Bitbucket Pipelines
Integrate Musha into Bitbucket Pipelines to scan every push and pull request.
Pipeline definition
Add to bitbucket-pipelines.yml:
```yaml
image: alpine:latest

definitions:
  steps:
    - step: &musha-scan
        name: Musha Security Scan
        script:
          - apk add --no-cache curl tar
          - |
            tar -czf scan.tar.gz \
              --exclude='.git' \
              --exclude='node_modules' \
              --exclude='vendor' \
              --exclude='.terraform' \
              --exclude='target' \
              .
          - |
            curl -fsS -X POST "$MUSHA_API_URL/v1/scans" \
              -H "Authorization: Bearer $MUSHA_API_KEY" \
              -F "files=@scan.tar.gz" \
              -F "project_id=$MUSHA_PROJECT_ID" \
              -F "branch=$BITBUCKET_BRANCH" \
              -F "commit_hash=$BITBUCKET_COMMIT" \
              -F "scan_type=full"

pipelines:
  default:
    - step: *musha-scan
  pull-requests:
    '**':
      - step:
          name: Musha Security Scan (PR)
          script:
            - apk add --no-cache curl tar
            - tar -czf scan.tar.gz --exclude='.git' --exclude='node_modules' .
            - |
              curl -fsS -X POST "$MUSHA_API_URL/v1/scans" \
                -H "Authorization: Bearer $MUSHA_API_KEY" \
                -F "files=@scan.tar.gz" \
                -F "project_id=$MUSHA_PROJECT_ID" \
                -F "branch=$BITBUCKET_BRANCH" \
                -F "commit_hash=$BITBUCKET_COMMIT" \
                -F "scan_type=full"
```
Variables
Configure in Repository settings → Repository variables:
| Variable | Secured | Description |
|---|---|---|
| MUSHA_API_URL | No | https://api.mushasec.com |
| MUSHA_PROJECT_ID | No | Your project UUID from the Musha dashboard |
| MUSHA_API_KEY | Yes | API key created in Settings → API Keys |
Mark MUSHA_API_KEY as Secured to mask it in logs.
Note
Bitbucket Pipelines does not expose a built-in PR ID variable in the same way as GitHub or GitLab. Omitting pr_id from the request is fine — Musha will still scan and display results in the Security dashboard. PR comments on Bitbucket require the pr_id field; if you need it, you can extract it from the Bitbucket API using the BITBUCKET_PR_ID environment variable available in pull request pipelines.
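As an added example (not part of Musha's own documentation or tooling), the upload from the PR step can be wrapped in a POSIX shell helper that stops when a required variable is empty and sends pr_id only when BITBUCKET_PR_ID is set. The function names are hypothetical, and the example assumes that pr_id is accepted as a form field like the others and that the BITBUCKET_PR_ID value is what the field expects.

```shell
#!/bin/sh
# Added example, not Musha's own script. Source it from a pipeline step
# and call submit_scan after scan.tar.gz has been created.

# Return 1 if any named variable is unset or empty. Only the name is
# printed, never the value. Names are literals from this file, so the
# eval below never sees pipeline-controlled text.
require_vars() {
    for _name in "$@"; do
        eval "_value=\${$_name:-}"
        if [ -z "$_value" ]; then
            echo "musha: required variable $_name is not set" >&2
            return 1
        fi
    done
}

# Print BITBUCKET_PR_ID when it is a plain decimal number, else nothing.
# The variable only exists in pull-request pipelines.
musha_pr_id() {
    case "${BITBUCKET_PR_ID:-}" in
        '' | *[!0-9]*) return 0 ;;
        *) printf '%s' "$BITBUCKET_PR_ID" ;;
    esac
}

submit_scan() {
    require_vars MUSHA_API_URL MUSHA_API_KEY MUSHA_PROJECT_ID \
        BITBUCKET_BRANCH BITBUCKET_COMMIT || return 1
    # --form-string sends each value literally; unlike -F it gives a
    # leading @ or < in a branch name no special meaning.
    set -- \
        --form-string "project_id=$MUSHA_PROJECT_ID" \
        --form-string "branch=$BITBUCKET_BRANCH" \
        --form-string "commit_hash=$BITBUCKET_COMMIT" \
        --form-string "scan_type=full"
    _pr=$(musha_pr_id)
    if [ -n "$_pr" ]; then
        set -- "$@" --form-string "pr_id=$_pr"
    fi
    curl -fsS -X POST "$MUSHA_API_URL/v1/scans" \
        -H "Authorization: Bearer $MUSHA_API_KEY" \
        -F "files=@scan.tar.gz" "$@"
}
```

Because an empty MUSHA_API_KEY stops the step before curl runs, a missing or misnamed repository variable shows up as a failed build rather than a request sent with an empty bearer token.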