TeamCity

Easily integrate Ostorlab automated security scanning for Android and iOS mobile applications into your build process with TeamCity.

Usage:

Generate an Ostorlab API key

  1. Go to the API keys menu
  2. Click the New button to generate a new key
  3. Copy the API key (you can also give the key a name and an expiry date)
  4. Click the save button to save your key

[Screenshot: API key, step 1]

Add Ostorlab as a Command Line Step on TeamCity

  1. Head to your TeamCity project settings and add a new build step.

    [Screenshot: Add a new build step]

  2. Choose the Command Line runner.

    [Screenshot: Command line step]

  3. Fill in the step configuration

    • Step name: Choose a name to distinguish the build step from other steps;
    • Choose Custom script as the Run type;
    • Add the following command as a Custom script;
      ostorlab --api-key=%env.OSTORLAB_API_KEY% ci-scan run --title=%Scan_Title% --scan-profile=%env.SCAN_PROFILE% android-apk /tmp/OstorlabInsecureApp.apk
      
      Check Additional options below for the full list of options.
    • The step should run within the ostorlab container:
      • Add ostorlab/oxo:latest in the Run step within container field;
      • Choose Linux as the Image platform;
      • Click on Edit arguments in the Additional run arguments step;
      • Mount the application into the ostorlab container with -v source_path:destination_path, for example:
        -v /opt/buildagent/work/OstorlabInsecureApp.apk:/tmp/OstorlabInsecureApp.apk
        
        Make sure the destination_path is the same path as the one used in the ostorlab ci-scan run command defined previously.

    [Screenshot: Step configuration]

  4. Add the step parameters. For example, the command above uses the parameter %Scan_Title% (in --title=%Scan_Title%), which you define as follows:

    • Click on Parameters;
    • Click on Add new parameter;
    • Fill in the Name, set the Kind to Configuration parameter, and enter the value and its type;
    • Click on Save.

    [Screenshot: Add parameters]

  5. Add environment variables. You can also define environment variables for the ostorlab command to use: follow the same procedure as in step 4, but choose Environment variable (env.) as the Kind.

    [Screenshot: Add env variables]

All parameters: [Screenshot: All parameters]
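
The one-line Custom script from step 3, rewritten as a hardened shell script (an added example, not Ostorlab's or TeamCity's own code): it checks the API key, the scan profile and the mounted file paths before starting the scan, and prints the command with the key redacted so it never reaches the build log. It assumes the same %env.OSTORLAB_API_KEY%, %Scan_Title% and %env.SCAN_PROFILE% parameters and the /tmp/OstorlabInsecureApp.apk mount from step 3; the OSTORLAB_DRY_RUN switch is this example's own addition, and TEAMCITY_VERSION is the variable TeamCity agents set in every build.

```shell
#!/bin/sh
# Hardened replacement for the Custom script in step 3 (added example, not
# Ostorlab's own code). TeamCity expands %env.OSTORLAB_API_KEY%, %Scan_Title%
# and %env.SCAN_PROFILE% before the step runs inside ostorlab/oxo; this script
# reads them as environment variables so it can also be exercised outside TeamCity.

# validate_scan_inputs TARGET PROFILE [SBOM]: fail early with a clear message
# instead of letting the scan die on a missing key, a bad profile or a wrong mount.
validate_scan_inputs() {
  target="$1"; profile="$2"; sbom="$3"
  if [ -z "${OSTORLAB_API_KEY:-}" ]; then
    echo "OSTORLAB_API_KEY is not set: define it as an env. parameter of kind Password" >&2
    return 1
  fi
  case "$profile" in
    fast|full) ;;
    *) echo "SCAN_PROFILE must be 'fast' or 'full', got '$profile'" >&2; return 1 ;;
  esac
  # TARGET must equal the destination_path of the -v mount in step 3, or it is absent here.
  if [ ! -f "$target" ]; then
    echo "target '$target' not found inside the container: check the -v mount destination" >&2
    return 1
  fi
  if [ -n "$sbom" ] && [ ! -f "$sbom" ]; then
    echo "SBOM '$sbom' not found inside the container: mount it like the target" >&2
    return 1
  fi
}

# run_scan ASSET_TYPE TARGET [SBOM]: build the argument list and start the scan.
# With OSTORLAB_DRY_RUN=1 (this example's own switch) it only prints the command.
run_scan() {
  asset_type="$1"; target="$2"; sbom="$3"
  profile="${SCAN_PROFILE:-fast}"
  validate_scan_inputs "$target" "$profile" "$sbom" || return 1
  set -- ci-scan run --title="${Scan_Title:-TeamCity scan}" --scan-profile="$profile"
  if [ -n "$sbom" ]; then set -- "$@" --sbom="$sbom"; fi
  set -- "$@" "$asset_type" "$target"
  # Log the command with the key redacted so the secret never lands in the build log.
  echo "ostorlab --api-key=<redacted> $*"
  if [ "${OSTORLAB_DRY_RUN:-0}" = "1" ]; then return 0; fi
  ostorlab --api-key="$OSTORLAB_API_KEY" "$@"
}

# Only start a real scan on a TeamCity agent (TeamCity sets TEAMCITY_VERSION).
if [ -n "${TEAMCITY_VERSION:-}" ]; then
  run_scan android-apk /tmp/OstorlabInsecureApp.apk
fi
```

Paste the script as the Custom script of the step; the only behavioural difference from the one-liner is that a misconfiguration fails the build with a message naming the missing piece instead of an opaque scan error.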

Additional options

The following is the full list of options for the ostorlab ci-scan run command:

    ostorlab --api-key=<api-key> ci-scan run [options] <asset-type> <target>

  • --api-key: Ostorlab generated API key.

  • --title: Scan title

  • --scan-profile: Type of the scan. Possible options are:

    1. fast: Only runs the static analysis;
    2. full: Runs static, dynamic, and backend analysis.
  • Test credentials: credentials used for automatic authentication during the dynamic analysis of a full scan:

    • --test-credentials-login: Username to be used in log-in fields;
    • --test-credentials-password: Password to be used in password fields;
    • --test-credentials-role: Optional role field;
    • Custom/Generic test credentials:
      • --test-credentials-name: Custom name of the field;
      • --test-credentials-value: Custom value of the field
  • --sbom: Path to the SBOM file. The SBOM file must also be mounted into the container as described in step 3.

  • asset-type: Type of the asset to scan. Possible values:

    • android-aab: Scan an android .AAB package file;
    • android-apk: Scan an android .APK package file;
    • ios-ipa: Scan an iOS .IPA package file;
  • target: Path to the target application. The application must be mounted into the container as described in step 3.