Easily integrate security and privacy testing into your mobile application pipeline builds using the Ostorlab Jenkins Plug-in. Using this plugin you can upload Android and iOS applications and perform static (statically analyze the application without a test device), dyanmic (run and assess the application on real device) and backend (assess backend interaction) scans.
Prerequisites
- An account at the Ostorlab Mobile application Scanner
- Either use the free plan or add the desired scan plans to your account
Usage
Generate an API key
- Go to the API keys menu
- Click the new button to generate a new key
- Copy the api key (You can add a name and an expiry date to your key)
- Click the save button to save your key
Add Ostorlab's API key to Jenkins Credentials
-
From the main Jenkins dashboard, click the Credentials link.
-
Add new global credentials.
- In the Kind drop-down list, select Secret text.
- Enter apiKey in the ID field
- Enter your API key in the Secret field.
- Enter a description to identify the key
Define Jenkins Job
-
Add a Secret text binding to your Jenkins project configuration and enter the following information:
- Variable: Enter the name apiKey
- Credentials: Select specific credentials and choose the one defined in step 1
-
Add a Run Ostorlab Security Scanner build step to your Jenkins project configuration and enter the following information:
- File Path: Enter the full path to the mobile application file that you want to scan.
-
Click on Advanced settings to configure your run:
- Title: Enter the mobile application path
- Platform: Select whether the platform is Android or iOS
- Plan: Select the type of the scan, SAST, DAST or SAST+DAST+BACKEND
- Wait for Results: Suspend job until security analysis completes or times out
- Max Wait Time (in minutes): Duration to wait before the job times out
- Break Build on higher Security Risk threshold: If selected, the Jenkins job will fail if the findings risk equals or exceeds the specified thresholds (see below).
- Security Risk Threshold: Minimum Risk threshold that will cause a build to fail
-
Kick off build Kick off your mobile builds and you will see the scan risk in the artifacts folder.
Define Jenkins Pipeline
Sample step to run the scan
pipeline {
agent any
environment {
apiKey = credentials('apiKey')
jsonCredentials = "${params.Credentials}"
}
parameters { string(name: 'Credentials', defaultValue: '[{"name": "username", "value": "MyUsername"}, {"name": "password", "value": "MyPassword"}]', description: '') }
stages {
stage('security-test') {
steps {
step([$class: 'OPlugin', apiKey:env.apiKey, Jsoncredentials:env.jsonCredentials, filePath: '/home/asasas/IdeaProjects/ostorlab-plugin/work/workspace/as/InsecureBankv2.apk', scanProfile: 'Fast Scan', platform: 'android'])
}
}
}
}
The list of parameters supported:
- filePath: (Mandatory) Enter the mobile application path
- apiKey: (Mandatory) Enter the API key to authenticate the API requests.
- scanProfile: Select the scan profile to run. You can choose between
Fast Scanfor rapid static analysis orFull Scanfor full Static, Dynamic and Backend analysis. - platform: Set the platform type [android, ios]
- waitForResults: (Optional) Suspend job until security analysis completes or times out
- waitMinutes: (Optional) Duration to wait before the job times out
- breakBuildOnScore: (Optional) If set to true, the step will fail if the findings risk equals or exceeds the thresholds.
- riskThreshold: (Optional) Minimum Risk threshold that will cause a build to fail
- JsonCredentials: (Optional) Credentials to use for the dynamic testing. It should be a string as valid JSON.
[{"name": "username", "value": "MyUsername"}, {"name": "password", "value": "MyPassword"}] - title: (Optional) Enter the scan title