diff --git a/bitbucket-pipelines.yml b/bitbucket-pipelines.yml
new file mode 100644
index 00000000..ded99e9e
--- /dev/null
+++ b/bitbucket-pipelines.yml
@@ -0,0 +1,78 @@
+# this test is based on the docker image described in env/bitbucket/Dockerfile
+image: iterativ/vbv-lernwelt-bitbucket
+pipelines:
+  default:
+    - parallel:
+        - step:
+            name: python tests
+            max-time: 15
+            services:
+              - postgres
+            caches:
+              - pip
+              - cypress
+            script:
+              - source ./env/bitbucket/prepare_for_test.sh
+              - pip3 install -r server/requirements/requirements-dev.txt
+              - git-crypt status -e | sort > git-crypt-encrypted-files-check.txt && diff git-crypt-encrypted-files.txt git-crypt-encrypted-files-check.txt
+              - trufflehog --exclude_paths trufflehog-exclude-patterns.txt --allow trufflehog-allow.json --entropy=True --max_depth=100 .
+#              - ./src/run_pylint.sh
+#              - ./src/run_unittests_coverage.sh
+        - step:
+            name: cypress tests
+            max-time: 45
+            services:
+              - postgres
+            artifacts:
+              - cypress/**/*.png
+              - cypress/**/*.mp4
+            caches:
+              - node
+              - pip
+              - cypress
+            script:
+              - source ./env/bitbucket/prepare_for_test.sh
+              - pip3 install -r server/requirements/requirements-dev.txt
+#              - npm install
+#              - export SWISSCOM_CUSTOMER_LOGIN_BASE_URL='http://localhost:8001/apiclient/fakeswisscomapi/login'
+#              - npm run build
+#              - ./run_jshint.sh
+#              # - npm test
+#              - (cd landingpage && npm install && echo "{}" > ./src/translations/translations.json && npm run build)
+#              - ./prepare_server_cypress.sh --start-background
+#              - npm run cypress:ci
+  tags:
+    v202*:
+      - step:
+          name: Hello world
+          script:
+            - echo "Release ready!"
+      - step:
+          name: Deploy to PROD
+          deployment: prod
+          trigger: manual
+          script:
+            - ./deploy.sh --commit "$BITBUCKET_COMMIT" --token "$DEPLOY_TOKEN" --url https://myservicecrm.swisscom.ch/deploy-iesc-bKVAkQguPDVi
+  custom:
+    deploy-preprod:
+      - step:
+          name: Deploy to PREPROD
+          deployment: preprod
+          script:
+            - ./deploy.sh --commit "$BITBUCKET_COMMIT" --token "$DEPLOY_TOKEN" --url https://preprod.myservicecrm.ch/deploy-iesc-bKVAkQguPDVi
+    deploy-api:
+      - step:
+          name: Deploy to API
+          deployment: api
+          script:
+            - ./deploy.sh --commit "$BITBUCKET_COMMIT" --token "$DEPLOY_TOKEN" --url https://api.myservicecrm.ch/deploy-iesc-bKVAkQguPDVi
+
+definitions:
+  caches:
+    cypress: /root/.cache/Cypress
+  services:
+    postgres:
+      image: postgres
+      memory: 512
+      variables:
+        POSTGRES_HOST_AUTH_METHOD: trust
diff --git a/git-crypt-encrypted-files.txt b/git-crypt-encrypted-files.txt
new file mode 100644
index 00000000..279b8b0e
--- /dev/null
+++ b/git-crypt-encrypted-files.txt
@@ -0,0 +1,2 @@
+    encrypted: env_secrets/caprover.env
+    encrypted: env_secrets/production.env
diff --git a/server/requirements/requirements-dev.in b/server/requirements/requirements-dev.in
index 44b44442..fccb5037 100644
--- a/server/requirements/requirements-dev.in
+++ b/server/requirements/requirements-dev.in
@@ -32,3 +32,6 @@ django-debug-toolbar  # https://github.com/jazzband/django-debug-toolbar
 django-extensions  # https://github.com/django-extensions/django-extensions
 django-coverage-plugin  # https://github.com/nedbat/django_coverage_plugin
 pytest-django  # https://github.com/pytest-dev/pytest-django
+
+# code checking
+truffleHog
diff --git a/server/requirements/requirements-dev.txt b/server/requirements/requirements-dev.txt
index a0f2e232..59276d67 100644
--- a/server/requirements/requirements-dev.txt
+++ b/server/requirements/requirements-dev.txt
@@ -117,6 +117,12 @@ flake8==4.0.1
     #   flake8-isort
 flake8-isort==4.1.1
     # via -r requirements-dev.in
+gitdb==4.0.9
+    # via gitdb2
+gitdb2==4.0.2
+    # via gitpython
+gitpython==3.0.6
+    # via trufflehog
 gunicorn==20.1.0
     # via -r requirements.in
 h11==0.13.0
@@ -277,6 +283,8 @@ six==1.16.0
     #   django-coverage-plugin
     #   python-dateutil
     #   virtualenv
+smmap==5.0.0
+    # via gitdb
 sqlparse==0.4.2
     # via
     #   django
@@ -307,6 +315,10 @@ traitlets==5.1.1
     # via
     #   ipython
     #   matplotlib-inline
+trufflehog==2.2.1
+    # via -r requirements-dev.in
+trufflehogregexes==0.0.7
+    # via trufflehog
 types-pytz==2021.3.4
     # via django-stubs
 types-pyyaml==6.0.4
diff --git a/trufflehog-allow.json b/trufflehog-allow.json
new file mode 100644
index 00000000..1ed3af8f
--- /dev/null
+++ b/trufflehog-allow.json
@@ -0,0 +1,8 @@
+{
+  "ignore hash 1": "J9FiYN31FuY7lHrmx9Mpai3GGpTVCxakEclOfCLretDe7bTf2DtTsgazJ0aIMtbq",
+  "ignore hash 2": "GQGU0fMMi238uA+a/bdWJfpUGKUkBdgfFdgBm72SUQ6BeyWjoY/ton0tEjH+OSH9iP4Dfh+7HM0I9f5eR0L/4w",
+  "ignore hash 3": "OvBgP9A2JBgiRad/mM36mkzXSXaJE9BEIENnVEmeZdITvwT09xnxLtT4twkCa8m/loMbPHsvPl0T8lRGVBwjlQ==",
+  "ignore hash 4": "1NpUCSvAKLpDZL9e3tqDaUe8Kk2xAuF1tXosFjBanc4lFCgNcfBp02MD3UjB72ZS",
+  "json base64 content": "regex:\"content\": \"",
+  "img base64 content": "regex:data:image/png;base64,.*"
+}
diff --git a/trufflehog-exclude-patterns.txt b/trufflehog-exclude-patterns.txt
new file mode 100644
index 00000000..195e619b
--- /dev/null
+++ b/trufflehog-exclude-patterns.txt
@@ -0,0 +1,4 @@
+server/requirements/
+env_secrets/
+env/docker_local.env
+.envs/