Skip to content


Easily integrate Ostorlab automated security testing for Android and iOS mobile apps into your build process.

Getting Started:

Create CircleCi API key:

  1. Go to the API keys menu
  2. Click the new button to generate a new key
  3. Copy the api key (You can add a name and an expiry date to your key)
  4. Click the save button to save your key (You can add a name and an expiry date to your key), do not forget to click the save button to save your key. api key

Use Ostorlab orb in your workflow:

The next steps is to update your Circleci config.yml to add the Ostorlab orb to trigger the scan. Below is a sample performing a rapid scan on an Android APK and failing the pipeline on vulnerabilities with HIGH severity.

version: '2.1'
  ostorlab-circleci: ostorlab-circleci/ostorlab@0.0.1
      - ostorlab-circleci/ostorlab:
          ostorlab_api_key: The Generated API Key
          asset_type: android-apk
          break_on_risk_rating: HIGH
          max_wait_minutes: 5
          scan_profile: fast_scan
          scan_title: test
          target: files/app.apk
          extra: --test-credentials-login=test_login --test-credentials-password=test_pass --sbom=files/package-lock.json

SBOM/Lock Files

You can supply your SBOM/Lock files to enhance the scan analysis, to do so use the extra input to pass --sbom, for example to add package-lock.json file use the following example:

extra:  --sbom=package-lock.json
Here you can see the list of the supported files:
  • buildscript-gradle.lockfile
  • Cargo.lock
  • composer.lock
  • conan.lock
  • Gemfile.lock
  • go.mod
  • gradle.lockfile
  • mix.lock
  • Pipfile.lock
  • package-lock.json
  • packages.lock.json
  • pnpm-lock.yaml
  • poetry.lock
  • pom.xml
  • pubspec.lock
  • requirements.txt
  • yarn.lock

Test Credentials

Ostorlab supports performing authenticated testing with either simple login password or custom inputs identified with name/label and passing value. To pass test credentials, since the Circleci YAML Action do not support passing complex objects, you can use the extra input to pass --test-credetials-***. For instance to add login/password and a custom credentials with custom names and values, add the following input:

extra: --test-credentials-login test_login --test-credentials-password test_pass --test-credentials-role ci_role --test-credentials-name foo1 --test-credentials-value bar1 --test-credentials-name foo2 --test-credentials-value bar2

Action inputs

The Circleci actions the following options: - scan_profile (['fast_scan', 'full_scan']): [Required] - Specifies the scan profile ( fast_scan for fast static only analysis and full_scan for full static, dynamic and backend coverage). - asset_type (['android-apk', 'android-aab', 'ios-ipa']): [Required] - Target asset, Ostorlab supports APK, AAB and IPA. - target: [Required] - target file to scan. - ostorlab_api_key: [Required] - API Key from Ostorlab portal. - scan_title: [Optional] - A scan title to identify your scan. - break_on_risk_rating (['HIGH', 'MEDIUM', 'LOW','POTENTIALLY]): [Optional] - Wait for the scan results and force the action to fail if the risk rating match or is higher than the provided value. - max_wait_minutes: [Optional] - Max wait time in minutes, pipeline will not fail if the scan times out. - extra: [Optional] - Extra argument flags to pass to the Ostorlab ci-scan CLI. Common use case is passing the scan test credentials.

Action outputs

  • scan_id - The scan is accessible when you visit this link:{scan_id}.