
Versioning Systems Integrations

Your versioning system is the memory of your DevOps process. Read here how you can easily integrate the Crashtest Security Suite Scans.


In the past, versioning systems were used to store and manage different development branches. Nowadays, versioning systems are also evolving to include continuous delivery features.

Therefore, this article shows you how to integrate your versioning tool (such as Bitbucket, GitHub, or GitLab) with our security scans. But before that, we want to discuss best practices in code versioning.

Code Versioning Best Practices

For a great article on "A successful git branching model," please check out this link. Below is the visual representation from Vincent Driessen:

Git branching model from Vincent Driessen

To extend these concepts to DevSecOps, we recommend that development teams start a security scan for every release (when creating pull requests).

Before we dive into the setup for specific tools, let's look at the webhook functionality they all use.

Webhook Functionality

The following script will start the scan for your project and periodically poll the status of the scan. When the scan is finished, the report will be downloaded to the file report.xml.

#!/usr/bin/env sh

# TODO: Set WEBHOOK to webhook ID (without URL)
WEBHOOK="<your-webhook-id>"

# TODO: Set API_ENDPOINT to the base URL of the webhook API (placeholder)
API_ENDPOINT="<webhook-api-base-url>"

# Start Scan and get scan ID
SCAN_ID=$(curl --silent -X POST --data "" "$API_ENDPOINT/$WEBHOOK" | jq -r .data.scanId)
echo "Started Scan for Webhook $WEBHOOK. Scan ID is $SCAN_ID."

# Refresh Scan status (start at 0 so the loop runs until the first poll)
STATUS=0
while [ "$STATUS" -le 101 ]
do
   echo "Scan Status currently is $STATUS (101 = Running)"

   # Only poll every minute
   sleep 60

   # Refresh status
   STATUS=$(curl --silent "$API_ENDPOINT/$WEBHOOK/scans/$SCAN_ID/status" | jq -r .data.status.code)
done

echo "Scan finished with status $STATUS."

# Download Report
curl --silent "$API_ENDPOINT/$WEBHOOK/scans/$SCAN_ID/report/junit" -o report.xml
echo "Downloaded Report to report.xml"

Please see this article for other webhook functionalities (e.g., configuring authentication).
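The script above saves the report to report.xml but does not itself fail the pipeline. The following added example (not part of Crashtest Security's own script) shows one way to gate a CI job on that file, assuming the JUnit report marks findings as <failure> or <error> elements; the function names and sample files are constructed for illustration.

```shell
#!/usr/bin/env sh
# Added example: gate a CI job on the downloaded JUnit report.
# Assumption: findings are <failure>/<error> elements in a <testsuite> document.

# Print the number of <failure>/<error> elements in the report.
count_findings() {
    grep -o -E '<(failure|error)[ />]' "$1" | wc -l | tr -d ' '
}

# Exit status: 0 = no findings, 1 = findings, 2 = report unusable.
gate_report() {
    report=$1
    # A missing or empty file means the download failed.
    [ -s "$report" ] || { echo "gate: $report missing or empty" >&2; return 2; }
    # curl without --fail saves an API error body as if it were the report.
    grep -q -E '<testsuites?[ >]' "$report" ||
        { echo "gate: $report is not JUnit XML" >&2; return 2; }
    findings=$(count_findings "$report")
    if [ "$findings" -gt 0 ]; then
        echo "gate: $findings finding(s) in $report" >&2
        return 1
    fi
    echo "gate: no findings in $report"
}

# Constructed sample files (not real scan output).
demo_dir=$(mktemp -d)
cat > "$demo_dir/clean.xml" <<'EOF'
<testsuites><testsuite name="scan" tests="1" failures="0">
  <testcase name="check-a"/>
</testsuite></testsuites>
EOF
cat > "$demo_dir/findings.xml" <<'EOF'
<testsuites><testsuite name="scan" tests="2" failures="1">
  <testcase name="check-a"/>
  <testcase name="check-b"><failure message="constructed finding"/></testcase>
</testsuite></testsuites>
EOF
echo '{"error":"constructed API error body"}' > "$demo_dir/error.json"

# Run the gate on each sample and show the exit status a CI job would see.
for f in clean.xml findings.xml error.json; do
    rc=0; gate_report "$demo_dir/$f" || rc=$?
    echo "$f -> exit $rc"
done
```

In a pipeline, calling gate_report report.xml as the last command of the step makes the job fail on findings or on an unusable report.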

So, how can you apply that to your existing versioning systems?


Bitbucket

Bitbucket is a code versioning tool sold by Atlassian.

It also offers pipelines to enable the continuous delivery of software projects. Please have a look at the Bitbucket documentation on how to trigger webhooks. Below you see a straightforward example of a pipeline. You can use the script described in the webhook section to call the Crashtest Security webhook and enter it below the "script" line. 

- step:
    script:
      - echo 'I made a pipeline!'

If you need any help scripting your specific pipeline, please contact us.


GitLab

GitLab is a web-based DevOps lifecycle tool developed by GitLab Inc. It provides a Git repository manager with wiki, issue-tracking, and CI/CD pipeline features under an open-source license.

GitLab also offers GitLab CI to enable continuous integration and deployment of software projects. Please look at the GitLab documentation on how to configure pipelines (or check out their examples).

You can use the script described in the webhook section to call the Crashtest Security webhook. 

If you need any help scripting your specific pipeline, please contact us.


GitHub

GitHub is one of the most well-known and widely adopted versioning tools.

GitHub currently offers a closed beta for its native continuous delivery capability (GitHub Actions). However, as the functionality might be limited in the first release, some articles suggest using the more powerful CI/CD toolchains, such as Jenkins or CircleCI, for more script-intensive tasks.

If you are using GitHub and want to automatically start a scan for every pull request, reach out to us so we can support you with the implementation, depending on what other tools you are using.

For more information about Crashtest Security, visit crashtest-security.com.