CircleCI
Easily integrate Ostorlab automated security testing for Android and iOS mobile apps into your build process.
Getting Started:
Create an Ostorlab API key (the orb authenticates to Ostorlab, not to CircleCI, so the key comes from the Ostorlab portal):
- In the Ostorlab portal, go to the API keys menu
- Click the new button to generate a new key (you can give the key a name and an expiry date)
- Copy the API key
- Click the save button to save your key
Use Ostorlab orb in your workflow:
The next step is to update your CircleCI config.yml to add the Ostorlab orb that triggers the scan. Below is a sample that performs a rapid scan on an Android APK and fails the pipeline on vulnerabilities with HIGH severity.
version: '2.1'
orbs:
  ostorlab-circleci: ostorlab-circleci/ostorlab@0.0.1
workflows:
  use-my-orb:
    jobs:
      - ostorlab-circleci/ostorlab:
          ostorlab_api_key: The Generated API Key
          asset_type: android-apk
          break_on_risk_rating: HIGH
          max_wait_minutes: 5
          scan_profile: fast_scan
          scan_title: test
          target: files/app.apk
          extra: --test-credentials-login=test_login --test-credentials-password=test_pass --sbom=files/package-lock.json
The value shown for ostorlab_api_key is a placeholder. Do not commit the real key to config.yml; store it as a CircleCI project environment variable or context and reference it from there, so it stays out of version control and build logs.
SBOM/Lock Files
You can supply your SBOM/lock files to enhance the scan analysis. To do so, use the extra input to pass --sbom; for example, to add a package-lock.json file, use the following input:
extra: --sbom=package-lock.json
The following lock files are supported:
- buildscript-gradle.lockfile
- Cargo.lock
- composer.lock
- conan.lock
- Gemfile.lock
- go.mod
- gradle.lockfile
- mix.lock
- Pipfile.lock
- package-lock.json
- packages.lock.json
- pnpm-lock.yaml
- poetry.lock
- pom.xml
- pubspec.lock
- requirements.txt
- yarn.lock
Test Credentials
Ostorlab supports authenticated testing with either a simple login/password pair or custom inputs identified by a name/label and carrying a value.
Because CircleCI orb parameters do not support passing complex objects, test credentials are passed through the extra input using the --test-credentials-* flags. For instance, to add a login/password plus custom credentials with your own names and values, add the following input:
extra: --test-credentials-login test_login --test-credentials-password test_pass --test-credentials-role ci_role --test-credentials-name foo1 --test-credentials-value bar1 --test-credentials-name foo2 --test-credentials-value bar2
Each --test-credentials-name is paired with the --test-credentials-value that follows it. Use a dedicated test account with the least privileges the scan needs, and keep the real values in a CircleCI environment variable or context rather than in config.yml.
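Both the SBOM flags and the test credentials travel through the single flat extra string, so it is easier to generate that string from structured values than to hand-edit it. The following Python script is an added example, not code from the Ostorlab orb or CLI: it discovers the supported lock files in a checkout and composes the extra input with shell quoting so that a value containing spaces or shell metacharacters survives as one token. The SKIP_DIRS list, the temporary repository layout it constructs, and the use of the --flag=value form for every flag (the form the workflow sample on this page uses) are assumptions of the example.

```python
"""Compose the Ostorlab orb `extra` input from structured values.

Added example; not part of the Ostorlab orb or CLI. It uses only the flags
documented on this page (--sbom and --test-credentials-*).
"""
import os
import shlex
import tempfile

# Lock files the page lists as supported SBOM inputs.
SUPPORTED_LOCK_FILES = frozenset({
    "buildscript-gradle.lockfile", "Cargo.lock", "composer.lock", "conan.lock",
    "Gemfile.lock", "go.mod", "gradle.lockfile", "mix.lock", "Pipfile.lock",
    "package-lock.json", "packages.lock.json", "pnpm-lock.yaml", "poetry.lock",
    "pom.xml", "pubspec.lock", "requirements.txt", "yarn.lock",
})

# Assumption: directories holding third-party copies rather than the app's own manifests.
SKIP_DIRS = frozenset({".git", "node_modules", "vendor", "build"})


def find_lock_files(root):
    """Return repo-relative paths (forward slashes) of supported lock files under root."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune in place so os.walk does not descend into skipped directories.
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            if name in SUPPORTED_LOCK_FILES:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                found.append(rel.replace(os.sep, "/"))
    return sorted(found)


def build_extra(sbom_paths=(), login=None, password=None, role=None, custom=()):
    """Build the flat extra string.

    custom is a sequence of (name, value) pairs; each becomes an adjacent
    --test-credentials-name / --test-credentials-value pair, the layout shown
    on the page. shlex.quote keeps a value with spaces or shell metacharacters
    as a single token when the string is later split by a shell.
    """
    flags = ["--sbom=" + shlex.quote(p) for p in sbom_paths]
    for flag, value in (("login", login), ("password", password), ("role", role)):
        if value is not None:
            flags.append("--test-credentials-%s=%s" % (flag, shlex.quote(value)))
    for name, value in custom:
        flags.append("--test-credentials-name=" + shlex.quote(name))
        flags.append("--test-credentials-value=" + shlex.quote(value))
    return " ".join(flags)


def split_extra(extra):
    """Split the string the way a POSIX shell would, to check it round-trips."""
    return shlex.split(extra)


def demo():
    """Constructed repository layout (assumption) to exercise lock-file discovery."""
    root = tempfile.mkdtemp()
    for rel in ("app/package-lock.json", "ios/Gemfile.lock", "ios/Podfile.lock",
                "node_modules/dep/package-lock.json"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    # Podfile.lock is not in the supported list; node_modules is pruned.
    return find_lock_files(root)


if __name__ == "__main__":
    sboms = demo()
    # Password chosen to show the quoting; real values belong in a CircleCI context.
    extra = build_extra(sboms, login="test_login", password="p@ss w0rd!",
                        custom=[("foo1", "bar1")])
    print("extra:", extra)
    print("tokens:", split_extra(extra))
```

Paste the returned string into the orb's extra input. The split_extra check is worth keeping in a pre-commit hook: if the token list does not come back exactly as the values you passed in, the quoting was lost somewhere and the scan will receive a truncated credential.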
Action inputs
The orb accepts the following inputs:
- scan_profile (['fast_scan', 'full_scan']): [Required] - Specifies the scan profile (fast_scan for fast static-only analysis and full_scan for full static, dynamic and backend coverage).
- asset_type (['android-apk', 'android-aab', 'ios-ipa']): [Required] - Target asset type; Ostorlab supports APK, AAB and IPA.
- target: [Required] - Target file to scan.
- ostorlab_api_key: [Required] - API key from the Ostorlab portal.
- scan_title: [Optional] - A scan title to identify your scan.
- break_on_risk_rating (['HIGH', 'MEDIUM', 'LOW', 'POTENTIALLY']): [Optional] - Wait for the scan results and fail the job if the risk rating matches or is higher than the provided value.
- max_wait_minutes: [Optional] - Maximum wait time in minutes; the pipeline will not fail if the scan times out. Because a timeout does not fail the job, a short value can let a build pass before the scan has finished, so when break_on_risk_rating is meant to act as a gate set max_wait_minutes long enough for the chosen scan profile to complete.
- extra: [Optional] - Extra argument flags to pass to the Ostorlab ci-scan CLI. A common use case is passing the scan test credentials.
Action outputs
scan_id - The identifier of the scan that was created. The scan report is accessible at https://report.ostorlab.co/scan/{scan_id}.