

To use the Ostorlab GitHub Action, the first step is to generate an API key. To do so, follow these steps:

  1. Go to the API keys menu.
  2. Click the new button to generate a new key.
  3. Copy the API key (you can add a name and an expiry date to your key).
  4. Click the save button; the key is not stored until you save it.


Once you have generated your API key, add it to GitHub Secrets. Make sure the secret name matches the name referenced in the YAML file (ostorlab_api_key in the sample workflow). For detailed instructions, follow GitHub: Creating encrypted secrets for a repository.

The next step is to update your workflow to add an Ostorlab step that triggers the scan. Below is a sample that performs a rapid scan on an Android APK and fails the pipeline on vulnerabilities with HIGH severity.

on: [push]

jobs:
  ostorlab_scan: # job id, any name works
    runs-on: ubuntu-latest
    name: Test ostorlab ci actions.
    steps:
      - uses: actions/checkout@v2
      - name: build ostorlab.apk
        run: mv InsecureBankv2.apk ostorlab.apk
      - name: Launch Ostorlab scan
        id: start_scan
        uses: Ostorlab/ostorlab_actions@v1.1.0
        with:
          scan_profile: fast_scan # Specify which scan profile to use for the scan (check scan section).
          asset_type: android-apk # type of asset to scan.
          target: ostorlab.apk # path for target to scan.
          scan_title: title_scan_ci # type a title for your scan.
          ostorlab_api_key: ${{ secrets.ostorlab_api_key }} # your secret api key.
          break_on_risk_rating: HIGH # Wait for the scan results and force the action to fail if the scan risk is HIGH or higher.
          max_wait_minutes: 30 # Max time to wait for the results; the pipeline does not fail on timeout.
      - name: Get scan id
        run: echo "Scan Created with id ${{ steps.start_scan.outputs.scan_id }} you can access the full report at ${{ steps.start_scan.outputs.scan_id }}/"

SBOM/Lock Files

You can supply your SBOM/lock files to enhance the scan analysis. To do so, use the extra input to pass --sbom followed by the file path. For example, to add a package-lock.json file, use the following input:

extra: --sbom package-lock.json

The supported files are:
  • buildscript-gradle.lockfile
  • Cargo.lock
  • composer.lock
  • conan.lock
  • Gemfile.lock
  • go.mod
  • gradle.lockfile
  • mix.lock
  • Pipfile.lock
  • package-lock.json
  • packages.lock.json
  • pnpm-lock.yaml
  • poetry.lock
  • pom.xml
  • pubspec.lock
  • requirements.txt
  • yarn.lock

Test Credentials

Ostorlab supports authenticated testing with either a simple login/password pair or custom inputs identified by a name/label and a value.

To pass test credentials, since GitHub Actions YAML inputs do not support passing complex objects, use the extra input to pass the --test-credentials-* flags. For instance, to add a login/password pair and custom credentials with custom names and values, add the following input:

extra: --test-credentials-login test_login --test-credentials-password test_pass --test-credentials-role ci_role --test-credentials-name foo1 --test-credentials-value bar1 --test-credentials-name foo2 --test-credentials-value bar2
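The extra string above hard-codes the credentials and the lock file path in the workflow file. The following bash helper, added here as an example and not part of the Ostorlab documentation or of the action's own code, builds that string in a preceding workflow step so that the login and password come from GitHub secrets exposed as environment variables (assumed names TEST_LOGIN, TEST_PASSWORD, TEST_ROLE and TEST_CUSTOM) and the lock file name is checked against the list of supported files before it is passed with --sbom. The later step can then use ${{ steps.<prep-step-id>.outputs.extra }} as the value of the extra input.

```bash
#!/usr/bin/env bash
# Added example (not the Ostorlab action's code): assemble the `extra` input
# for Ostorlab/ostorlab_actions from environment variables instead of
# literal values in the workflow YAML.
#
# Assumed environment (set them from GitHub secrets in the workflow step):
#   TEST_LOGIN / TEST_PASSWORD  login/password test credentials
#   TEST_ROLE                   optional role for the credentials
#   TEST_CUSTOM                 optional space-separated NAME=VALUE pairs
# Values must not contain whitespace, because `extra` is a flat argument string.

# Lock/SBOM file names listed as supported on the page.
SUPPORTED_SBOM_FILES="buildscript-gradle.lockfile Cargo.lock composer.lock conan.lock Gemfile.lock go.mod gradle.lockfile mix.lock Pipfile.lock package-lock.json packages.lock.json pnpm-lock.yaml poetry.lock pom.xml pubspec.lock requirements.txt yarn.lock"

# is_supported_sbom PATH -> returns 0 when the file's basename is supported.
is_supported_sbom() {
  local name="${1##*/}"
  local f
  for f in $SUPPORTED_SBOM_FILES; do
    [ "$f" = "$name" ] && return 0
  done
  return 1
}

# build_extra [SBOM_PATH] -> prints the `extra` string on stdout.
# Fails (exit 1) when an unsupported lock file is given, so a typo in the
# file name is caught in the prep step rather than silently ignored by the scan.
build_extra() {
  local sbom="${1:-}" extra=""
  if [ -n "$sbom" ]; then
    is_supported_sbom "$sbom" || { echo "unsupported SBOM/lock file: $sbom" >&2; return 1; }
    extra="--sbom $sbom"
  fi
  if [ -n "${TEST_LOGIN:-}" ] && [ -n "${TEST_PASSWORD:-}" ]; then
    extra="$extra --test-credentials-login $TEST_LOGIN --test-credentials-password $TEST_PASSWORD"
  fi
  if [ -n "${TEST_ROLE:-}" ]; then
    extra="$extra --test-credentials-role $TEST_ROLE"
  fi
  local pair
  for pair in ${TEST_CUSTOM:-}; do
    extra="$extra --test-credentials-name ${pair%%=*} --test-credentials-value ${pair#*=}"
  done
  printf '%s\n' "${extra# }"
}

# emit_extra_output [SBOM_PATH] -> writes extra=<string> to $GITHUB_OUTPUT
# when running inside a GitHub Actions step (GITHUB_OUTPUT is set by the runner).
emit_extra_output() {
  local value
  value=$(build_extra "${1:-}") || return 1
  if [ -n "${GITHUB_OUTPUT:-}" ]; then
    printf 'extra=%s\n' "$value" >> "$GITHUB_OUTPUT"
  fi
  printf '%s\n' "$value"
}

# Usage inside a step:  emit_extra_output package-lock.json
```

Because the values originate from ${{ secrets.* }} rather than from literals in the YAML, GitHub masks them in the job log, and rotating a test account no longer requires a commit to the workflow file.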

Action inputs

The GitHub Action accepts the following inputs:

  • scan_profile (['fast_scan', 'full_scan']): [Required] - Specifies the scan profile (fast_scan for fast static-only analysis and full_scan for full static, dynamic and backend coverage).
  • asset_type (['android-apk', 'android-aab', 'ios-ipa']): [Required] - Target asset type; Ostorlab supports APK, AAB and IPA.
  • target: [Required] - Target file to scan.
  • ostorlab_api_key: [Required] - API key from the Ostorlab portal.
  • scan_title: [Optional] - A scan title to identify your scan.
  • break_on_risk_rating (['HIGH', 'MEDIUM', 'LOW', 'POTENTIALLY']): [Optional] - Wait for the scan results and force the action to fail if the risk rating matches or is higher than the provided value.
  • max_wait_minutes: [Optional] - Maximum wait time in minutes; the pipeline will not fail if the scan times out.
  • extra: [Optional] - Extra argument flags to pass to the Ostorlab ci-scan CLI. A common use case is passing the scan test credentials.

Action outputs

  • scan_id - The scan id is accessible using the following syntax: ${{ steps.STEP_ID.outputs.scan_id }}, where STEP_ID is the id given to the Ostorlab step.