Configure and Enable Developer Platform for Bitbucket Cloud
This document assumes you have read the following documents:
Mend Platform Rollout Overview
Cloud Repository Rollout
Setting up the Mend UI for the Developer Platform Integration
Please read those documents before continuing.
Setting Up the Mend Integration
The repository integration can be onboarded either silently or by pushing a configuration file into the repository for Mend to scan. This section will go over the implementation of both approaches.
Silent Rollout
Starting off with alerts can be disruptive for development teams that are not ready for the integration. A Silent Rollout allows an organization to scan all of its repositories to understand its security posture without overwhelming its developers.
Once you are ready, follow the documentation to Install Developer Platform for Bitbucket Cloud.
When prompted to activate on repositories, select “All Repositories”.
Select the “Scan Only” Scan Behavior.
Click “Confirm”.
Phased Rollout
Mend Developer Platform for Bitbucket Cloud is configured through the user interface available at developer.mend.io. Because this interface lets you toggle the various Mend features either globally or for an individual repository, it is given access to all of the repositories in an entire workspace. To prevent a “Big Bang” in which every developer suddenly sees Mend results in their repositories, follow each of the sections below in order for a smooth rollout.
Create a Test Repository
It is important to do this before installing the Mend Developer Platform. After installation, there is a 6-8 hour sync of new repositories that can only be bypassed by removing and reinstalling the Mend Developer Platform.
To reduce noise, create a test repository before the integration is installed, copying code from one of your own in-house repositories. This repository will be used to test and verify the integration settings before additional repositories are added.
Once you are ready, follow the documentation to Install Developer Platform for Bitbucket Cloud.
Make sure the integration only has access to the test repository created above by selecting “Only Selected Repositories”.
Search for the repository you wish to onboard.
Do not give the app access to other repositories yet.
Select the “Scan and alert” Scan Behavior.
Click “Confirm”.
You will see all of your repositories within the Developer Platform. However, since “Only Selected Repositories” was used, all settings should be off globally and only the test repository should have settings enabled.
Next Steps
Modify your result consumption settings by following: Enable Results Consumption for Developer Platform for Bitbucket Cloud.