Ostorlab Integration with CircleCI

Overview

This guide explains how to seamlessly integrate security and privacy testing into your mobile application pipeline builds using CircleCI.

Video Demonstration

Watch this brief video for a visual walkthrough of the integration process.

Generate an API Key

The first step is to generate a new API key. In your organization dashboard, click the menu button.

Click menu button

Next, click "Library" to expand.

Click 'Library'

Then, choose "API Keys".

Click 'API Keys'

From here, click "New".

Click 'New'

Copy the API key. You can also add a name and an expiry date to your key.

Fill 'API key details'

Don't forget to click the save button to save your key.

Save API key

Update Your CircleCI Pipeline

Now, update your CircleCI pipeline to include an Ostorlab step for triggering the security scan.

Edit CircleCI config

Search for the Ostorlab orb:

Search Ostorlab orb

Select Ostorlab orb

Confirm Ostorlab orb

Define the asset type as either Android or iOS. In this example, we are choosing Android to scan an Android app.

Select asset type

Enter the generated API key.

Enter API key

Add the scan profile. Choose between Fast Scan for rapid static analysis or Full Scan for comprehensive analysis, including static, dynamic, and backend scans.

Select scan profile

Provide the path to the APK or IPA file.

Provide APK path

By default, the step does not fail based on the risk rating; it only creates a scan on the Ostorlab platform. If you set this value to HIGH, the step fails when the scan's risk rating is equal to or higher than HIGH.

Set risk rating

By default, the step waits up to 2 hours for the scan results before failing with a timeout error. You can change this value to any number of minutes.

Set timeout
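The two settings above decide whether the build is blocked: the risk-rating threshold and the wait timeout. The following is an added illustration of that gating logic written for this guide; it is not the orb's own code. The rating names in RISK_ORDER and the one-minute poll interval are assumptions, and the scan status is a constructed sequence rather than a call to the Ostorlab API.

```python
"""Model of the CI gate: wait for a scan, then fail on risk rating (illustrative, not the orb's code)."""
from typing import Callable, Iterable, Optional

# Assumed ordinal scale, lowest to highest; only the relative order matters.
RISK_ORDER = ["SECURE", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def exceeds_threshold(rating: str, threshold: Optional[str]) -> bool:
    """True when the scan rating is at or above the configured threshold.
    A threshold of None reproduces the default: never fail on risk rating."""
    if threshold is None:
        return False
    return RISK_ORDER.index(rating.upper()) >= RISK_ORDER.index(threshold.upper())


def wait_for_scan(poll: Callable[[], Optional[str]], timeout_minutes: int = 120,
                  poll_interval_minutes: int = 1) -> str:
    """Poll until `poll` returns a final rating or the timeout (in minutes) elapses.
    `poll` returns None while the scan is still running."""
    elapsed = 0
    while True:
        rating = poll()
        if rating is not None:
            return rating
        if elapsed >= timeout_minutes:
            raise TimeoutError(f"scan not finished after {timeout_minutes} minutes")
        # A real step would sleep here; the model only advances the clock.
        elapsed += poll_interval_minutes


def gate_pipeline(poll: Callable[[], Optional[str]], risk_threshold: Optional[str] = None,
                  timeout_minutes: int = 120) -> dict:
    """Outcome of the CI step: the final rating and whether the build should fail."""
    rating = wait_for_scan(poll, timeout_minutes)
    return {"rating": rating, "failed": exceeds_threshold(rating, risk_threshold)}


def make_poll(statuses: Iterable[Optional[str]]) -> Callable[[], Optional[str]]:
    """Constructed scan status source: yields each status in turn."""
    it = iter(statuses)
    return lambda: next(it)


if __name__ == "__main__":
    # Constructed run: two polls still running, then the scan finishes at HIGH.
    print(gate_pipeline(make_poll([None, None, "HIGH"]), risk_threshold="HIGH"))
```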

The extra parameter lets you provide your lock files for enhanced scan analysis. It also lets you supply either simple credentials or custom credentials to enable authenticated testing.

Provide extra parameters

Supported SBOM/Lock Files

  • SPDX
  • CycloneDX
  • gradle.lockfile
  • pubspec.lock
  • buildscript-gradle.lockfile
  • pnpm-lock.yaml
  • package-lock.json
  • packages.lock.json
  • pom.xml
  • Gemfile.lock
  • yarn.lock
  • Cargo.lock
  • composer.lock
  • conan.lock
  • mix.lock
  • go.mod
  • requirements.txt
  • Pipfile.lock
  • poetry.lock

Add a title for your scan.

Add scan title

Now click on "Preview Snippet":

Preview snippet

Copy the snippet and paste it into your CircleCI pipeline configuration file.

Copy snippet

Paste snippet

Save snippet

Finally, save the changes.

Save changes

Then commit the changes to your repository.

Commit changes

After the pipeline runs, you can check the progress, retrieve the scan ID, and monitor your scan within your organization account on Ostorlab.

Monitor scan progress

For example, this is the report for the current scan.

View scan report

Conclusion

This guide covers the steps required to effectively and easily integrate Ostorlab autonomous security testing for Android and iOS mobile apps into your CircleCI pipeline.