Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 16 additions & 7 deletions templates/bitbucket/bitbucket_insights.py
Original file line number Diff line number Diff line change
Expand Up @@ -71,19 +71,28 @@ def publish_insights(sarif_path: str):
})

report_id = "gitgalaxy-audit-report"
base_url = f"http://localhost:29418/2.0/repositories/{workspace}/{repo}/commit/{commit}/reports/{report_id}"
# Bitbucket's proxy requires HTTP (not HTTPS) to automatically inject the Auth header
base_url = f"http://api.bitbucket.org/2.0/repositories/{workspace}/{repo}/commit/{commit}/reports/{report_id}"

# 4. Create the Parent Report (PUT)
# 4. Set up the Proxy Handler for Bitbucket Pipelines
proxy_handler = urllib.request.ProxyHandler({
'http': 'http://localhost:29418',
'https': 'http://localhost:29418'
})
opener = urllib.request.build_opener(proxy_handler)
urllib.request.install_opener(opener)

# Create the Parent Report (PUT)
report_payload = json.dumps({
"title": "GitGalaxy Spectral Audit",
"details": f"GitGalaxy mapped {len(bitbucket_annotations)} architectural threats.",
"report_type": "SECURITY",
"result": "FAILED" if any(a["severity"] == "HIGH" for a in bitbucket_annotations) else "PASSED"
}).encode("utf-8")

# Enforce loopback destination boundaries to neutralize remote protocol exploits
if not base_url.startswith("http://localhost:29418/"):
print("❌ Security Violation: Invalid localized API destination.")
# Enforce API destination boundaries to neutralize remote protocol exploits
if not base_url.startswith("http://api.bitbucket.org/"):
print("❌ Security Violation: Invalid API destination.")
sys.exit(1)

req = urllib.request.Request(base_url, data=report_payload, method="PUT")
Expand All @@ -105,8 +114,8 @@ def publish_insights(sarif_path: str):
chunk = bitbucket_annotations[i:i + chunk_size]
chunk_payload = json.dumps(chunk).encode("utf-8")

if not annotations_url.startswith("http://localhost:29418/"):
print("❌ Security Violation: Invalid localized API destination.")
if not annotations_url.startswith("http://api.bitbucket.org/"):
print("❌ Security Violation: Invalid API destination.")
sys.exit(1)

req = urllib.request.Request(annotations_url, data=chunk_payload, method="POST")
Expand Down
Loading