How to Run a Dependency Security Scan in Bitbucket Pipelines
Scan dependencies in Bitbucket Pipelines with the Snyk pipe for SCA, or a zero-dependency npm audit step.
Use the Snyk pipe for richer scanning and fix advice, or run npm audit directly when a lightweight gate that fails on high-severity advisories is enough.
Snyk pipe with a threshold
The pipe scans and fails the step when issues meet the severity threshold; npm audit is a no-pipe fallback.
bitbucket-pipelines.yml
pipelines:
default:
- step:
name: Security scan
image: node:20
script:
- npm ci
- pipe: snyk/snyk-scan:1.0.0
variables:
SNYK_TOKEN: $SNYK_TOKEN
SEVERITY_THRESHOLD: 'high'
- npm audit --audit-level=highGotchas
- Set
SNYK_TOKENas a secured variable; the Snyk pipe needs it to authenticate. - Set
SEVERITY_THRESHOLDso low-severity advisories do not fail every build. - Pin the pipe to a version tag (
snyk/snyk-scan:1.0.0) rather thanlatestfor reproducible builds.
Related guides
How to Run a Security Scan (CodeQL + Dependencies) in GitHub ActionsRun a SAST and dependency security scan in GitHub Actions with CodeQL and a dependency audit, uploading SARIF…
How to Run a Dependency Security Scan in CircleCIRun a dependency and SAST security scan in CircleCI with the Snyk orb or a plain npm audit step, failing the…