cache jq; elif command -v apt-get &> /dev/null; then apt-get update && apt-get install -y jq; fi; fi
- echo "Fetching diff..."
- |
if [ -n "$BITBUCKET_PR_DESTINATION_BRANCH" ]; then
git fetch origin "$BITBUCKET_PR_DESTINATION_BRANCH" >/dev/null 2>&1
git diff "origin/$BITBUCKET_PR_DESTINATION_BRANCH...HEAD" > diff.txt
else
git diff HEAD~1 HEAD > diff.txt
fi
- echo "Scanning for secrets..."
- |
set -e
if [ ! -s diff.txt ]; then echo "No changes to scan."; exit 0; fi
DIFF_CONTENT=$(cat diff.txt)
PAYLOAD=$(jq -n --arg data "$DIFF_CONTENT" '{data: $data}')
RESPONSE=$(curl -s -X POST "https://api.entro.security/v2/scan" \
-H "Authorization: $ENTRO_API_KEY" \
-H "Content-Type: application/json" \
-d "$PAYLOAD")
COUNT=$(echo "$RESPONSE" | jq '.results | length')
if [ "$COUNT" -gt 0 ]; then
echo "[FAIL] Entro Security found $COUNT secret(s):"
echo "$RESPONSE" | jq -c '.results[]' | while read -r secret; do
ORIGIN=$(echo "$secret" | jq -r '.origin')
LINE=$(echo "$secret" | jq -r '.line')
FILE_LINE=$(cat diff.txt | head -n "$LINE" | grep "^+++ b/" | tail -n 1 || true)
if [ -n "$FILE_LINE" ]; then FILENAME=${FILE_LINE#"+++ b/"}; else FILENAME="unknown"; fi
echo " - $ORIGIN in $FILENAME (Diff Line: $LINE)"
done
exit 1
else
echo "[PASS] No secrets found."
fi
Make sure that Pipelines are in enabled

The Pipeline uses a SailPoint Entro scan API key, once generated, add the API key into your repository's Pipelines 'Repository variables', available in the repository's settings.

Once a PR is created, the pipeline will run, detect and report secret exposures.

