Integrating CodeScan into your Bitbucket pipeline is easy with our sfdx plugin! Only a few lines need to be added to your .YML file to run CodeScan whenever a build is triggered.
The following is based on a Docker pipeline whose container image has Java and Node installed.
First, we'll need to add your CodeScan token as a variable we can access in our .YML file.
- Open your project and navigate to Repository Settings > Repository Variables (you'll find this under Pipelines).
- Add your token with the name codescan_token and check the Secured box. A secured variable is masked in the build log output and cannot be read back from the settings page once saved, which is what you want for an API token. To learn how to generate a token, see our Generating a Security Token article.
Now you'll be able to access this variable by using $codescan_token in your .YML file.
Add the following into your .YML file:
```yaml
image: joeferner/node-java # Your docker image, complete with node and java (8+) installed.

pipelines:
  default:
    - step:
        caches:
          - node
        script:
          # The first part of this script installs the Salesforce CLI
          - mkdir /tmp/sfdx
          - wget -q https://developer.salesforce.com/media/salesforce-cli/sfdx-linux-amd64.tar.xz -O /tmp/sfdx/sfdx-linux-amd64.tar.xz
          - tar xJf /tmp/sfdx/sfdx-linux-amd64.tar.xz -C /tmp/sfdx/ --strip-components 1
          - /tmp/sfdx/install
          # The second part installs the codescan plugin (echo y answers the install prompt)
          - echo y|sfdx plugins:install sfdx-codescan-plugin
          # The last line runs the analysis using the codescan plugin
          - sfdx codescan:run --token=$codescan_token --projectkey=your-project-key --organization=your-organization-key -Dsonar.branch.name=$BITBUCKET_BRANCH -Dsonar.branch.target=$BITBUCKET_PR_DESTINATION_BRANCH
```
You will need to replace the placeholders your-project-key and your-organization-key on the last line of the script with your Project Key and Organization Key. Unlike the token, these keys are not secrets and can be written directly into the .YML file.
The branch names and types are set by the following parameters:
- sonar.branch.type: SHORT or LONG, as described in the Branching article.
- sonar.branch.target: the comparison branch for SHORT type branches.
- sonar.branch.name: the name of the branch.
By writing a conditional in your script that determines what triggered the build (a pull request, a push to your main branch, or a push to a feature branch) and setting the branch type, name and target from Bitbucket Pipelines' built-in variables, you get visibility on your new code in each pull request while keeping the long-lived branch as the baseline you plan your refactoring effort against.
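One way to write that conditional, as an added example that is not CodeScan's own code or part of the plugin: a small POSIX shell function that reads the built-in Bitbucket variables (BITBUCKET_BRANCH, BITBUCKET_PR_ID and BITBUCKET_PR_DESTINATION_BRANCH) and prints the matching -Dsonar.branch.* flags. The policy it encodes is an assumption for illustration (pull requests are SHORT branches compared against their destination, master or main is the LONG baseline, any other push is a SHORT branch compared against DEFAULT_TARGET); adjust it to your own branching model.

```shell
#!/bin/sh
# Added example (not part of the CodeScan plugin): derive the CodeScan
# branch parameters from Bitbucket Pipelines' built-in variables.
#
# Assumed policy:
#   pull request build      -> SHORT, named after the source branch,
#                              compared against the PR destination branch
#   push to master or main  -> LONG (the baseline for new-code comparison)
#   push to any other branch-> SHORT, compared against DEFAULT_TARGET
#
# DEFAULT_TARGET is an assumed default for this example; override it with a
# repository variable if your baseline branch is called something else.
DEFAULT_TARGET="${DEFAULT_TARGET:-master}"

# Print the -Dsonar.branch.* flags for the current build, one line.
# Arguments (all optional, defaulting to the Bitbucket variables):
#   $1 branch name, $2 pull request id (empty if not a PR), $3 PR destination
codescan_branch_args() {
    branch="${1-${BITBUCKET_BRANCH}}"
    pr_id="${2-${BITBUCKET_PR_ID}}"
    pr_target="${3-${BITBUCKET_PR_DESTINATION_BRANCH}}"

    if [ -n "$pr_id" ]; then
        # Pull request: analyse only the code that is new relative to the
        # destination branch.
        printf '%s %s %s\n' \
            "-Dsonar.branch.type=SHORT" \
            "-Dsonar.branch.name=$branch" \
            "-Dsonar.branch.target=$pr_target"
    elif [ "$branch" = "master" ] || [ "$branch" = "main" ]; then
        # Long-lived branch: full analysis, no comparison target.
        printf '%s %s\n' \
            "-Dsonar.branch.type=LONG" \
            "-Dsonar.branch.name=$branch"
    else
        # Feature branch pushed without a PR: compare against the baseline.
        printf '%s %s %s\n' \
            "-Dsonar.branch.type=SHORT" \
            "-Dsonar.branch.name=$branch" \
            "-Dsonar.branch.target=$DEFAULT_TARGET"
    fi
}

# Example of wiring it into the pipeline step (hypothetical placeholders for
# the project and organization keys; the token still comes from the secured
# repository variable):
#   - sfdx codescan:run --token=$codescan_token --projectkey=your-project-key \
#       --organization=your-organization-key $(codescan_branch_args)
```

Because the function only prints flags, the command substitution at the end of the sfdx line does the word-splitting; keep the assumption that branch names contain no whitespace, or pass the three values explicitly rather than relying on the Bitbucket defaults.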
By default, the CodeScan SFDX plugin exits with a non-zero status when the Quality Gate fails, so the Bitbucket step (and the build) fails with it. If you would prefer that the build passes despite a failed quality gate, add the --nofail flag when calling sfdx codescan:run.
You can find a complete list of flags and examples on our npm plugin page.