
Ostorlab Integration with CircleCI

Overview

This guide explains how to integrate Ostorlab security and privacy testing into the CircleCI pipeline that builds your mobile application.

Video Demonstration

Watch this brief video for a visual walkthrough of the integration process.

Generate an API Key

The first step is to generate a new API key. In your organization dashboard, click the menu button.

[Screenshot: organization dashboard menu button]

Next, click "Library" to expand.

[Screenshot: click 'Library']

Then, choose "API Keys".

[Screenshot: click 'API Keys']

From here, click "New".

[Screenshot: click 'New']

Copy the API key. You can also give the key a name and an expiry date.

[Screenshot: key named 'Github_action_key']

Don't forget to click the save button to save your key.


Update Your CircleCI Pipeline

Now, update your CircleCI pipeline configuration to add an Ostorlab step that triggers the security scan.

[Screenshot: edit config]

Search for the Ostorlab orb:

[Screenshot: Orbs search]

Define the asset type as either Android or iOS. In this example, we choose Android to scan an Android app.

[Screenshot: asset type]

Enter the generated API key.

[Screenshot: API key]

Select the scan profile. Choose between Fast Scan, for rapid static analysis, and Full Scan, for comprehensive analysis that includes static, dynamic, and backend scans.

[Screenshot: scan profile]

Provide the path to the APK or IPA file.

[Screenshot: APK path]

By default, the scan step does not fail the pipeline based on the risk rating; it only creates a scan in the Ostorlab platform. If you set this value to HIGH, the step fails when the scan's risk rating is equal to or higher than HIGH.

[Screenshot: risk rating]

By default, the scan step waits up to 2 hours for the scan results before failing with a timeout error. You can change this value to any number of minutes.

[Screenshot: timeout]

The extra parameter lets you supply lock files (SBOMs) for enhanced dependency analysis, and either simple or custom credentials to enable authenticated testing.

[Screenshot: extra params]

Supported SBOM/Lock Files

  • SPDX
  • CycloneDX
  • gradle.lockfile
  • pubspec.lock
  • buildscript-gradle.lockfile
  • pnpm-lock.yaml
  • package-lock.json
  • packages.lock.json
  • pom.xml
  • Gemfile.lock
  • yarn.lock
  • Cargo.lock
  • composer.lock
  • conan.lock
  • mix.lock
  • go.mod
  • requirements.txt
  • Pipfile.lock
  • poetry.lock

Add a title for your scan.

[Screenshot: scan title]
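The parameters above, assembled into a complete CircleCI config as an added example. This is not the snippet the Ostorlab orb generates, nor code from the Ostorlab project: the orb reference (ostorlab/ostorlab@x.y.z), the command name (scan), and every parameter name are assumptions that mirror the fields described on this page, and the build image, the API-key environment variable, and the lock-file flag in the extra parameter are assumed as well. Take the real names from the "Preview Snippet" output.

```yaml
# Added example: wiring an Ostorlab scan into a CircleCI build.
# ASSUMPTION: orb coordinates, command name and parameter names below are
# placeholders mirroring the page's fields; copy the real ones from the
# "Preview Snippet" step in the orb registry.
version: 2.1

orbs:
  ostorlab: ostorlab/ostorlab@x.y.z   # assumed orb reference (placeholder version)

jobs:
  build:
    docker:
      - image: cimg/android:2024.01   # assumed Android build image
    steps:
      - checkout
      - run:
          name: Build debug APK
          command: ./gradlew assembleDebug
      # Hand the APK and the Gradle lock file to the scan job.
      - persist_to_workspace:
          root: .
          paths:
            - app/build/outputs/apk/debug/app-debug.apk
            - gradle.lockfile

  security-scan:
    docker:
      - image: cimg/base:stable
    steps:
      - attach_workspace:
          at: .
      - ostorlab/scan:                                   # assumed command name
          asset_type: android                            # android or ios
          # The key never appears literally in config.yml: OSTORLAB_API_KEY is
          # an assumed project environment variable (or context) holding it.
          api_key: $OSTORLAB_API_KEY
          scan_profile: full_scan                        # fast_scan or full_scan (assumed values)
          file_path: app/build/outputs/apk/debug/app-debug.apk
          break_on_risk_rating: HIGH                     # fail when rating >= HIGH; unset = never fail
          max_wait_minutes: 90                           # default on the page is 2 hours
          title: "app-debug << pipeline.git.revision >>" # CircleCI pipeline value
          extra: "--sbom gradle.lockfile"                # assumed flag; one of the supported lock files

workflows:
  build-and-scan:
    jobs:
      - build
      - security-scan:
          requires:
            - build                                      # scan only a build that succeeded
```

Two design points carry over whatever the real parameter names turn out to be: the API key is read from a CircleCI environment variable or context so it is never committed to the repository, and the risk-rating gate is set explicitly so a HIGH or CRITICAL finding blocks the workflow instead of merely creating a scan.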

Now click on "Preview Snippet":

[Screenshot: Preview Snippet]

Copy the snippet and paste it into your CircleCI pipeline configuration file.

[Screenshots: copy snippet, paste snippet]

Finally, save the changes.

[Screenshot: save changes]

Then commit the changes to your repository.

[Screenshot: commit changes]

Once the pipeline runs, you can check its progress, retrieve the scan ID, and monitor the scan from your organization account on Ostorlab.

[Screenshot: monitor scan]

For example, this is the report for the scan triggered by this pipeline run.

[Screenshot: scan report]

Conclusion

This guide covered the steps required to integrate Ostorlab autonomous security testing for Android and iOS mobile apps into your CircleCI pipeline.