
Guide · 4 min

Add XploitScan to Bitbucket Pipelines

Add a single step to bitbucket-pipelines.yml and get a security scan on every pull request and every commit to main. The JSON report uploads as a pipeline artifact, and the build fails when the scan reports a critical finding. (The step scans the whole checkout with `xploitscan scan .`, not only the lines changed in the PR.)

1. Add the step

If you don't already have bitbucket-pipelines.yml, create it at the repository root. Paste the block below; it uses YAML anchors so the same step runs on both PRs and main-branch commits.

bitbucket-pipelines.yml
# bitbucket-pipelines.yml
# Scans on every pull request and on commits to main. Uses the
# standard Node.js image; no custom Docker image needed.

image: node:20-alpine

definitions:
  steps:
    - step: &xploitscan
        name: XploitScan Security Scan
        script:
          - npm install -g xploitscan@^1.0.0
          # Machine-readable report for the gate below and for the artifact.
          # "|| true" keeps the step alive if the scanner exits non-zero on
          # findings; the explicit gate, not the scanner's exit code, decides.
          - npx xploitscan scan . --format json --no-ai > xploitscan-results.json || true
          - npx xploitscan scan . || true  # human-readable output in the pipeline log
          # Fail closed: a missing or empty report (scanner not installed,
          # crashed, or printed nothing) must not pass silently. Then fail on
          # any critical finding. The pattern tolerates whitespace around the
          # colon so a pretty-printed report still matches. Swap "critical" →
          # "high" to block on high-severity too.
          - |
            if [ ! -s xploitscan-results.json ]; then
              echo "No XploitScan report produced, failing pipeline"
              exit 1
            fi
            if grep -Eiq '"severity"[[:space:]]*:[[:space:]]*"critical"' xploitscan-results.json; then
              echo "Critical vulnerability detected — failing pipeline"
              exit 1
            fi
        artifacts:
          - xploitscan-results.json

pipelines:
  pull-requests:
    '**':
      - step: *xploitscan
  branches:
    main:
      - step: *xploitscan

2. (Optional) Unlock Pro rules

Without an API key the CLI runs 30 free rules. Generate a Pro key in Settings → API Keys and add it as a secured repository variable.

Bitbucket UI steps
# In Bitbucket: Repository settings → Repository variables →
# Add secured variable:
#   Name:  XPLOITSCAN_API_KEY
#   Value: xpls_...
#   Secured: yes
#
# Secured variables are masked in the pipeline log; still, never echo the
# key in a script step. The CLI auto-reads the env var. No change to the
# YAML is needed.

3. Enable Pipelines & commit

If Pipelines is off for the repo, enable it in Repository settings → Pipelines → Settings. Then commit the YAML and open a PR — the XploitScan step runs automatically.

Troubleshooting

  • “Pipelines not enabled” error? Repository settings → Pipelines → Settings → toggle on. Free tier gives 50 build-minutes/month, enough for most projects.
  • Want report-only, no blocking? Delete the grep block inside the script: section. The scan still uploads as an artifact; the pipeline just never fails on findings.
  • Scan slow on huge repos? Pass a path: xploitscan scan ./src. The CLI excludes node_modules, .git, and other common junk by default. The step above also runs the scanner twice (once for JSON, once for the readable log); drop the second run if build minutes matter more than the log output.

Using GitHub or GitLab instead? Same CLI, different pipeline wrapper.