Skip to content


Easily integrate Ostorlab automated security scanning for Android and iOS mobile applications into your GoCd build process.


Generate an Ostorlab API key

  1. Go to the API keys menu
  2. Click the new button to generate a new key
  3. Copy the API key (You can add a name and an expiry date to your key)
  4. Click the save button to save your key

Api key Step1

Add Ostorlab as a Command Line Stage on GoCd

  1. Head to your GoCd Dashboard and select your pipeline.

    Gocd dashboard

  2. Click Edit on your pipeline.

    Gocd pipeline

  3. Select Stages.

    Gocd stage

  4. Add new stage and fill the form.

    • For the initial Job type Select Custom Command.
    • And give it the following arguments:
    • Command: bash
    • Arguments: |
      pip install ostorlab
    • click save.

    Gocd new stage

  5. Navigate to JOBS tab and select your newly added job.

    Gocd jobs

  6. Add one more task to run the job.

    • Click add Task of type Custom Command.
    • And give it the following arguments:
    • Command: bash
    • Arguments: |
      ostorlab --api-key=$OSTORLAB_API_KEY ci-scan run --title=$Scan_Title --scan-profile=$SCAN_PROFILE android-apk /path/to/app.apk
      Check Additional options below for the full list of options.

    Gocd add command

  7. Add environment variables

    • Navigate to the ENVIRONMENT VARIABLES tab.
    • Add the OSTORLAB_API_KEY as a Secure Variable.
    • Add the other variables (Scan_Title, SCAN_PROFILE, ...) as Plain Text Variables.

    Gocd add environment vars

Additional options

The following is the full list of options for the ostorlab ci-scan run command:

    ostorlab --api-key ci-scan run --option <asset-type> <target>
  • --api-key: Ostorlab generated API key.

  • --title: Scan title

  • --scan-profile: Type of the scan. Possible options are:

    1. fast_scan: Only runs the static analysis;
    2. full_scan: Runs static, dynamic, and backend analysis.
  • Test credentials: Automatic authentication in the dynamic analysis full scan:

    • --test-credentials-login: Username to be used in log-in fields;
    • --test-credentials-password: Password to be used in password fields;
    • --test-credentials-role: Optional role field;
    • Custom/Generic test credentials:
      • --test-credentials-name: Custom name of the field;
      • --test-credentials-value: Custom value of the field
  • --sbom: Path to the sbom file.

  • asset-type: Type of the asset to scan. Possible values:

    • android-aab: Scan an android .AAB package file;
    • android-apk: Scan an android .APK package file;
    • ios-ipa: Scan an iOS .IPA package file;
  • target: Path to the target application.