Ostorlab Security And Privacy Scanner

ID: ostorlab

Easily integrate security and privacy testing into your mobile application pipeline builds using the Ostorlab Jenkins Plug-in. Using this plugin you can upload Android and iOS applications and perform static (statically analyze the application without a test device), dyanmic (run and assess the application on real device) and backend (assess backend interaction) scans.

Prerequisites

Usage

Generate an API key

  1. Go to the API keys menu
  2. Click the new button to generate a new key
  3. Copy the api key (You can add a name and an expiry date to your key)
  4. Click the save button to save your key

Api key Step1

Add Ostorlab's API key to Jenkins Credentials

  1. From the main Jenkins dashboard, click the Credentials link.

    Api key Step1

  2. Add new global credentials.

    • In the Kind drop-down list, select Secret text.
    • Enter apiKey in the ID field
    • Enter your API key in the Secret field.
    • Enter a description to identify the key

Add Credentials

Define Jenkins Job

Api key Step1

  1. Add a Secret text binding to your Jenkins project configuration and enter the following information:

    Api key Step1 Api key Step1 Api key Step1

    • Variable: Enter the name apiKey
    • Credentials: Select specific credentials and choose the one defined in step 1

  2. Add a Run Ostorlab Security Scanner build step to your Jenkins project configuration and enter the following information:

    Api key Step1 Api key Step1

    • File Path: Enter the full path to the mobile application file that you want to scan.

  3. Click on Advanced settings to configure your run:

    • Title: Enter the mobile application path
    • Platform: Select whether the platform is Android or iOS
    • Plan: Select the type of the scan, SAST, DAST or SAST+DAST+BACKEND
    • Wait for Results: Suspend job until security analysis completes or times out
    • Max Wait Time (in minutes): Duration to wait before the job times out
    • Break Build on higher Security Risk threshold: If selected, the Jenkins job will fail if the findings risk equals or exceeds the specified thresholds (see below).
    • Security Risk Threshold: Minimum Risk threshold that will cause a build to fail Api key Step1

  4. Kick off build Kick off your mobile builds and you will see the scan risk in the artifacts folder. Api key Step1

Version: 1.3
Released:
Requires Jenkins 2.263.3
Installs: 1
View detailed version information
Links
GitHub
Open issues
Report an issue
Pipeline Step Reference
Javadoc
Labels
This plugin has no labels
Maintainers
AMine Mesbahi
Help us improve this page!
To propose a change submit a pull request to the plugin page on GitHub.