Skip to content

Ostorlab Integration with GitLab

In this guide, we will explore how to easily Integrate Ostorlab autonomous security testing for Android and iOS mobile apps to your gitlab build process.

Generate new API key

The first step is to generate an API key. To do so, simply follow the following steps:

Go to

Click the Menu button

Click Library to expand

Click API Keys

Click New to generate a new API key

Copy the API key. You can also add a name and an expiry date to your key.

Don't forget to click the save button to save your key.

Creating a Gitlab-CI Pipeline:

Example to use for your .gitlab-ci.yml

  - build
  - test

  stage: build
      - Pre steps to build
      - ./gradlew assembleDebug
    - app/build/outputs/

  stage: test
  image: ostorlab/gitlab-ci
    OSTORLAB_FILE_PATH: app/build/outputs/apk/debug/app-debug.apk

Required Environment variables

  • OSTORLAB_API_KEY=API_KEY - Specifies your api key
  • OSTORLAB_FILE_PATH=FILE_PATH - Specifies the path to Android apk or IOS ipa
  • OSTORLAB_PLATFORM=PLATFORM - Specifies the platform android or ios

Optional Environment variables

Following are optional parameters that can be set from environment variables:

  • OSTORLAB_PLAN=free or static_dynamic_backend - Specifies your scan plan (free for community scans and static_dynamic_backend for full analysis).
  • OSTORLAB_TITLE=My Title - Specifies the scan title.
  • OSTORLAB_WAIT_FOR_RESULTS=true - Set to true if you want to wait for the scan to finish and retrieve the result.
  • OSTORLAB_WAIT_MINUTES=30 - Specifies the number of minutes to wait DEFAULT=30min.
  • OSTORLAB_BREAK_BUILD_ON_SCORE=true - Set to true to generate an exception if the scan risk rating is higher than the threshold.
  • OSTORLAB_RISK_THRESHOLD=medium - Specifies your risk rating threshold.

Adding Environment variables in Gitlab Pipeline

To add environment variables in you Gitlab Pipeline, navigate to settings then CI/CD, and then jump to Variables section to add environment variables for your pipeline as following:

After that, you can see that the variable is added to the list of variables.

Once the job is done, if you choose to wait for the scan result and break if the risk rating is higher than the threshold, than the job might fail if its risk rating is equal or higher than the threshold. Otherwise, the job will succeed with a line indicating the scan risk rating.

This guide covered the steps required to effectively & easily Integrate Ostorlab autonomous security testing for Android and iOS mobile apps to your gitlab build process.