GitLab
Easily Integrate Ostorlab autonomous security testing for Android and iOS mobile apps to your build process.
Summary
Powered by static taint analysis, 3rd party dependencies fingerprinting and vulnerability analysis, dynamic instrumentation and novel backend scanning capabilities, Ostorlab leads the way providing the most advanced vulnerability detection capabilities.
To get more information visit us at https://www.ostorlab.co
Getting Started
Access token
- Go to the API keys menu
- Click the new button to generate a new key
- Copy the api key (You can add a name and an expiry date to your key)
- Click the save button to save your key
Required Environment variables
OSTORLAB_API_KEY=API_KEY
- Specifies your api keyOSTORLAB_FILE_PATH=FILE_PATH
- Specifies the path to Android apk or IOS ipaOSTORLAB_PLATFORM=PLATFORM
- Specifies the platform android or ios
Optional Environment variables
Following are optional parameters that can be set from environment variables:
OSTORLAB_PLAN=free or static_dynamic_backend
- Specifies your scan plan (free for community scans and static_dynamic_backend for full analysis).OSTORLAB_TITLE=My Title
- Specifies the scan title.OSTORLAB_WAIT_FOR_RESULTS=true
- Set to true if you want to wait for the scan to finish and retrieve the result.OSTORLAB_WAIT_MINUTES=30
- Specifies the number of minutes to wait DEFAULT=30min.OSTORLAB_BREAK_BUILD_ON_SCORE=true
- Set to true to generate an exception if the scan risk rating is higher than the threshold.OSTORLAB_RISK_THRESHOLD=medium
- Specifies your risk rating threshold.
Creating a Gitlab-CI Pipeline:
Example to use for your .gitlab-ci.yml
stages:
- build
- test
build:
stage: build
script:
- Pre steps to build
- ./gradlew assembleDebug
artifacts:
paths:
- app/build/outputs/
runScanOstorlab:
stage: test
image: ostorlab/gitlab-ci
variables:
OSTORLAB_FILE_PATH: app/build/outputs/apk/debug/app-debug.apk
OSTORLAB_PLATFORM: android
script:
- run_ostorlab.sh
Adding Environment variables in Gitlab Pipeline
1- Select Settings option from your Gitlab project.
2- Select CI/CD
.
3- Select Variables
section to add environment variables for your pipeline, e.g.
Adding Environment variables in Gitlab Pipeline
Select Settings option from your Gitlab project and then jump to Variables
section to add environment variables for your pipeline, e.g.
Verifying the Build
Once the job is done, if you choose to wait for the scan result and break if the risk rating is higher than the threshold, than the job might fail if its risk rating is equal or higher than the threshod. Otherwise, the job will succeed with a line indicating the scan risk rating