
Ostorlab Integration with Azure DevOps

Overview

Welcome to the comprehensive guide on integrating Ostorlab with Azure DevOps, enhancing security and privacy testing in your mobile application pipeline builds. Follow these step-by-step instructions to seamlessly incorporate Ostorlab into your development workflow.

Video Demonstration

Watch this brief video for a visual walkthrough of the integration process.

API Key Generation

To begin, generate a new API key in your organization dashboard. Follow these steps:

Step 1: Click the menu button.

Step 2: Expand the "Library" section.

Step 3: Choose "API Keys".

Step 4: Click "New".

Step 5: Copy the API key. Optionally, add a name and an expiry date. Set an expiry date where you can: a CI key that never expires stays usable for as long as any old pipeline definition or log that leaked it survives.

Step 6: Save the key.

Extension Installation

Now, let's install the Ostorlab extension from the Azure DevOps Marketplace.

Step 7: Search for "Ostorlab" in the Marketplace.

Step 8: Open the extension page.

Step 9: Click "Get it free".

Step 10: Install the extension. Installing a Marketplace extension requires organization-level permission (organization owner or Project Collection Administrator); a user without it can only request the extension and must wait for an administrator to approve it.

Step 11: Confirm that the installation succeeded.

Pipeline Configuration

Proceed with the configuration of your Azure DevOps pipeline.

Step 12: Open your pipeline and click on "Show Assistant".

Step 13: Search for the Ostorlab extension.

Step 14: Enter the generated API key. Reference a secret pipeline variable (for example $(OSTORLAB_API_KEY)) rather than pasting the key into the pipeline YAML; a key committed to the repository is readable by everyone with read access, and remains in the history after it is removed.

Step 15: Add the file path to your application (the built Android or iOS binary).

Step 16: Select the platform (Android or iOS).

Access Advanced Configuration for optional settings.

Optional Settings

  • Scan Profile: Choose between Fast Scan for rapid static analysis or Full Scan for a comprehensive analysis.
  • Scan Title: Define a title for the scan.
  • Max Wait Time: Set the maximum time (in minutes) the build waits for the scan to finish.
  • Risk Threshold: Set the risk level at which findings fail the build.
  • Extra Parameters: Provide SBOM/Lock files for enhanced scan analysis or supply credentials for authenticated testing.

Extra Parameters

The following list outlines the supported SBOM/Lock files:
    SPDX
    CycloneDX
    gradle.lockfile
    pubspec.lock
    buildscript-gradle.lockfile
    pnpm-lock.yaml
    package-lock.json
    packages.lock.json
    pom.xml
    Gemfile.lock
    yarn.lock
    Cargo.lock
    composer.lock
    conan.lock
    mix.lock
    go.mod
    requirements.txt
    Pipfile.lock
    poetry.lock

Step 23: Click "Add" to include the Ostorlab-Azure-Security-Scanner task in your pipeline.

Step 24: Review the task details within the pipeline.

Step 25: Save and run your pipeline.

Step 26: Check the pipeline logs for details, retrieve the scan ID, and monitor your scan within your organization account on Ostorlab.

For example, the Scan Result screenshot shows the report for the scan started by this pipeline run.
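The same configuration expressed as pipeline YAML rather than through the assistant, as an added example that is not part of the original page or of the Ostorlab project. The task name is the one from Step 23; the @1 version suffix, the input names, the profile value and the artifact path are assumptions, to be checked against the snippet the pipeline assistant generates. What the example is meant to show is where the API key lives: in a secret pipeline variable, referenced by name, never as a literal in the file.

```yaml
# Added example, not the extension's own documentation. Task version and all
# input names are ASSUMED; compare them with the YAML the assistant emits.
trigger:
  - main

pool:
  vmImage: ubuntu-latest

variables:
  # Path of the binary produced by an earlier build step (assumed layout).
  - name: appPath
    value: $(Build.ArtifactStagingDirectory)/app-release.apk
  # OSTORLAB_API_KEY is deliberately NOT defined here. Create it as a secret
  # pipeline variable (Edit pipeline > Variables > "Keep this value secret") or
  # in a variable group. Azure Pipelines masks secret variables in logs and,
  # by default, does not expose them to builds of pull requests from forks.

steps:
  # Insecure variant, for contrast. Do not do this:
  #   apiKey: 'paste-the-key-here'
  # Everyone with read access to the repository, and to its history, gets the key.
  - task: Ostorlab-Azure-Security-Scanner@1
    displayName: Ostorlab security scan
    inputs:
      apiKey: $(OSTORLAB_API_KEY)          # secret variable (assumed input name)
      filePath: $(appPath)                 # Step 15
      platform: android                    # Step 16: android or ios
      scanProfile: full_scan               # Scan Profile (assumed value)
      scanTitle: $(Build.DefinitionName) build $(Build.BuildNumber)
      maxWaitTime: 60                      # minutes the build waits for the scan
      riskThreshold: high                  # findings at this level fail the build
```

Keep the Max Wait Time below the pipeline job's own timeout, otherwise the job is cancelled before the task can report a result, and the Risk Threshold is what turns the scan into an actual gate: without it the task only reports, and the build goes green regardless of findings.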

Conclusion

This guide has covered the necessary steps for seamlessly integrating Ostorlab into your Azure DevOps pipeline builds. With this extension, you can conduct comprehensive static, dynamic, and backend scans for your application.