# Source Scan The Source Scan, scans both public and private repositories from the Git and Bitbucket. The scanning process includes SAST (Static Application Security Testing), code license verification, secret detection, and component analysis. By integrating OpsMx Delivery Shield with your Bitbucket repository, you gain continuous, automated source code scanning that enhances the security of your software delivery pipeline. Regular scans, detailed reporting, and advanced features like CI/CD integration ensure that your software is built with security in mind from the very beginning. This page explains the process of Source Scan for **Bitbucket** repository. * Before starting with the scan, you need to integrate Bitbucket with the OpsMx platform. Follow the steps provided in [Integrating BitBucket](https://docs.opsmx.com/opsmx-delivery-shield-platform/getting-started/integrating-ci-and-cd-tools-in-delivery-shield/bitbucket) to complete the process. * Once the Bitbucket integrator is connected to OpsMx you can start with the source scan. ### To Access Source Scan * Click on **Scan Now** button at the top right corner of the screen.

* In the screen that appears, select **Source Scan** from the left panel.

Now you can **Add Project, Upload Project** or **Sync Project** to proceed with the scan. ### To Add a Project * To add or update a new project with source scan configurations, for scanning, click **Add Project**. * The **Create Project** details page is displayed as shown below. Enter the details for the following fields:

* **Name** : Enter a name for the project. * **Team** : Select the team for which you want to create the project. * **Scan Type** : The default type is Source Scan. * **Platform** : Select the platform type, the platform where the code resides (Github, Gitlab Server, Bitbucket, Bitbucket Server, Azure, Azure Server) for the project. * **Account** : Choose the needed account that has been integrated for the selected platform. If no account is available for the selected platform then click **Add Account**. * The integration page is displayed. You can add a new account. * **Organization / Workspace** : Choose the organization or workspace that the selected account has access to. * **Scan Level** : Select the scan level; either organization level or repository level that needs to be scanned. * **Configuration** : Set the configuration details, and schedule the auto scan time. * Repo /Project : Select the repo or project name for which the scan needs to be executed. * Branch : Select the branch name for which the scan needs to be executed. * Branch Pattern : Select the branch pattern for which the scan needs to be executed. * Scan Upto : Select the branch limit for which the scan needs to be executed. (number of branches to be scanned) * Schedule Auto Scan : Select the time range during which the scan needs to be rerun automatically. * Click Save. The project gets added for scanning. ### To Upload a Project * To upload a project from your local, for scanning, click **Upload Project**.

* Click **Upload File** and select the json file that you want to add for scanning.

* Click **Save**.

The file gets added for scanning. ### To Integrate JIRA at Project Level JIRA can be integrated at project level to create tickets whenever an alert is identified. * To integrate JIRA, click the Integrations icon on expanding the project.

* The JIRA integration page is displayed. Click **Add Account** and enter the details.

* Enter the values for the following fields: * **Account Name -** Enter the JIRA account name. * **Jira Project Key -** Enter the name of your Jira project. * **Jira** **URL -** Enter your Jira host Url * **Jira Email Id -** Enter the username to access Jira. * **Token -** Enter the password / token for the Jira account. * Enable **Automatically create Jira tickets during the scan** to create JIRA ticket to the team owner when the alerts are identified. * **Trigger Type** - Indicates at which level Jira tickets should be created. * **Create Jira ticket at the Component Alert level** - Jira tickets will be created for each individual impacted component. * **Create Jira ticket at the Deduplication Alert level** - A single Jira ticket will be created for all the impacted components. * **Creation Scope** - If Vulnerabilities is selected, Jira is created only for Critical and High alerts. If All Policies is selected Jira is created for all alerts. * Enable **Assign the Jira ticket to the Team owner** if you want to assign the ticket to the team owner. * **Fields -** Enter the labels that need to be added in the created Jira ticket. * **Values -** Enter the values that need to be given in the Jira ticket. The given variables are replaced with actual values when the tickets are created. * **Status Keyword Mapping** - You can set the keywords for the status. * Click **Test** to check if the entered values are valid. * Once validated, click **Save**. The tool is connected. ### To View AI-Based Remediation Details AI Remediation is integrated in the Scan Now option. 1. Expand the project for which you want to view the remediation details. 2. Click **Open Issues** to view the list of alerts.

3. From the alerts list, select the required alert.

4. Navigate to the **Impacted Components** section and click on it. 5. In the list of applications, identify the relevant application and click **Remediate**.

The AI Remediation window is displayed. It analyzes the selected alert and provides a detailed summary of the issue, recommended remediation steps and possible workarounds.

{% hint style="info" %} AI Remediation is supported only for repositories hosted on GitHub Cloud. Remediation is performed only when the source details of the associated artifacts or projects are available. {% endhint %} ### To Sync Project To Sync a project, for scanning, you can either sync it from Argo GitHub repository to SSD or add the project details in code format. #### Syncing Projects from Argo Github Repository In a regular working instance of SSD with argo setup, create config map with name adhoc-project-cm and sync it with argo github repository. The YAML file name should be project.yaml. The below example is a sample file that can be synced using argo. When synced this will create a config map with name adhoc-project-cm with project.yaml file containing one sample project ``` apiVersion: v1 kind: ConfigMap metadata: name: adhoc-project-cm data: project.yaml: | - name: bitbucket-ws1 scanType: sourceScan platform: bitbucket accountName: bitbucket teamName: default scanLevel: repoLevel organisation: OpsMx type: organisation projectConfigs: - repository: docker-swarm scheduleTime: 0 branch: - main branchPattern: '' scanUpto: 1 - repository: issue-generator scheduleTime: 0 branch: - fixes - grype - main branchPattern: '' scanUpto: 3 ``` The following account names must be given by the user. * Org level integrator account name: “dev” * Team level integrator account name: "dev (\)", * Env level integrator account name: "dev (\) \[\]", ``` kubectl apply -f project.yaml -n ``` #### Syncing Projects in Code Format To Sync projects in code format add the project details int he given format below: ``` [ { "name": "bitbucket-ws", "scanType": "sourceScan", "platform": "bitbucket", "accountName": "bitbucket", "teamName": "default", "scanLevel": "repoLevel", "organisation": "OpsMx", "type": "organisation", "projectConfigs": [ { "repository": "docker-swarm", "scheduleTime": 0, "branch": [ "main" ], "branchPattern": "", "scanUpto": 1 }, { "repository": "issue-generator", "scheduleTime": 0, "branch": [ "fixes", "grype", "main" ], "branchPattern": "", "scanUpto": 3 } ] } ] ``` ### To View and Interpret Scan Results Once the scan is complete, OpsMx generates the overall results and they are displayed as shown below:
* Repos Registered * Total Branches * Total Scans * Total Projects * Auto Scan Enabled Repos

The panel at the bottom displays the project details. On expanding each project you can view the complete details of it. {% hint style="info" %} The current status of the scan (completed, pending or failed) is displayed to notify the status of the project. {% endhint %} * To edit the configuration details of the project, click the **Edit Configuration** button. * Click the **View** option in the **Action** button, to view the SAST and SCA scan results of the project.

* The results page displays the complete data of the scan details. * On clicking the **Download** button, the scan results are downloaded in .json or .csv format. * On clicking Report, the scan results are downloaded in a report format. * On clicking Go to Artifact Page, you are redirected to the related artifact page.

### Best Practices To get the most out of OpsMx Delivery Shield Source Scan, consider following these best practices: * **Frequent Scanning**: Run the scans regularly (e.g., after each commit or weekly) to detect the vulnerabilities early. * **CI/CD Pipeline Integration**: Incorporate source scanning into your continuous integration/continuous deployment pipeline to identify the issues before they go live. * **Alerts and Notifications**: Set up alerts to notify your team when critical vulnerabilities are detected, to address them promptly. * **Fixing Issues in Advance**: Address vulnerabilities as soon as they are found to prevent issues from piling up. ### Troubleshooting If you encounter any issues during or after the scan, check the following: * Connection Issues with Bitbucket: * Ensure that the correct authentication methods (OAuth, API tokens, SSH) are set up properly. * Verify that the OpsMx account has the necessary permissions to access the Bitbucket repository. * Check for bitbucket url whitelisting in supplychain api configmap
--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.opsmx.com/ssd/security-risk-and-prioritization/user-guide/scan-now/source-scan.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.