One in Six Developers in Healthcare Report Open Source Breaches | Press Release

blog-logo Sonatype Blog

Keep Applications Secure in Atlassian Bitbucket with Automated Pull Requests

April 22, 2020 By Kevin Miller

As development organizations seek to innovate faster and build more secure applications at scale, one of the trends we’re seeing is the desire to automate dependency management and bring security into the places where developers spend most of their time.

This was evident in our 2019 State of the Software Supply Chain Report where we analyzed 36,203 open source components from the Central Repository to determine how effectively development teams update their OSS dependencies and fix vulnerabilities. We found that exemplary dev teams are 12x more likely to have automated tools to manage OSS dependencies, and those teams experience a 55% reduction in the use of vulnerable OSS components, highlighting the need to move towards automation.

While assembling code, developers often use source control management systems (SCMs), like GitHub, GitLab, and Atlassian Bitbucket. As we point out in our Policy Evaluation Guide, SCMs are often the first place where a piece of code gets shared and reviewed by both humans and machines. More and more automated dependency management solutions are coming to the market that integrate into source control, however, we have heard from our customers that these solutions are quickly turned off because they produce a lot of “noise” and send multiple alerts that aren’t helpful to developers. They also don’t make recommendations based specifically on an organization's open source policy, instead just suggesting the next non-vulnerable version.

That is why we have focused our attention on integrating Nexus Lifecycle with many SCM tools and are releasing automated pull requests with Atlassian Bitbucket, which will fix security vulnerabilities and automatically maintain the quality of your open source dependencies. Unlike other solutions, we leverage the precise data in Nexus Intelligence to provide expert remediation guidance based on your organization's open source policies, eliminating the noise, false-positives, and haphazard updates from other vendors.

Automated Pull Requests from Nexus Lifecycle work with both Bitbucket Server and Bitbucket Cloud

Below is a screenshot of a pull request in Bitbucket Cloud for a policy violation. The component has an available version that remediates the vulnerabilities.

Now individual developers can easily see the version to migrate to in their Bitbucket pull request based on their open source policy. They have detailed information about the violation, with direct links to any security vulnerabilities, as well as the link to the full policy report in Nexus Lifecycle.

We aren’t stopping there. Look for updates on Bitbucket Code Insights where we include precise intelligence on the quality of the code, contextual feedback on the individual branch you’re working on, and build status updates on changes you just made. We’re working to make sure developers have all the information they need to make better component decisions at the right time based on our trusted recommendations.

Tags: atlassian, AppSec, automation, bitbucket, featured, Product

Written by Kevin Miller

Kevin Miller is a Product Marketing Manager at Sonatype where he works to empower the development community to shift component choice and security left. He believes that putting the right tools and options in the hands of developers will help accelerate software innovation and minimize open source risk.