GitHub

To use the Ostorlab GitHub Action, the first step is to generate an API key:

  1. Go to the API keys menu
  2. Click the new button to generate a new key
  3. Copy the API key (you can add a name and an expiry date to your key)
  4. Click the save button to save your key; the key is not stored until you do


Once you have generated your API key, add it to GitHub Secrets. Make sure the secret name matches the one referenced in the YAML file (secrets.ostorlab_api_key in the sample below). For more detailed instructions, follow GitHub's guide: Creating encrypted secrets for a repository.

The next step is to update your workflow with an Ostorlab step that triggers the scan. Below is a sample that performs a rapid scan on an Android APK and fails the pipeline on vulnerabilities with HIGH severity.

on: [push]
jobs:
  ostorlab_test:
    runs-on: ubuntu-latest
    name: Test ostorlab ci actions.
    steps:
      - uses: actions/checkout@v2
      - name: Launch Ostorlab scan
        id: start_scan
        uses: actions/ostorlab_actions@v1
        with:
          plan: rapid_static
          asset_type: android-apk
          target: android_apk.apk
          scan_title: title_scan_ci
          ostorlab_api_key: ${{secrets.ostorlab_api_key}}  # your API key, read from GitHub Secrets
          break_on_risk_rating: HIGH
          max_wait_minutes: 20

Action inputs

The GitHub action accepts the following options:

  • plan (['rapid_static', 'static_dynamic_backend']): [Required] - Specifies the scan plan: rapid_static for fast static-only analysis, static_dynamic_backend (full analysis) for full static, dynamic and backend coverage.
  • asset_type (['android-apk', 'android-aab', 'ios-ipa']): [Required] - Target asset type; Ostorlab supports APK, AAB and IPA.
  • target: [Required] - Target file to scan.
  • ostorlab_api_key: [Required] - API key from the Ostorlab portal.
  • scan_title: [Optional] - A scan title to identify your scan.
  • break_on_risk_rating (['HIGH', 'MEDIUM', 'LOW', 'POTENTIALLY']): [Optional] - Wait for the scan results and force the action to fail if the risk rating matches or is higher than the provided value.
  • max_wait_minutes: [Optional] - Maximum wait time in minutes; the pipeline will not fail if the scan times out.
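As an added illustration (not the Ostorlab action's own code), the following Python sketches the input rules above and the break_on_risk_rating / max_wait_minutes semantics: a `with:` block is checked for required inputs, allowed values and a secret-backed API key, and a fail decision is derived from the findings' ratings. The severity ordering and the secret check are assumptions, and the sample input is constructed from the workflow on this page.

```python
# Added illustration of the input rules and the break_on_risk_rating /
# max_wait_minutes semantics described on this page. Not the Ostorlab
# action's own code; the rating order and the secret check are assumptions.
from typing import Optional

PLANS = {"rapid_static", "static_dynamic_backend"}        # from the inputs list
ASSET_TYPES = {"android-apk", "android-aab", "ios-ipa"}   # from the inputs list
RATING_ORDER = ["POTENTIALLY", "LOW", "MEDIUM", "HIGH"]   # least to most severe (assumed)
REQUIRED = ("plan", "asset_type", "target", "ostorlab_api_key")


def validate_inputs(with_block: dict) -> list:
    """Return the problems found in an action `with:` block (empty list when valid)."""
    errors = []
    for key in REQUIRED:
        if not with_block.get(key):
            errors.append(f"missing required input: {key}")
    if "plan" in with_block and with_block["plan"] not in PLANS:
        errors.append(f"plan must be one of {sorted(PLANS)}")
    if "asset_type" in with_block and with_block["asset_type"] not in ASSET_TYPES:
        errors.append(f"asset_type must be one of {sorted(ASSET_TYPES)}")
    rating = with_block.get("break_on_risk_rating")
    if rating is not None and str(rating).upper() not in RATING_ORDER:
        errors.append(f"break_on_risk_rating must be one of {RATING_ORDER}")
    api_key = with_block.get("ostorlab_api_key", "")
    if api_key and "${{" not in api_key:  # a literal key in the workflow file leaks it
        errors.append("ostorlab_api_key must come from GitHub Secrets, not a literal")
    return errors


def should_fail(found_ratings: list, break_on: Optional[str], timed_out: bool) -> bool:
    """Page rule: fail only when break_on_risk_rating is set, the scan finished within
    max_wait_minutes, and some finding is at or above the threshold rating."""
    if break_on is None or timed_out:
        return False
    threshold = RATING_ORDER.index(break_on.upper())
    return any(RATING_ORDER.index(r.upper()) >= threshold for r in found_ratings)


# Constructed sample: the `with:` block of the workflow shown on this page.
SAMPLE_WITH = {
    "plan": "rapid_static",
    "asset_type": "android-apk",
    "target": "android_apk.apk",
    "scan_title": "title_scan_ci",
    "ostorlab_api_key": "${{secrets.ostorlab_api_key}}",
    "break_on_risk_rating": "HIGH",
    "max_wait_minutes": 20,
}
```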