Skip to content

Ostorlab Integration with Bitbucket


In this guide, we will explore how to easily integrate security and privacy testing into your mobile application pipeline builds using the Bitbucket Pipeline.

Video Demonstration

Watch this brief video for a visual walkthrough of the integration process.

Generate an API Key:

The first step is to generate a new API key. In your organisation dashboard, click the menu button.

Click here

Next click "library" to expand.

Click 'Library'

And choose API keys.

Click 'API Keys'

From here, click "New".

Click 'New'

Copy the API key. You can also add a name and an expiry date to your key.

Fill 'Github_action_key'

Don't forget to click the save button to save your key.

Fill 'Github_action_key'

Add the API Key to Bitbucket Variables:

Once you have generated your API key, add it to your Bitbucket variables.

add variable

Update Your Pipeline:

Now, you need to update your Bitbucket pipeline to include an Ostorlab step for triggering the security scan. This is a sample configuration that performs a fast scan on an Android APK and fails the pipeline for vulnerabilities with a high severity rating.

Add step

- step:
            name: Ostorlab Security Scan
              - pip
              - pip install ostorlab[cli]
              - export SCAN_TITLE="Test Bitbucket CI workflow"
              - export SCAN_PROFILE='fast_scan'
              - export BREAK_ON_RISK_RATING="HIGH"
              - export MAX_WAIT_MINUTES=15
              - export TARGET="oxo_insecure.apk"
              - export ASSET_TYPE="android-apk"
              - export EXTRA="--test-credentials-login test_login --test-credentials-password test_pass"
              - ostorlab --api-key="$OSTORLAB_API_KEY" ci-scan run  --title="$SCAN_TITLE" --scan-profile="$SCAN_PROFILE"  --break-on-risk-rating="$BREAK_ON_RISK_RATING" --max-wait-minutes="$MAX_WAIT_MINUTES" $EXTRA $ASSET_TYPE

Let's explore each line in this configuration:

First, we will need to install the ostorlab package and its command-line interface components using pip.

Add step

Next, create a variable to store the API key. Ensure that the variable's name matches the one added to your repository as a secret or environment variable.

Add step

Add a title variable for your scan.

Add step

Add another variable for the scan profile. Choose between Fast Scan for rapid static analysis or Full Scan for a comprehensive analysis, including static, dynamic, and backend.

Add step

Then, a variable to Defines the maximum time the build should wait (in minutes) to finish security analysis.

Add step

Add a target variable to specify the path to your application.

Add step

Define the asset type as either Android or iOS. In my case, I am choosing Android as I intend to scan an Android app.

Add step

The extra parameter enables you to provide your Lock files for enhanced scan analysis.

Extra params

The following list outlines the supported SBOM/Lock files:

Additionally, it allows you to supply either simple credentials or custom credentials to enable authenticated testing.

Extra params

Finally, execute the Ostorlab command as follows:

Extra params

After updating the pipeline, check the progress here.

Check progress

Check the pipeline logs for details, retrieve the scan ID, and monitor your scan within your organization account on Ostorlab.

Monitor scan

For example, this is the report for the current scan.

Scan report


This guide covers the steps required to effectively and easily integrate Ostorlab autonomous security testing for Android and iOS mobile apps into your Bitbucket Pipeline.