Skip to content
Latchkey

How to Run a Dependency Security Scan in Bitbucket Pipelines

Scan dependencies in Bitbucket Pipelines with the Snyk pipe for SCA, or a zero-dependency npm audit step.

Use the Snyk pipe for richer scanning and fix advice, or run npm audit directly when a lightweight gate that fails on high-severity advisories is enough.

Snyk pipe with a threshold

The pipe scans and fails the step when issues meet the severity threshold; npm audit is a no-pipe fallback.

bitbucket-pipelines.yml
pipelines:
  default:
    - step:
        name: Security scan
        image: node:20
        script:
          - npm ci
          - pipe: snyk/snyk-scan:1.0.0
            variables:
              SNYK_TOKEN: $SNYK_TOKEN
              SEVERITY_THRESHOLD: 'high'
          - npm audit --audit-level=high

Gotchas

  • Set SNYK_TOKEN as a secured variable; the Snyk pipe needs it to authenticate.
  • Set SEVERITY_THRESHOLD so low-severity advisories do not fail every build.
  • Pin the pipe to a version tag (snyk/snyk-scan:1.0.0) rather than latest for reproducible builds.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →