Safeguard your code with customised Bitbucket merge checks

Natalia Chebotareva
25th July, 2023

Security is absolutely crucial when it comes to coding. Find out how to use custom merge checks to protect your code security and quality.
Security is absolutely crucial when it comes to coding. It can feel like everyone is just waiting to pounce on any vulnerabilities in software. If a company doesn't make code security its top priority, bad actors might exploit weak points to cause chaos at best and harm at worst within its systems. By employing sound coding practices and diligently reviewing for any such weak spots, you can build a safer digital landscape that customers can trust, one that protects user information and mitigates your risk of cyberattacks and data breaches.
This post will help you build a secure space to protect your code. We’ll look at some general best practices for fostering a security-centric development cycle in Bitbucket and some more specific automations and customisations that you can set up using ScriptRunner to help you along the way to improved code stability.

Let’s start with Merge Checks

Pull Requests are an essential part of the code review process. They serve as a means to propose changes and ensure that they undergo careful review and meet specific rules before being merged into the main codebase. Merge Checks, on the other hand, are an enhancement to the pull request process and are used to prevent the merging of Pull Requests under certain conditions or requirements.
Think of a car trying to join traffic as a pull request: it wants to join the main flow of cars. Is it safe to just pull out automatically? Of course not. There are serious risks of collision and disruption if this is not done carefully, in collaboration with other drivers and in line with agreed processes. This is why drivers are taught to follow highway codes and why traffic lights were invented. If the pull request is the blinker indicating the driver’s desire to join the main flow of traffic, merge checks are our traffic lights.
Think of them as quality control measures that ensure the code changes are up to standard and won't cause any issues. So, before your code becomes a part of the main codebase, merge checks give it a thorough inspection to keep everything in order and make sure it's good to go.
Merge checks can be customised and contextual, allowing teams to define rules and conditions based on their specific development practices and project requirements.
When a pull request is submitted, the merge checks are automatically applied. If any of the checks fail, the pull request is prevented from being merged until the required conditions are met. This ensures that only high-quality, validated code is merged into the main branch, reducing the risk of introducing bugs, regressions, or other issues in the software.
Merge checks are also key for the education of your team: warnings will let them know where they are going wrong to improve the quality of their work in the future.

Some common Bitbucket merge checks

  • Minimum number of approvers
  • Passing unit tests
  • Code style conformity
  • No code conflicts
  • Adherence to specific coding conventions
  • Valid issue references
  • Pull request associated with a valid Jira issue
  • Prevent merge if there are open tasks
  • Prevent merge when the source is based on out-of-date target branch
  • Prevent merge to specific target branches
  • Prevent merge depending on external systems
Each merge check examines different aspects of the code changes and verifies that they meet the defined criteria. Keep reading to learn about some of them in more detail.

Require a minimum number of approvers

This will help teams ensure code quality by requiring a specified number of reviewers to approve a pull request before it is merged.
This is already available in Bitbucket on a per-repo basis, where you can require that pull requests are reviewed by, say, two reviewers.
To make this check more meaningful or powerful, use ScriptRunner to combine it with conditions and create an intelligent git workflow.
Let’s say that you need additional diligence when changes inside a specific package or module can affect the product’s performance or stability. For any files that have been changed inside a given path, you can automatically increase the number of reviewers required.
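One way to express this path-dependent approval count as a ScriptRunner merge check condition (an added example, not taken from the post; the globs and thresholds are assumed values, while `pathsMatch` and `mergeRequest` are used the same way as in the post's other conditions):

```groovy
// Added example: path-dependent approval thresholds.
// The globs and counts below are assumed values; adjust them to your repository.
// A true result blocks the merge, as in the post's other conditions.
def approvalRules = [
    'glob:**/auth/**'  : 3,   // authentication code: three approvals
    'glob:**/crypto/**': 3,   // cryptographic code: three approvals
    'glob:**.gradle'   : 2,   // build scripts: two approvals
]

// Strictest rule among those whose glob matches a changed file; 0 if none match.
def required = approvalRules
        .findAll { glob, minApprovals -> pathsMatch(glob) }
        .values()
        .max() ?: 0

// Number of reviewers who have approved the pull request.
def approvals = mergeRequest.pullRequest.reviewers.count { it.approved }

// Block the merge while the approvals fall short of the strictest matching rule.
approvals < required
```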

Require approvals from specific people

You can also require approvals from a specific set of people from different groups depending on which part of the code was changed. In this example, if a C++ file was changed, you can block the merge until someone from the "cpp-developers" group approves.

    import com.atlassian.bitbucket.user.UserService
    import com.atlassian.sal.api.component.ComponentLocator

    def userService = ComponentLocator.getComponent(UserService)

    // Block the merge when a .cpp file changed and no approving reviewer
    // belongs to the "cpp-developers" group.
    pathsMatch('glob:**.cpp') && !mergeRequest.pullRequest.reviewers.findAll {
        it.approved && userService.isUserInGroup(it.user, "cpp-developers")
    }

Set a conditional merge check

This allows users to create custom rules to check changes in Bitbucket repositories before merging. You can specify conditions that must be met before a merge can proceed, helping to prevent potential issues.
For example, you can block a pull request merge if one of the reviewers marks the pull request as needing more work.

    import com.atlassian.bitbucket.pull.PullRequestParticipantStatus

    // Block the merge while any reviewer has marked the pull request "Needs work".
    def reviewers = mergeRequest.pullRequest.reviewers
    reviewers.any { it.status == PullRequestParticipantStatus.NEEDS_WORK }
Or, block Unicode bidirectional control characters while still allowing administrators to disable the merge check for legitimate use cases.
Get the script here.
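What such a bidirectional-control-character check looks for, shown as a standalone Groovy script (an added example, not the ScriptRunner script linked above, and it does not use the Bitbucket API; the function name `findBidiControls` and the sample diff are constructed for illustration):

```groovy
// Added example: report bidirectional control characters on lines a diff adds.
// U+202A-U+202E are embeddings/overrides, U+2066-U+2069 are isolates.
List<Map> findBidiControls(String unifiedDiff) {
    def bidi = ~/[\u202A-\u202E\u2066-\u2069]/
    def findings = []
    String file = null
    int newLine = 0                      // line number on the new side of the diff
    unifiedDiff.eachLine { String line ->
        if (line.startsWith('+++ ')) {
            // New-side file header: remember which file the hunks belong to.
            file = line.substring(4).replaceFirst('^b/', '')
        } else if (line.startsWith('@@')) {
            // Hunk header, e.g. "@@ -10,2 +10,3 @@": take the new-side start line.
            def hunk = (line =~ /\+(\d+)/)
            newLine = hunk.find() ? hunk.group(1).toInteger() - 1 : 0
        } else if (line.startsWith('+')) {
            newLine++
            def hit = (line.substring(1) =~ bidi)
            while (hit.find()) {
                findings << [file: file, line: newLine,
                             codePoint: String.format('U+%04X', (int) hit.group().charAt(0))]
            }
        } else if (line.startsWith(' ')) {
            newLine++                    // unchanged context line
        }
    }
    findings
}

// Constructed sample diff; the two escapes below become real control characters.
def sample = '''\
--- a/src/Notes.java
+++ b/src/Notes.java
@@ -10,2 +10,3 @@
 int a = 1;
+// text \u202E reversed \u2066 isolated
 int b = 2;
'''

findBidiControls(sample).each { println "${it.file}:${it.line} contains ${it.codePoint}" }
```

Only added lines are inspected, so characters already present in the target branch do not block unrelated pull requests.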
Moreover, you can enforce squashed commits. If you want a less cluttered commit list, which means less time spent searching for the commit that introduced a bug, you can require that all the commits in every pull request are squashed into a single commit before merging.

Enforce squashed commits

    import com.atlassian.bitbucket.pull.PullRequestService
    import com.atlassian.sal.api.component.ComponentLocator

    def pullRequestService = ComponentLocator.getComponent(PullRequestService)
    def pullRequest = mergeRequest.pullRequest

    // Block the merge while the pull request contains more than one commit.
    // countCommits takes the repository id and the pull request id.
    return pullRequestService.countCommits(pullRequest.toRef.repository.id, pullRequest.id) > 1
You can also prevent users from merging into some protected branches by checking the pull request target in the condition field.

Protected branches

    // Block the merge when the target branch is the protected one.
    // defaultBranch stands for the name of the branch you want to protect.
    mergeRequest.pullRequest.toRef.displayId == defaultBranch

Require all comments to be resolved

This enables you to block the merge of a given pull request while it contains unresolved comments, so that the comments can be addressed. It also provides an opportunity to check for any comments that may have been missed.
Enforcing the resolution of comments helps demonstrate compliance with requirements and ensures that all relevant stakeholders have had the opportunity to provide input and address security concerns.

Write a custom Bitbucket merge check

You can also create your own totally custom rules for checking changes before merging into a repository, such as ensuring that changes pass certain tests or conform to specific coding standards.
By having merge checks in place, developers and teams gain a boost of confidence. They know that their code changes are thoroughly reviewed and won't cause any unexpected surprises down the line. It's like having a reliable sidekick who double-checks everything, ensuring your code is fortified against any potential threats.
Not only do merge checks maintain the integrity of your code, but they also strengthen collaboration while prioritising and protecting what matters to your organisation. They ensure everyone follows the same set of security guidelines, making sure that each team member is on board with protecting the codebase.
Setting up these checks lets the entire team work together harmoniously, knowing that their code changes will seamlessly fit with the rest of the project. Nobody careens into rush hour traffic, and everybody’s journey is less stressful as a result!

Not using ScriptRunner for Bitbucket yet?

Start a free trial now via Atlassian Marketplace.