Version Control Integration
Overview
Version control integrations connect Bastion to your code repositories. Once a platform is connected, Bastion can run dependency scanning, generate SBOMs, and monitor repository security settings.
Supported Platforms
GitHub
GitHub Cloud and Enterprise
GitLab
GitLab SaaS and Self-Managed
Azure DevOps
Azure Repos and Pipelines
Bitbucket
Bitbucket Cloud and Data Center
Benefits
| Feature | Benefit |
|---|---|
| SBOM Generation | Inventory of direct and transitive dependencies with versions and licenses |
| Dependency Scanning | Find vulnerable packages |
| Secret Detection | Identify exposed secrets |
| Code Analysis | Security code review |
GitHub
Prerequisites
- GitHub organization admin
- GitHub App installation permissions
Setup Steps
Install GitHub App
Install the Bastion - Compliance GitHub App in your organization. You will be redirected to GitHub to authorize the installation.
Select Organization
Choose your company's GitHub organization during the installation flow.
Select Repositories
Choose which repositories to monitor — all or specific repos.
Initial Scan
Bastion scans selected repositories for dependencies, secrets, and configurations.
GitHub App Permissions
| Permission | Purpose |
|---|---|
| Administration: Read | Read repository and organization administration settings (e.g. branch protection rules) for compliance checks and offboarding |
| Members: Read | Member management and user access reviews |
| Metadata: Read | Repository information |
| Code: Read | Code security analysis |
Monitored Checks
| Check | Description |
|---|---|
| Branch Protection | Verify branch protection rules |
| Dependabot Alerts | Track vulnerability alerts |
| Code Reviews | Verify review requirements |
| Teams | Team and access configuration |
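To make the Branch Protection and Code Reviews checks concrete, the following is an added example, not Bastion's own code: it evaluates a GitHub branch-protection API response against a minimal policy. The response shape follows GitHub's `GET /repos/{owner}/{repo}/branches/{branch}/protection` endpoint; the sample response and the policy thresholds are constructed assumptions.

```python
"""Evaluate a GitHub branch-protection API response against a minimal policy.

Added example, not Bastion's code. The input shape follows GitHub's
GET /repos/{owner}/{repo}/branches/{branch}/protection response; the sample
below is constructed, and the policy thresholds are assumptions.
"""
from typing import Any, Optional

# Constructed sample: what a default branch with weak settings might return.
SAMPLE_PROTECTION: dict[str, Any] = {
    "required_pull_request_reviews": {
        "required_approving_review_count": 1,
        "dismiss_stale_reviews": False,
        "require_code_owner_reviews": False,
    },
    "required_status_checks": {"strict": False, "contexts": ["build"]},
    "enforce_admins": {"enabled": False},
    "allow_force_pushes": {"enabled": True},
    "allow_deletions": {"enabled": False},
}

# Policy an organization might require on its default branch (assumption).
POLICY = {
    "min_approvals": 2,
    "dismiss_stale_reviews": True,
    "require_code_owner_reviews": True,
    "enforce_admins": True,
    "strict_status_checks": True,
    "forbid_force_pushes": True,
    "forbid_deletions": True,
}


def evaluate_branch_protection(protection: Optional[dict], policy: dict = POLICY) -> list[str]:
    """Return human-readable findings; an empty list means the branch is compliant.

    `protection` is None when the API returned 404, i.e. no protection rule exists.
    """
    if protection is None:
        return ["branch has no protection rule"]
    findings: list[str] = []
    reviews = protection.get("required_pull_request_reviews")
    if reviews is None:
        findings.append("pull request reviews are not required")
    else:
        approvals = reviews.get("required_approving_review_count", 0)
        if approvals < policy["min_approvals"]:
            findings.append(f"required approvals is {approvals}, policy needs {policy['min_approvals']}")
        if policy["dismiss_stale_reviews"] and not reviews.get("dismiss_stale_reviews", False):
            findings.append("stale reviews are not dismissed on new commits")
        if policy["require_code_owner_reviews"] and not reviews.get("require_code_owner_reviews", False):
            findings.append("code owner review is not required")
    checks = protection.get("required_status_checks")
    if checks is None:
        findings.append("no required status checks")
    elif policy["strict_status_checks"] and not checks.get("strict", False):
        findings.append("status checks do not require the branch to be up to date")
    if policy["enforce_admins"] and not protection.get("enforce_admins", {}).get("enabled", False):
        findings.append("administrators can bypass protection")
    if policy["forbid_force_pushes"] and protection.get("allow_force_pushes", {}).get("enabled", False):
        findings.append("force pushes are allowed")
    if policy["forbid_deletions"] and protection.get("allow_deletions", {}).get("enabled", False):
        findings.append("branch deletion is allowed")
    return findings


if __name__ == "__main__":
    for finding in evaluate_branch_protection(SAMPLE_PROTECTION):
        print("FAIL:", finding)
```

Note the 404 case: a branch with no protection rule at all is the most common failure and must be reported, not treated as "nothing to check".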
GitLab
Prerequisites
- GitLab top-level group access (subgroups are not supported)
- Group admin or owner role
Setup Steps
Select Group
Navigate to your GitLab groups and select the top-level group to connect. Note the group ID from group settings.
Authorize Bastion
Install the Bastion Technologies OAuth application. You will be redirected to GitLab to authorize access.
Grant Permissions
Approve the requested read-only scopes.
Initial Scan
Bastion scans projects in the group.
Required Scopes
| Scope | Purpose |
|---|---|
| read_user | List group members for user access reviews |
| read_repository | Monitor branch protection and code review settings |
| read_api | Access GitLab API for compliance checks |
| read_registry | Verify container registry configurations |
| read_observability | Check monitoring and alerting settings |
Only top-level groups are supported. Subgroups cannot be connected directly due to GitLab API restrictions.
Azure DevOps
Prerequisites
- Azure DevOps organization admin
- Access to Microsoft Entra (Azure AD)
- Azure subscription
Setup Steps
Register Application
In Microsoft Entra, register a new application named Bastion Compliance App - Azure DevOps. Select Accounts in this organizational directory only.
Create Client Secret
In the app's Certificates & secrets section, create a secret with 24-month expiration. Copy the value immediately.
Assign Subscription Reader Role
Go to your subscription's Access control (IAM) and assign the Reader role to the application.
Add to Azure DevOps Organization
In Azure DevOps Organization Settings > Users, add the application as a user with Basic access level and Project Reader role.
Connect in Bastion
Enter the Organization Name, Tenant ID, Client ID, Client Secret, and Subscription ID.
Required Credentials
| Field | Description |
|---|---|
| Organization Name | Azure DevOps organization name |
| Tenant ID | Entra Directory (tenant) ID |
| Client ID | Application (client) ID |
| Client Secret | Application secret value |
| Subscription ID | Azure subscription ID |
Required Roles
| Role | Scope | Purpose |
|---|---|---|
| Reader | Azure subscription | Read-only access to infrastructure |
| Project Reader | Azure DevOps organization | Read-only access to repos and pipelines |
The client secret expires after the configured duration. The integration will disconnect when the secret expires — set a reminder to rotate it before expiration.
Bitbucket
Prerequisites
- Bitbucket workspace admin
Setup Steps
Select Workspace
Navigate to your Bitbucket workspaces and note the workspace ID for the workspace to connect.
Authorize Bastion
Install the Bastion Technologies OAuth application. You will be redirected to Bitbucket to authorize access.
Grant Permissions
Approve the requested read-only permissions.
Initial Scan
Bastion scans repositories in the workspace.
Required Permissions
| Permission | Purpose |
|---|---|
| Account: Read | Authenticate and identify the connected user |
| Workspace Membership: Read | List workspace members for user access reviews |
| Projects: Read | Access project configurations and settings |
| Repositories: Read | Monitor repositories and their configurations |
| Pull Requests: Read | Verify code review and approval requirements |
| Pipelines: Read | Check CI/CD configurations |
Due to Bitbucket Cloud API limitations, some checks related to branch protection rules and merge requirements may not return complete data.
Features
SBOM Generation
Generate Software Bill of Materials:
- All direct dependencies
- Transitive dependencies
- Versions and licenses
- Standard formats (SPDX, CycloneDX)
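The bullets above describe what an SBOM must capture. The following added example (not Bastion's generator) shows how those pieces are derived from an npm `package-lock.json` (lockfileVersion 3) and emitted as CycloneDX JSON: direct dependencies come from the root entry, transitive ones from every other `node_modules/` path, and the dependency graph is rebuilt using npm's nearest-`node_modules` resolution rule. The lockfile is constructed, and the `sbom:direct` property name is an assumption.

```python
"""Build a CycloneDX SBOM from an npm package-lock.json (lockfileVersion 3).

Added example, not Bastion's SBOM generator. The lockfile is constructed; the
'sbom:direct' property name is an assumption used to mark direct dependencies.
"""
import json
from typing import Any, Optional

# Constructed lockfile: one direct dependency pulling in two transitive ones.
LOCKFILE: dict[str, Any] = json.loads("""
{
  "name": "demo-app",
  "version": "1.0.0",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0",
         "dependencies": {"express": "^4.18.2"}},
    "node_modules/express": {"version": "4.18.2", "license": "MIT",
         "dependencies": {"body-parser": "1.20.1", "qs": "6.11.0"}},
    "node_modules/body-parser": {"version": "1.20.1", "license": "MIT",
         "dependencies": {"qs": "6.11.0"}},
    "node_modules/qs": {"version": "6.11.0", "license": "BSD-3-Clause"}
  }
}
""")


def purl(name: str, version: str) -> str:
    """Package URL for an npm package; the '@' of a scoped name is percent-encoded."""
    if name.startswith("@"):
        name = "%40" + name[1:]
    return f"pkg:npm/{name}@{version}"


def package_name(path: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (text after the last node_modules/)."""
    return path.rsplit("node_modules/", 1)[1]


def resolve(base: str, dep: str, packages: dict[str, Any]) -> Optional[str]:
    """Find the lockfile path `dep` resolves to from `base`: look in the nearest
    node_modules and walk up the tree, as npm does."""
    while True:
        candidate = f"{base}/node_modules/{dep}" if base else f"node_modules/{dep}"
        if candidate in packages:
            return candidate
        if not base:
            return None
        base = base.rsplit("/node_modules/", 1)[0] if "/node_modules/" in base else ""


def build_sbom(lock: dict[str, Any]) -> dict[str, Any]:
    packages = lock["packages"]
    root = packages[""]
    root_ref = purl(root["name"], root["version"])
    direct = set(root.get("dependencies", {}))
    ref_of = {"": root_ref}
    components = []
    for path, meta in packages.items():
        if path == "":
            continue
        name = package_name(path)
        ref = purl(name, meta["version"])
        ref_of[path] = ref
        # A top-level install listed in the root manifest is direct; anything else is transitive.
        is_direct = path.count("node_modules/") == 1 and name in direct
        component: dict[str, Any] = {
            "type": "library", "bom-ref": ref, "name": name,
            "version": meta["version"], "purl": ref,
            "properties": [{"name": "sbom:direct", "value": str(is_direct).lower()}],
        }
        if "license" in meta:
            component["licenses"] = [{"license": {"id": meta["license"]}}]
        components.append(component)
    dependencies = []
    for path, meta in packages.items():
        edges = [resolve(path, d, packages) for d in meta.get("dependencies", {})]
        dependencies.append({"ref": ref_of[path], "dependsOn": sorted(ref_of[p] for p in edges if p)})
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
        "metadata": {"component": {"type": "application", "bom-ref": root_ref,
                                   "name": root["name"], "version": root["version"]}},
        "components": sorted(components, key=lambda c: c["purl"]),
        "dependencies": dependencies,
    }


if __name__ == "__main__":
    print(json.dumps(build_sbom(LOCKFILE), indent=2))
```

Because the lockfile pins exact versions, the resulting SBOM is reproducible; without a lockfile, a generator would have to re-resolve ranges like `^4.18.2` and could report versions that differ from what is actually deployed.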
Dependency Scanning
Continuous vulnerability detection:
| Ecosystem | Support |
|---|---|
| npm/yarn | Full |
| pip/poetry | Full |
| Maven/Gradle | Full |
| Go modules | Full |
| Cargo | Full |
| NuGet | Full |
Scanning Process
Detect Manifests
Find package.json, requirements.txt, etc.
Resolve Dependencies
Build complete dependency tree.
Check Vulnerabilities
Query CVE databases.
Report
Generate findings and recommendations.
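The "Check Vulnerabilities" and "Report" steps come down to matching each resolved package version against advisory version ranges and turning the matches into findings with a severity. The following added example (not Bastion's scanner) does that over a constructed component list and an OSV-style advisory feed, and also shows the severity-threshold gate that the Status Checks section later on this page describes. Package names, the `ADV-xxxx` identifiers and CVSS scores are constructed and refer to no real package or CVE; the blocking threshold is an assumption.

```python
"""Match resolved dependencies against an advisory feed and gate a merge on severity.

Added example, not Bastion's scanner. Package names, advisory IDs (ADV-xxxx) and
CVSS scores are constructed and do not refer to real packages or CVEs; the
severity threshold used for blocking is an assumption.
"""
from typing import Any, Optional

# Constructed resolved-dependency list (output of the "Resolve Dependencies" step).
COMPONENTS = [
    {"name": "http-framework", "version": "4.18.2", "ecosystem": "npm"},
    {"name": "form-decode", "version": "1.20.1", "ecosystem": "npm"},
    {"name": "query-parse", "version": "6.9.0", "ecosystem": "npm"},
]

# Constructed advisories in OSV-like "introduced"/"fixed" range form.
ADVISORIES = [
    {"id": "ADV-0001", "package": "query-parse", "ecosystem": "npm",
     "introduced": "6.5.0", "fixed": "6.10.3", "cvss": 7.5},
    {"id": "ADV-0002", "package": "form-decode", "ecosystem": "npm",
     "introduced": "0", "fixed": "1.20.3", "cvss": 5.3},
    {"id": "ADV-0003", "package": "query-parse", "ecosystem": "npm",
     "introduced": "6.0.0", "fixed": "6.3.0", "cvss": 4.3},
    {"id": "ADV-0004", "package": "http-framework", "ecosystem": "npm",
     "introduced": "5.0.0", "fixed": None, "cvss": 9.8},
]


def parse_version(v: str) -> tuple[int, int, int]:
    """'1.20.1' -> (1, 20, 1); missing parts are zero-padded and pre-release or
    build suffixes are dropped (semver pre-release ordering is not modeled)."""
    core = v.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2])


def version_in_range(v: str, introduced: Optional[str], fixed: Optional[str]) -> bool:
    """True when introduced <= v < fixed (a missing 'fixed' means no upper bound)."""
    pv = parse_version(v)
    if introduced is not None and pv < parse_version(introduced):
        return False
    if fixed is not None and pv >= parse_version(fixed):
        return False
    return True


def severity(cvss: float) -> str:
    """CVSS v3 qualitative rating bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low" if cvss > 0 else "none"


def scan(components: list[dict[str, Any]], advisories: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Produce one finding per (component, matching advisory) pair."""
    findings = []
    for comp in components:
        for adv in advisories:
            if (adv["package"], adv["ecosystem"]) != (comp["name"], comp["ecosystem"]):
                continue
            if not version_in_range(comp["version"], adv.get("introduced"), adv.get("fixed")):
                continue
            findings.append({
                "id": adv["id"], "package": comp["name"], "version": comp["version"],
                "fixed_version": adv.get("fixed"), "cvss": adv["cvss"],
                "severity": severity(adv["cvss"]),
                "remediation": (f"upgrade to {adv['fixed']}" if adv.get("fixed")
                                else "no fixed version; remove or mitigate"),
            })
    return findings


SEVERITY_ORDER = ["none", "low", "medium", "high", "critical"]


def gate_merge(findings: list[dict[str, Any]], threshold: str = "high") -> tuple[bool, list[dict[str, Any]]]:
    """Return (allowed, blocking): blocking holds findings at or above the threshold."""
    rank = SEVERITY_ORDER.index
    blocking = [f for f in findings if rank(f["severity"]) >= rank(threshold)]
    return (not blocking, blocking)


if __name__ == "__main__":
    results = scan(COMPONENTS, ADVISORIES)
    for f in results:
        print(f"{f['id']} {f['package']}@{f['version']} [{f['severity']}] -> {f['remediation']}")
    print("merge allowed:", gate_merge(results, "high")[0])
```

The range check is deliberately half-open (`introduced <= v < fixed`), which is how advisory feeds express "fixed in": a component at exactly the fixed version is clean. Real semver pre-release ordering (`1.0.0-rc1` sorts before `1.0.0`) is not modeled here and would need a proper semver library in production.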
Secret Detection
Find exposed secrets:
- API keys
- Passwords
- Private keys
- Access tokens
- Connection strings
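The categories above map to two detection strategies: fixed-format credentials (cloud access keys, platform tokens, private-key headers) can be matched by pattern alone, while generic `key = "..."` assignments need an entropy check to separate real secrets from placeholders and variable references. The following is an added example, not Bastion's detector; the sample file, rule set and 3.5-bit entropy threshold are assumptions, the AWS key is AWS's documented example value, and the GitHub token is a made-up string in the `ghp_` format.

```python
"""Regex-plus-entropy secret detector run over a constructed sample file.

Added example, not Bastion's detector. The sample lines, the 3.5-bit entropy
threshold and the rule set are assumptions; the AWS key is AWS's documented
example value and the GitHub token is a made-up string in the ghp_ format.
"""
import math
import re
from collections import Counter
from typing import Any

# Constructed sample file contents.
SAMPLE = """\
# constructed sample config
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
github_token = "ghp_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8"
api_key = "xxxxxxxxxxxxxxxxxxxxxxxx"
SECRET_TOKEN = "s3cr3tV4lu3W1thH1ghEntr0py99"
-----BEGIN RSA PRIVATE KEY-----
DB_URL=Server=db.internal;Database=app;User Id=svc;Password=Hunter2!Hunter2;
password = os.environ["DB_PASSWORD"]
"""

ENTROPY_THRESHOLD = 3.5  # bits per character; placeholders like 'xxxx' fall well below

# (kind, pattern, require_high_entropy). Group 1, when present, is the secret value.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), False),
    ("github-token", re.compile(r"\bghp_[A-Za-z0-9]{36}\b"), False),
    ("private-key", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"), False),
    ("connection-string-password", re.compile(r"(?i)\b(?:password|pwd)=([^;\s]+)"), False),
    ("generic-credential",
     re.compile(r"(?i)(?:api[_-]?key|secret|token|password)\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{20,})"),
     True),
]


def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for a single repeated character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Keep enough to locate the secret without reproducing it in reports."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_text(text: str) -> list[dict[str, Any]]:
    """Return one finding per line that carries a secret; the value is redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern, needs_entropy in RULES:
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if needs_entropy and shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue  # low-entropy value: a placeholder, not a secret
            findings.append({"line": lineno, "kind": kind, "match": redact(value)})
            break  # one finding per line; earlier, more specific rules win
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f['line']}: {f['kind']} {f['match']}")
```

Two details matter in practice: the placeholder `api_key = "xxxx..."` is suppressed by the entropy check rather than by a hard-coded allowlist, and the report never contains the matched value in full, so the findings store does not itself become a secret store.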
Scan Triggers
When Scans Run
| Trigger | Description |
|---|---|
| Push | On code push (webhook) |
| Schedule | Daily scheduled scan |
| Manual | On-demand scan |
| PR | Pull request scanning |
Webhook Configuration
Enable real-time scanning:
- Go to integration settings
- Enable webhooks
- Bastion configures automatically
- Scans trigger on push
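A push webhook is an unauthenticated HTTP request from the internet until its signature has been checked, so a receiver must verify it before scheduling a scan. The following added example (not Bastion's webhook handler) shows the two schemes the supported platforms use: GitHub's `X-Hub-Signature-256` header (HMAC-SHA256 over the raw request body) and GitLab's `X-Gitlab-Token` header (the shared secret itself). The secret and payload are constructed.

```python
"""Verify the authenticity of an incoming push webhook before acting on it.

Added example, not Bastion's webhook handler. It shows GitHub's
X-Hub-Signature-256 (HMAC-SHA256 over the raw request body) and GitLab's
X-Gitlab-Token (shared secret) schemes; the secret and payload are constructed.
"""
import hashlib
import hmac
import json
from typing import Any, Optional

# Constructed shared secret and raw push payload (bytes exactly as received on the wire).
WEBHOOK_SECRET = b"constructed-webhook-secret"
RAW_BODY = (b'{"ref":"refs/heads/main",'
            b'"after":"0123456789abcdef0123456789abcdef01234567",'
            b'"repository":{"full_name":"example-org/demo-app"}}')


def github_signature(secret: bytes, body: bytes) -> str:
    """Value GitHub puts in X-Hub-Signature-256 for this body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_github(secret: bytes, body: bytes, header: Optional[str]) -> bool:
    """Constant-time check of X-Hub-Signature-256; rejects missing or malformed headers."""
    if not header or not header.startswith("sha256="):
        return False
    return hmac.compare_digest(github_signature(secret, body), header)


def verify_gitlab(secret: str, header: Optional[str]) -> bool:
    """GitLab sends the shared secret itself in X-Gitlab-Token; compare in constant time."""
    return bool(header) and hmac.compare_digest(secret, header)


def handle_push(secret: bytes, body: bytes, header: Optional[str]) -> Optional[dict[str, Any]]:
    """Parse the event only after the signature checks out; None means 'reject'."""
    if not verify_github(secret, body, header):
        return None
    event = json.loads(body)
    return {"ref": event["ref"], "after": event["after"], "repo": event["repository"]["full_name"]}


if __name__ == "__main__":
    sig = github_signature(WEBHOOK_SECRET, RAW_BODY)
    print(handle_push(WEBHOOK_SECRET, RAW_BODY, sig))
    # The HMAC covers the raw bytes: re-serialising the JSON changes whitespace and
    # invalidates the signature, so never verify against a parsed-and-dumped body.
    reserialised = json.dumps(json.loads(RAW_BODY)).encode()
    print(verify_github(WEBHOOK_SECRET, reserialised, sig))
```

The common mistakes this guards against are comparing signatures with `==` (timing leak), accepting a request with no signature header at all, and computing the HMAC over a body that a web framework has already parsed and re-encoded.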
Results
Viewing Results
Results appear in Code Security module:
- Vulnerabilities by severity
- Dependencies with issues
- SBOM inventory
- License compliance
Issue Details
For each vulnerability:
- CVE ID and description
- Affected package and version
- Fixed version (if available)
- Remediation steps
- CVSS score
Pull Request Integration
Auto-Fix PRs
Bastion can open a fix pull request when an upgraded version is available:
- Enable auto-PR in the integration settings
- When a vulnerability is detected and a fixed version exists, Bastion opens a PR that bumps the dependency
- Review and merge the PR
PR Comments
Add vulnerability info to PRs:
- New vulnerabilities introduced
- Existing vulnerabilities
- Recommendations
Branch Protection
Scanning in CI/CD
Add Bastion to CI/CD:
- GitHub Actions
- GitLab CI
- Azure Pipelines
- Bitbucket Pipelines
- Custom pipelines
Status Checks
Block merges with vulnerabilities:
- Enable status checks
- Configure severity threshold
- PRs blocked until resolved
Troubleshooting
Repos Not Appearing
- Verify installation scope
- Check permissions granted
- Review organization settings
Scans Not Running
- Check webhook configuration
- Verify token permissions
- Review scan logs
Missing Dependencies
- Ensure lock files are present
- Check manifest file locations
- Verify ecosystem support
Best Practices
Include All Repos
Scan all repositories, including internal tools and scripts.
Enable Webhooks
Real-time scanning catches issues faster than scheduled scans.
Use Lock Files
Commit lock files for accurate transitive dependency tracking.
Act on Findings
Regularly review and remediate discovered vulnerabilities.