🔘Pynt for Bitbucket pipelines

Integrate Pynt with Bitbucket Pipelines for automated API security testing. Enhance your CI/CD pipeline by adding Pynt’s dynamic security scans to your Bitbucket workflows with minimal setup.

What is Bitbucket Pipelines?

💡 Bitbucket Pipelines allows you to automate workflows for building, testing, and deploying code directly from your Bitbucket repositories. With a YAML-based configuration, you can define pipelines that run on every push, pull request, or scheduled trigger.


Pynt’s Integration with Bitbucket Pipelines

As part of its API security testing suite, Pynt allows seamless integration with Bitbucket Pipelines.

Pynt for Bitbucket Pipelines enables you to automatically perform API security tests within your CI/CD workflow. This integration captures real API traffic during test or application runs, then analyzes it for security vulnerabilities such as BOLA, misconfigured headers, authentication issues, and more.


Bitbucket Pipelines Configuration

Add your PYNT_ID as a repository variable or workspace variable in Bitbucket so the pipeline can authenticate to Pynt without the ID appearing in bitbucket-pipelines.yml:

  • Go to Repository Settings > Repository Variables

  • Add a variable named PYNT_ID with your Pynt ID as its value, and tick Secured so the value is masked in pipeline logs and cannot be read back from the UI.


Example: Running Pynt with Playwright

In this example we are running a Bitbucket pipeline that:

  • Installs playwright dependencies

  • Installs Pynt Binary

  • Runs DVWA as a target for the scan

  • Performs an API security scan driven by the Playwright script and finds the MySQL vulnerability in DVWA.

  • Uploads the results to the Pynt dashboard under the "dvwa_example" application. The application is created automatically if the running user has the Admin role; if the user has the "User" role, have an Admin create the application in the Pynt dashboard first.

ℹ️ Example files can be found here

Here is how the bitbucket-pipelines.yml is configured:

# Playwright image ships Node plus the browser dependencies the tests need.
image: mcr.microsoft.com/playwright:v1.44.0-jammy

pipelines:
  default:
    - step:
        name: Run DVWA and Playwright Tests
        services:
          - dvwa
        caches:
          - node
        script:
          - npm install
          - npx playwright install --with-deps
          # Service containers share the step's network, so DVWA is reachable on localhost.
          # Bound the wait so a target that never starts fails the step instead of hanging.
          - echo "Waiting for DVWA to be ready..."
          - timeout 120 sh -c 'until curl -sSf http://localhost:80/login.php > /dev/null; do sleep 3; done'
          - echo "DVWA is up!"
          # Optional: run the suite once on its own to confirm it passes before the instrumented run.
          - npm run test
          # PYNT_ID is injected from the repository variable; fail early if it was not configured.
          - test -n "$PYNT_ID" || { echo "PYNT_ID is not set; add it as a secured repository variable"; exit 1; }
          - wget https://cdn.pynt.io/binary-release/install.sh
          - chmod +x install.sh
          - ./install.sh
          - export RUNNING_FROM_PYNT=true
          # Pynt re-runs the Playwright suite, records the API traffic it generates, and scans it.
          - ~/.pynt/bin/pynt command --cmd "npm run test" --application-name dvwa_example

definitions:
  services:
    dvwa:
      image: vulnerables/web-dvwa

Controlling the return code from Pynt

pynt newman and pynt command support an optional flag --severity-level to control CI behavior when findings are detected.

This flag determines when Pynt will return a non-zero exit code and break the pipeline:

Allowed values:
'all', 'medium', 'high', 'critical', 'none' (default)

With the default 'none', Pynt always exits 0: findings are still reported to the dashboard, but they never fail the build. Set a level explicitly if you want the pipeline to gate on findings.

Example:

pynt command --cmd "node your-playwright-script.js" --severity-level critical

This will break the CI pipeline only if Pynt detects findings of critical severity.
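The pipeline above waits for the target with an unbounded loop and relies on the exit code of one long command line. The helpers below, added here as an example and not part of Pynt's own tooling, factor the step into functions you can keep in a script in the repository: a fail-fast check that PYNT_ID is set, a bounded readiness probe for the target, and a wrapper around the page's pynt command invocation that applies --severity-level. The function names, the probe arguments, and the 120-second budget are assumptions of this example; the pynt flags are the ones documented on this page.

```shell
#!/bin/sh
# Helper functions for a Pynt scan step in Bitbucket Pipelines.
# Added example; not code from Pynt. Function names are ours.
set -u

# Fail fast if a required variable (e.g. PYNT_ID) is unset or empty,
# before spending minutes installing browsers and the Pynt binary.
require_var() {
  name="$1"
  eval "value=\${$name:-}"
  if [ -z "$value" ]; then
    echo "error: $name is not set; add it as a Secured repository variable" >&2
    return 1
  fi
  return 0
}

# Default probe: one HTTP request that must return a 2xx/3xx status.
probe_http() {
  curl -sSf -o /dev/null --max-time 5 "$1"
}

# Poll a target URL a bounded number of times instead of looping forever,
# so a service container that never comes up fails the step quickly.
#   wait_for_target URL MAX_ATTEMPTS SLEEP_SECONDS [PROBE_FUNCTION]
wait_for_target() {
  url="$1"; max_attempts="$2"; sleep_s="$3"; probe="${4:-probe_http}"
  attempt=1
  while [ "$attempt" -le "$max_attempts" ]; do
    if "$probe" "$url" 2>/dev/null; then
      echo "target $url is up after $attempt attempt(s)"
      return 0
    fi
    attempt=$((attempt + 1))
    sleep "$sleep_s"
  done
  echo "error: $url not reachable after $max_attempts attempts" >&2
  return 1
}

# Run the scan with the page's flags and let Pynt's exit code decide the step.
# With --severity-level set, Pynt exits non-zero when findings at or above that
# level exist; a non-zero exit for any other reason (scan error) should also
# fail the step, so the code is passed through unchanged.
#   run_pynt_scan APP_NAME SEVERITY TEST_COMMAND...
run_pynt_scan() {
  app_name="$1"; severity="$2"; shift 2
  test_cmd="$*"
  export RUNNING_FROM_PYNT=true
  if ~/.pynt/bin/pynt command --cmd "$test_cmd" \
       --application-name "$app_name" --severity-level "$severity"; then
    echo "pynt: no findings at or above '$severity' severity"
    return 0
  else
    rc=$?
    echo "pynt: exit code $rc (findings at or above '$severity', or scan error)" >&2
    return "$rc"
  fi
}

# Typical use from bitbucket-pipelines.yml after sourcing this file:
#   require_var PYNT_ID
#   wait_for_target http://localhost:80/login.php 40 3
#   run_pynt_scan dvwa_example high npm run test
```

Because `wait_for_target` takes the probe as a parameter, it can be exercised in a unit test without a running target, and in CI the default `probe_http` matches the curl check used in the pipeline above.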


💡 Need Help?

For questions or troubleshooting:

  • Visit the Pynt CLI Troubleshooting Guide

  • Ask the community at Pynt Community Support
