Skip to content

Bitrise Integration Guide

Easily integrate Ostorlab automated security scanning for Android mobile applications into your Bitrise CI pipeline.

Generate an Ostorlab API key

  1. Go to the API keys menu
  2. Click the New button to generate a new key
  3. Copy the API key (You can add a name and an expiry date to your key)
  4. Click the Save button to save your key

API Key creation

Add the API key as a Bitrise Secret

  1. Open your Bitrise project
  2. Go to Workflow Editor
  3. Navigate to Secrets

  4. Add a new secret:

  5. Save the secret.

Add Bitrise secret

Add Environment Variables

You may configure additional parameters for the scan.

Environment variables

Add a Bitrise Workflow Stage

  1. Go to Workflow Editor
  2. Select the workflow where you want to run the scan (for example, `primary`)
  3. Click Add Step
  4. Search for Script
  5. Select the Script step to add it to the workflow

Add Script Step

Configure the Script Step

  1. In the Script Step, choose Custom Script
  2. Paste the script from the next section into the Script content field
  3. Save the workflow

Configure Script Step

Add the Ostorlab Script

Add the following bash script in the Script Step:

#!/bin/bash
set -e

python3 -m pip install --upgrade pip
pip install ostorlab

ostorlab \
  --api-key="$API_KEY" \
  ci-scan run \
  --title="$Scan_Title" \
  --scan-profile="$SCAN_PROFILE" \
  android-apk "$BITRISE_APK_PATH"

Additional options

The following is the full list of options for the `ostorlab ci-scan run` command: 

ostorlab --api-key <API_KEY> ci-scan run --option <asset-type> <target>

  • --api-key: Ostorlab generated API key.

  • --title: Scan title

  • --scan-profile: Type of the scan. Possible options are:

    1. `fast`: Only runs the static analysis;
    2. `full`: Runs static, dynamic, and backend analysis.

  • Test credentials: Automatic authentication in the dynamic analysis full scan:

    • --test-credentials-login: Username to be used in log-in fields;
    • --test-credentials-password: Password to be used in password fields;
    • --test-credentials-role: Optional role field;
    • Custom/Generic test credentials:
      • --test-credentials-name: Custom name of the field;
      • --test-credentials-value: Custom value of the field

  • --sbom: Path to the sbom file. The sbom file should also be mounted as specified in step 3.

  • --ui-prompt-name: Name of the UI prompt to be passed to Ostorlab CLI.

  • --ui-prompt-action: Action of the UI prompt to be passed to Ostorlab CLI. UI prompts are a powerful feature that allows you to use natural language to tell the scanner how to navigate the app. You can add multiple prompts by adding the arguments multiple times, for example: ```shell --ui-prompt-name accept-terms --ui-prompt-action "Scroll down and tap the 'Accept Terms' checkbox." --ui-prompt-name submit --ui-prompt-action "Tap the 'Submit' button to complete the login process." ```

  • --ui-prompt-id: List of existing UI prompt IDs to be passed to Ostorlab CLI. This allows you to reuse previously defined UI prompt flows by their IDs. You can add multiple prompt IDs by adding the argument multiple times, for example: ```shell --ui-prompt-id 123 --ui-prompt-id 456 ```

  • asset-type: Type of the asset to scan. Possible values:

    • `android-aab`: Scan an android `.AAB` package file;
    • `android-apk`: Scan an android `.APK` package file;
    • `ios-ipa`: Scan an iOS `.IPA` package file;

  • target: Path to the target application. The Application should be mounted as specified in step 3.