Screenshot from Control Freak running a vulnerability scan.

Control Freak & MergeBase

Cyber Security Collaboration
 
February 2020
 

MergeBase Code Green
(Vulnerability Scans)

Introduction

Bit-Booster has teamed up with cyber security startup MergeBase on an application security collaboration. The goal: defend software teams from the OWASP Top-10 risk of using software libraries with known vulnerabilities. The Control Freak plugin now performs free vulnerability scans (based on MergeBase's Code Green technology) against every git push.

If you find these scans useful:

If you DISLIKE these scans or find them annoying:

Full disclosure: Bit-Booster's founder is married to MergeBase's CTO.

Understanding Free Scans

[Work-in-progress...] Scans are only performed if the repository contains at least one file whose path matches any of the following naming patterns:
 
      **/gemfile.lock, **/package-lock.json, **/yarn.lock, **/pom.xml, **/*.pom
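
The trigger rule above is a glob match on dependency manifests and lockfiles. The following Python helper is an added example, not the plugin's own matcher, that applies those five patterns to a list of repository paths and reports which files would cause a scan. It assumes that "**/" means any depth including the repository root, and that the file-name part is compared case-insensitively (so a Ruby "Gemfile.lock" satisfies the "gemfile.lock" pattern); the function names and the sample tree are constructed for the example.

```python
import fnmatch
from typing import Iterable, List

# The naming patterns listed on the page; a scan runs only when at least one
# path in the repository matches at least one of them.
SCAN_TRIGGER_PATTERNS = [
    "**/gemfile.lock",
    "**/package-lock.json",
    "**/yarn.lock",
    "**/pom.xml",
    "**/*.pom",
]


def matches_pattern(path: str, pattern: str) -> bool:
    """Return True if a repository-relative POSIX path matches one '**/<name>' pattern.

    Assumptions (this helper is illustrative, not the plugin's own matcher):
      * '**/' means "at any directory depth, including the repository root".
      * The file-name part is compared case-insensitively, so 'Gemfile.lock'
        satisfies the page's 'gemfile.lock' pattern.
    """
    if not pattern.startswith("**/"):
        raise ValueError(f"unsupported pattern: {pattern!r}")
    name_glob = pattern[len("**/"):]          # e.g. 'pom.xml' or '*.pom'
    basename = path.rsplit("/", 1)[-1]        # last path component only
    return fnmatch.fnmatchcase(basename.lower(), name_glob.lower())


def files_triggering_scan(paths: Iterable[str]) -> List[str]:
    """Return every path that would cause the plugin to run a scan on this push."""
    return [
        p for p in paths
        if any(matches_pattern(p, pat) for pat in SCAN_TRIGGER_PATTERNS)
    ]


def scan_would_run(paths: Iterable[str]) -> bool:
    """True when the pushed tree contains at least one dependency manifest/lockfile."""
    return bool(files_triggering_scan(paths))


# Constructed sample repository tree (not from the page).
SAMPLE_TREE = [
    "README.md",
    "pom.xml",                                  # Maven root module
    "service/pom.xml",                          # Maven sub-module
    "ui/package.json",                          # manifest only: NOT a trigger
    "ui/package-lock.json",                     # npm lockfile
    "lib/Gemfile.lock",                         # Bundler lockfile (capitalised)
    "repo/com/example/lib/1.0/lib-1.0.pom",     # vendored Maven .pom descriptor
    "docs/pom.xml.bak",                         # does not match 'pom.xml' exactly
]

if __name__ == "__main__":
    for p in files_triggering_scan(SAMPLE_TREE):
        print("trigger:", p)
    print("scan would run:", scan_would_run(SAMPLE_TREE))
```

Note that a plain package.json or Gemfile is not on the list: the scan keys off lockfiles and Maven POMs, which pin the exact library versions the scanner needs to compare against known-vulnerability data.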

If a scan is performed, results are printed in response to successful "git push" operations. Results fall into two general cases:

  1. Vulnerabilities Found -
    remote: --------------------
    remote: Control-Freak / MergeBase free vulnerability scan results:
    remote:   Pushed commit (f4433f706d6da33) has at least 50 known vulnerabilities:
    remote:   15 critical, 20 high, 15 medium, 0 low.
    remote:
    remote: MergeBase Code Green manages vulns! Try a 30-day free trial:
    remote:   https://marketplace.atlassian.com/apps/1221258
    remote:
    remote: To learn more:
    remote:   https://bit-booster.com/control-freak-mergebase-code-green/
    remote:
    remote: (Vulnerability scan took: 330ms)
    remote: --------------------
    
  2. No Vulnerabilities Found -
    remote: --------------------
    remote: Control-Freak / MergeBase free vulnerability scan results:
    remote:   Pushed commit (488676f85d17dae) has 0 known vulnerabilities.
    remote:   Excellent! Keep up the good work!
    remote:
    remote: (Vulnerability scan took: 74ms)
    remote: --------------------
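
Because the summary arrives only as text in the push output, a team that wants to act on it (for example from a CI job that performs the push) has to parse it. The following Python script is an added example, not part of the Control Freak plugin or of MergeBase's Code Green: it parses the two message shapes shown above (embedded here as constructed samples), keeps the "at least N" wording as a lower-bound flag rather than an exact total, and applies a hypothetical threshold policy (`exceeds_threshold`, with assumed defaults of zero critical and zero high findings). git prints server-side messages on stderr with a "remote:" prefix, which is why the usage line redirects stderr.

```python
import re
import sys
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed samples mirroring the two message shapes shown on the page.
SAMPLE_VULN_OUTPUT = """\
remote: --------------------
remote: Control-Freak / MergeBase free vulnerability scan results:
remote:   Pushed commit (f4433f706d6da33) has at least 50 known vulnerabilities:
remote:   15 critical, 20 high, 15 medium, 0 low.
remote:
remote: (Vulnerability scan took: 330ms)
remote: --------------------
"""

SAMPLE_CLEAN_OUTPUT = """\
remote: --------------------
remote: Control-Freak / MergeBase free vulnerability scan results:
remote:   Pushed commit (488676f85d17dae) has 0 known vulnerabilities.
remote:   Excellent! Keep up the good work!
remote:
remote: (Vulnerability scan took: 74ms)
remote: --------------------
"""

SEVERITIES = ("critical", "high", "medium", "low")

_COMMIT_RE = re.compile(
    r"Pushed commit \(([0-9a-f]+)\) has (at least )?(\d+) known vulnerabilit"
)
_COUNTS_RE = re.compile(r"(\d+) critical, (\d+) high, (\d+) medium, (\d+) low")
_DURATION_RE = re.compile(r"scan took: (\d+)ms")


@dataclass
class ScanResult:
    commit: str
    total: int
    total_is_lower_bound: bool          # "at least N" means N is a floor, not an exact count
    counts: Dict[str, int] = field(default_factory=dict)
    duration_ms: Optional[int] = None


def parse_scan_output(text: str) -> Optional[ScanResult]:
    """Extract the scan summary from git push output; None if no summary is present."""
    # git prefixes server-side messages with 'remote:'; strip that and surrounding space.
    body = "\n".join(
        (ln[len("remote:"):] if ln.startswith("remote:") else ln).strip()
        for ln in text.splitlines()
    )
    m = _COMMIT_RE.search(body)
    if m is None:
        return None
    result = ScanResult(
        commit=m.group(1),
        total=int(m.group(3)),
        total_is_lower_bound=m.group(2) is not None,
    )
    c = _COUNTS_RE.search(body)
    if c:
        result.counts = dict(zip(SEVERITIES, map(int, c.groups())))
    d = _DURATION_RE.search(body)
    if d:
        result.duration_ms = int(d.group(1))
    return result


def exceeds_threshold(result: ScanResult, max_critical: int = 0, max_high: int = 0) -> bool:
    """Hypothetical policy (not from the page): flag the push when critical/high counts exceed the limits."""
    return (
        result.counts.get("critical", 0) > max_critical
        or result.counts.get("high", 0) > max_high
    )


if __name__ == "__main__":
    # Usage: git push 2>&1 | python gate.py   (remote messages arrive on stderr)
    parsed = parse_scan_output(sys.stdin.read())
    if parsed is None:
        print("no Code Green summary found in push output")
        sys.exit(0)
    print(f"commit {parsed.commit}: {parsed.total} known vulnerabilities {parsed.counts}")
    sys.exit(1 if exceeds_threshold(parsed) else 0)
```

The free scan reports counts only, not which libraries or CVEs are affected, so this kind of gate can stop a push with known-vulnerable dependencies from progressing but cannot tell the developer what to upgrade; that detail is what the full Code Green product is positioned to add.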
    

Disabling / Enabling

Look for the "Enable Code Green" (yes/no) setting on the following admin pages:

To enable or disable per-repository: Repository --> Settings --> Control Freak

To enable or disable per-project: Project --> Settings --> Control Freak

To enable or disable globally: Admin --> Settings --> Control Freak

On each of those pages the setting reads: "Enable Code Green: Free known-vulnerability scans provided by MergeBase".

Trying Code-Green (Full Version)

Search for "Code Green" in your Bitbucket instance's plugin manager. Or install it from marketplace.atlassian.com.

Further Reading

Intro To SCA (Software Composition Analysis)