DevOps Tips

How to Include CoGuard CLI into BitBucket Pipelines

In this short article, we are going to show you an example script on how to include CoGuard’s CLI functionality into your BitBucket Pipelines.

Albert Heinle
Written by
Albert Heinle

What are CI/CD pipelines? What are Bitbucket pipelines?

Most code today is developed in a so-called agile fashion. There are many small releases on a frequent basis, compared to one large release every few months (or in some cases, years). To ensure that these small changes do not break intended functionality, changes are put through a few tests before they are accepted for deployment. Modern code-repository providers such as GitHub or Bitbucket are providing a framework to run these tests within their offering.

The tests usually range from simple linters, over to unit-tests, behavior tests and ultimately run-time tests. The code is also most of the time put through static analyzers to ensure that e.g. no memory or file descriptor leaks have made it in. Testing one’s infrastructure has started to also become one of the steps in this process, with scanners for “Infrastructure as Code” tools such as Terraform or Cloudformation.

The integration into these pipelines is usually done through scripts, and every Pipeline product has their own way of putting these scripts in. They are mostly very similar, using a YAML or YAML-like syntax to define the environment and certain commands. The process is simple, and we want to encourage more and more people to use CI/CD pipelines in general.

Bitbucket Pipelines example

Before you start, you should define a set of secure variables for your repository or your workspace:


This should use the credentials you registered with in CoGuard.

Another variable that you may wish to set (which is by default set to 1) is the minimum level of failed checks when you wish this job to fail. The supported levels are 1 to 5.

For details on secret and default variables, please see the documentation here.

The assumption of the script below is that, in a previous step, your custom docker image has been deployed with the image repository and name stored in the variable $DOCKER_IMAGE_NAME, and the tag has been the current build number.

    '**': #this runs as default for any branch not elsewhere defined
      - step:
            - apt update
            - apt install -y -q python3 python3-pip
            - pip3 install coguard-cli
            - coguard --minimum-fail-level=${MINIMUM_FAIL_LEVEL:-1} docker-image $DOCKER_IMAGE_NAME:$BITBUCKET_BUILD_NUMBER

  docker: true

For more complicated deployments, we will write follow-up articles. For local development, you can just install the CoGuard CLI via pip (instructions can be found here)

For questions and remarks, please contact

Static analysis
for config files

Automated tools for discovering, scanning and securing the configuration files for IaC, containers, applications and their interdependencies.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.