This is a plugin to scan Android and iOS applications in your Jenkins pipelines using CloudSek BeVigil. BeVigil can analyze code at scale and search for API keys, regexes, etc., showing the matches in the different files of an application.
The BeVigil-CI plugin is intended to be used as an additional step in build pipelines that already build Android or iOS apps. In this section, we will assume that you already have a pipeline running to build your application.
Installing the plugin
To use this plugin, you need to install it in your Jenkins installation. To do this, first log in to your Jenkins server and click on "Manage Plugins" on the Manage Jenkins page.
Next, navigate to the Available tab and search for the "BeVigil VI" plugin. Click the checkbox next to the plugin, and then click on "Install without Restart" to install the plugin.
Using the plugin in your Jenkins build
- Add a build step which uses the plugin on your Jenkins CI Build Pipeline.
- Now, configure the following information about your app on the build step:
  - API KEY: Your BeVigil Enterprise API Key
  - App Type: Select Android/iOS
  - App Path: This is the path to your built app relative to the root of your Jenkins workspace.
  - Package Name: Enter the package name for your application
  - Scan Timeout: This is the time (in minutes) after which the scan will time out on the plugin.
  - Severity Threshold: This sets the severity threshold for the vulnerabilities BeVigil includes:
    - Low: This includes low, medium and high vulnerabilities
    - Medium: This includes medium and high vulnerabilities
    - High: This includes only high vulnerabilities
- Save your build step, and start a new build. If all goes well, the plugin should print the report to stdout.
How the plugin works
Mobile applications are often full of security issues which, when not identified, can cost organizations a lot. This plugin helps to identify potential security vulnerabilities in the code. By running a scan during the build process, developers can catch and fix vulnerabilities early on, which can help to prevent security breaches and protect the integrity of the application. The plugin can be easily configured, making it a valuable tool for any organization that values security.
The plugin receives an AWS presigned URL, to which it uploads the build file of the app after reading it. After the file is uploaded successfully, it is scanned for vulnerabilities using BeVigil's API. Finally, we get the output of the scan.
Report issues and enhancements in the Issue tracker.
Refer to our contribution guidelines
Licensed under MIT, see LICENSE