{"id":23624863,"url":"https://github.com/hcl-tech-software/bitbucket-asoc-sast","last_synced_at":"2025-08-31T00:31:32.451Z","repository":{"id":103911475,"uuid":"398381280","full_name":"HCL-TECH-SOFTWARE/bitbucket-asoc-sast","owner":"HCL-TECH-SOFTWARE","description":"This is a linux docker image that uses python to download the SAClientUtil from  HCL AppScan on Cloud and run static analysis against a build application in Bitbucket pipelines.","archived":false,"fork":false,"pushed_at":"2024-11-14T19:08:32.000Z","size":57,"stargazers_count":3,"open_issues_count":4,"forks_count":8,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-08-29T12:44:56.248Z","etag":null,"topics":["appscan"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/HCL-TECH-SOFTWARE.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-08-20T19:29:58.000Z","updated_at":"2025-08-15T22:50:09.000Z","dependencies_parsed_at":"2023-10-11T23:24:32.538Z","dependency_job_id":null,"html_url":"https://github.com/HCL-TECH-SOFTWARE/bitbucket-asoc-sast","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/HCL-TECH-SOFTWARE/bitbucket-asoc-sast","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HCL-TECH-SOFTWARE%2Fbitbucket-asoc-sast","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HCL-TECH-SOFTWARE%2Fbitbucket-asoc-sast/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/r
epositories/HCL-TECH-SOFTWARE%2Fbitbucket-asoc-sast/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HCL-TECH-SOFTWARE%2Fbitbucket-asoc-sast/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/HCL-TECH-SOFTWARE","download_url":"https://codeload.github.com/HCL-TECH-SOFTWARE/bitbucket-asoc-sast/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HCL-TECH-SOFTWARE%2Fbitbucket-asoc-sast/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":272926172,"owners_count":25016423,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-30T02:00:09.474Z","response_time":77,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["appscan"],"created_at":"2024-12-27T21:16:52.278Z","updated_at":"2025-08-31T00:31:31.628Z","avatar_url":"https://github.com/HCL-TECH-SOFTWARE.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Bitbucket Pipe for HCL AppScan on Cloud Static Analysis\nThis repo contains windows/linux docker image that uses python to download the SAClientUtil from HCL AppScan on Cloud and run static analysis against an application in Bitbucket pipelines. The script also will wait for the scan to complete and download a scan summary json file and a scan report. 
These files are all placed in a directory \"reports\" so they can be saved as artifacts of the pipeline. See the bitbucket-pipelines.yml example below. Most builds can happen on the Linux image, but some projects, like .NET projects, must be built on Windows.\n\n### Variables\n\nThe pipe has 13 variables.\n\n| Variable | Required | Description |\n|---|---|---|\n| API_KEY_ID | Required | The HCL AppScan on Cloud API Key ID |\n| API_KEY_SECRET | Required | The HCL AppScan on Cloud API Key Secret |\n| APP_ID | Required | The application Id of the app in AppScan on Cloud |\n| TARGET_DIR | Required | The directory to be scanned. Place scan targets here. |\n| CONFIG_FILE_PATH | Optional | Relative path from the repo root to an AppScan config XML file. |\n| SECRET_SCANNING | Optional | True or False. Enables or disables the secret scanning feature. |\n| REPO | Optional | The repository name. Only used to make filenames and comments relevant. |\n| BUILD_NUM | Optional | The Bitbucket build number. Used to make filenames and comments relevant. |\n| SCAN_NAME | Optional | The name of the scan in AppScan on Cloud |\n| DATACENTER | Optional | ASoC datacenter to connect to: \"NA\" (default) or \"EU\", or an AppScan 360 URL |\n| DEBUG | Optional | If true, prints additional debug info to the log. |\n| STATIC_ANALYSIS_ONLY | Optional | If true, only prepare for static analysis during IRX generation. |\n| OPEN_SOURCE_ONLY | Optional | If true, only gather open source information during IRX generation. |\n\n**Note about specifying a config file.** 
Providing a config file can override other settings like `TARGET_DIR` or `SECRET_SCANNING`\n\n### Example bitbucket-pipelines.yml step\n\nThe following is the bitbucket-pipelines.yml file from my demo repository that makes use of this custom pipe.\n\n```yaml\nimage: gradle:6.6.0\n\npipelines:\n  default:\n    - step:\n        name: Build and Test\n        caches:\n          - gradle\n        script:\n          - cd \"AltoroJ 3.1.1\"\n          - gradle build\n          - ls -la build/libs\n        artifacts:\n          - AltoroJ 3.1.1/build/libs/altoromutual.war\n        after-script:\n          - pipe: atlassian/checkstyle-report:0.3.0\n    - step:\n        name: ASoC SAST Scan\n        script:\n          # Custom Pipe to run Static Analysis via HCL AppScan on Cloud\n          # View README: https://github.com/cwtravis/bitbucket-asoc-sast\n          - pipe: docker://cwtravis1/bitbucket_asoc_sast:test\n            variables:\n              # Required Variables\n              API_KEY_ID: $API_KEY_ID\n              API_KEY_SECRET: $API_KEY_SECRET\n              APP_ID: $APP_ID\n              TARGET_DIR: $BITBUCKET_CLONE_DIR/AltoroJ 3.1.1/build/libs\n              # Optional Variables\n              DATACENTER: \"NA\"\n              SECRET_SCANNING: \"true\"\n              CONFIG_FILE_PATH: \"appscan-config.xml\"\n              REPO: $BITBUCKET_REPO_FULL_NAME\n              BUILD_NUM: $BITBUCKET_BUILD_NUMBER\n              SCAN_NAME: \"ASoC_SAST_BitBucket\"\n              DEBUG: \"true\"\n              STATIC_ANALYSIS_ONLY: \"false\"\n              OPEN_SOURCE_ONLY: \"false\"\n        artifacts:\n          - reports/*\n```\n\n### Building The Image\n\nFeel free to use my docker images just as shown in the example pipeline above. You can also use the following commands to build your own images and push to your dockerhub. 
Replace `\u003cYOUR_DOCKERHUB\u003e` with your Docker Hub username.\n\nBuild and push the Linux image:\n```shell\ngit clone https://github.com/cwtravis/bitbucket-asoc-sast.git\ncd bitbucket-asoc-sast/linux\ndocker build -t asoc_sast_linux .\ndocker tag asoc_sast_linux \u003cYOUR_DOCKERHUB\u003e/bitbucket_asoc_sast:linux\ndocker push \u003cYOUR_DOCKERHUB\u003e/bitbucket_asoc_sast:linux\n```\n\nOnce your image is built, you can use it as in the example pipeline above.\n\n```yaml\n...\n    - step:\n        name: ASoC SAST Scan\n        script:\n          - pipe: docker://\u003cYOUR_DOCKERHUB\u003e/bitbucket_asoc_sast:linux\n            variables:\n              # Required Variables\n              API_KEY_ID: $API_KEY_ID\n              API_KEY_SECRET: $API_KEY_SECRET\n              APP_ID: $ASOC_APP_ID\n              DATACENTER: \"NA\"\n              SECRET_SCANNING: \"true\"\n              CONFIG_FILE_PATH: \"appscan-config.xml\"\n              TARGET_DIR: $BITBUCKET_CLONE_DIR/AltoroJ 3.1.1/build/libs\n              # Optional Variables\n              REPO: $BITBUCKET_REPO_FULL_NAME\n              BUILD_NUM: $BITBUCKET_BUILD_NUMBER\n              SCAN_NAME: \"HCL_ASoC_SAST\"\n              DEBUG: \"false\"\n        artifacts:\n          - reports/*\n```\n\n### Windows image is still under construction and does not work.\n\nIf you have any questions, raise an issue in this repo.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhcl-tech-software%2Fbitbucket-asoc-sast","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhcl-tech-software%2Fbitbucket-asoc-sast","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhcl-tech-software%2Fbitbucket-asoc-sast/lists"}