Easily integrate security and privacy testing into your mobile application pipeline builds using the Ostorlab Jenkins Plug-in.
Using this plugin you can upload Android and iOS applications and perform static (analyze the application statically without a test device), dynamic (run and assess the application on a real device) and backend (assess backend interaction) scans.
Generate an API key
- Go to the API keys menu
- Click the new button to generate a new key
- Copy the API key (you can add a name and an expiry date to your key)
- Click the save button to save your key
Add Ostorlab's API key to Jenkins Credentials
From the main Jenkins dashboard, click the Credentials link.
Add new global credentials.
- In the Kind drop-down list, select Secret text.
- Enter apiKey in the ID field.
- Enter your API key in the Secret field.
- Enter a description to identify the key.
Define Jenkins Job
Add a Secret text binding to your Jenkins project configuration and enter the following information:
- Variable: Enter the name apiKey
- Credentials: Select specific credentials and choose the one defined in the previous section
Add a Run Ostorlab Security Scanner build step to your Jenkins project configuration and enter the following information:
- File Path: Enter the full path to the mobile application file that you want to scan.
Click on Advanced settings to configure your run:
- Title: Enter the mobile application path
- Platform: Select whether the platform is Android or iOS
- Profile: Select the scan profile to run. You can choose between Fast Scan for rapid static analysis or Full Scan for full Static, Dynamic and Backend analysis.
- Wait for Results: Suspend job until security analysis completes or times out
- Max Wait Time (in minutes): Duration to wait before the job times out
- Break Build on higher Security Risk threshold: If selected, the Jenkins job will fail if the findings risk equals or exceeds the specified thresholds (see below).
- Security Risk Threshold: Minimum Risk threshold that will cause a build to fail
- Credentials: Add scan credentials to be used during the dynamic testing.
  - The name corresponds to the id or the label of the field in the view (for example username or password).
  - The value corresponds to the input to type in the field.
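The following is an added example, not code from the Ostorlab plugin, that models how the Wait for Results, Max Wait Time and Break Build options above interact so you can reason about the gate before wiring it into a job. The risk level names and their ordering, the Finding records and the polling interval are constructed assumptions; the plugin's actual rating names and polling behaviour are not described on this page.

```python
"""Model of the build-gating options described above (added example, not plugin code).

Constructed assumptions: the risk ordering in RISK_ORDER, the Finding records,
a 30 second polling interval and the fake clock used to run the loop offline.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple

# Assumed ordering of risk ratings, lowest to highest.
RISK_ORDER = ["INFO", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def risk_rank(level: str) -> int:
    """Position of a rating in RISK_ORDER. Unknown ratings raise, so a typo
    in the configured threshold cannot silently disable the gate."""
    try:
        return RISK_ORDER.index(level.upper())
    except ValueError:
        raise ValueError(f"unknown risk level: {level!r}")


@dataclass(frozen=True)
class Finding:
    title: str
    risk: str


def highest_risk(findings: Iterable[Finding]) -> Optional[str]:
    """Most severe rating among the findings, or None when there are none."""
    ranked = sorted((risk_rank(f.risk), f.risk.upper()) for f in findings)
    return ranked[-1][1] if ranked else None


def should_break_build(findings: Iterable[Finding], threshold: str,
                       break_enabled: bool = True) -> bool:
    """'Break Build on higher Security Risk threshold' semantics: the job fails
    when any finding's risk equals or exceeds the configured threshold."""
    if not break_enabled:
        return False
    top = highest_risk(findings)
    return top is not None and risk_rank(top) >= risk_rank(threshold)


def wait_for_results(poll: Callable[[], Optional[List[Finding]]],
                     max_wait_minutes: int,
                     clock: Callable[[], float],
                     sleep: Callable[[float], None],
                     interval_seconds: int = 30) -> Tuple[Optional[List[Finding]], bool]:
    """'Wait for Results' with 'Max Wait Time': poll until the scan reports
    findings or the deadline passes. Returns (findings, timed_out)."""
    deadline = clock() + max_wait_minutes * 60
    while True:
        result = poll()
        if result is not None:
            return result, False
        if clock() >= deadline:
            return None, True
        sleep(interval_seconds)


class FakeClock:
    """Constructed clock so the loop can be exercised without real sleeping."""
    def __init__(self) -> None:
        self.now = 0.0

    def time(self) -> float:
        return self.now

    def sleep(self, seconds: float) -> None:
        self.now += seconds


def simulate_wait(ready_after_polls: int, max_wait_minutes: int,
                  findings: List[Finding]) -> Tuple[Optional[List[Finding]], bool, int]:
    """Drive wait_for_results with a fake clock. Results appear on the
    ready_after_polls-th poll (1-based), or never when ready_after_polls is 0.
    Returns (findings, timed_out, number_of_polls)."""
    clock = FakeClock()
    polls = {"n": 0}

    def poll() -> Optional[List[Finding]]:
        polls["n"] += 1
        if ready_after_polls and polls["n"] >= ready_after_polls:
            return findings
        return None

    result, timed_out = wait_for_results(poll, max_wait_minutes, clock.time, clock.sleep)
    return result, timed_out, polls["n"]


if __name__ == "__main__":
    # Constructed sample findings standing in for a scan report.
    sample = [Finding("Cleartext traffic allowed", "MEDIUM"),
              Finding("Hardcoded API key", "HIGH")]
    results, timed_out, polls = simulate_wait(3, 10, sample)
    print(f"timed out: {timed_out}, polls: {polls}, highest: {highest_risk(results)}")
    print("break build at MEDIUM:", should_break_build(results, "MEDIUM"))
    print("break build at CRITICAL:", should_break_build(results, "CRITICAL"))
```

Note that a timed-out wait returns no findings; what the plugin itself does with the job in that case is not stated on this page, so decide explicitly in your pipeline whether a timeout should pass or fail the build rather than relying on the gate seeing an empty result.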
Kick off build
Kick off your mobile builds and you will see the scan risk in the artifacts folder.