Easily integrate security and privacy testing into your mobile application pipeline builds using the Ostorlab Jenkins Plug-in. Using this plugin you can upload Android and iOS applications and perform static (statically analyze the application without a test device), dynamic (run and assess the application on a real device) and backend (assess backend interaction) scans.
From the main Jenkins dashboard, click the Credentials link.
Add new global credentials.
Add a Secret text binding to your Jenkins project configuration and enter the following information:
Add a Run Ostorlab Security Scanner build step to your Jenkins project configuration and enter the following information:
Click on Advanced settings to configure your run:
Kick off your mobile builds and you will see the scan risk in the artifacts folder.
Sample step to run the scan
pipeline {
    agent any
    environment {
        // Ostorlab API key, stored as the "Secret text" credential with id 'apiKey'
        apiKey = credentials('apiKey')
        // JSON list of name/value pairs handed to the scan as test-account credentials
        jsonCredentials = "${params.Credentials}"
    }
    parameters {
        string(name: 'Credentials',
               defaultValue: '[{"name": "username", "value": "MyUsername"}, {"name": "password", "value": "MyPassword"}]',
               description: '')
    }
    stages {
        stage('security-test') {
            steps {
                step([$class: 'OPlugin',
                      apiKey: env.apiKey,
                      Jsoncredentials: env.jsonCredentials,
                      // path of the application package to upload (.apk here; an .ipa for iOS)
                      filePath: '/home/asasas/IdeaProjects/ostorlab-plugin/work/workspace/as/InsecureBankv2.apk',
                      scanProfile: 'Fast Scan',   // or 'Full Scan'
                      platform: 'android'])       // or 'ios'
            }
        }
    }
}
The list of parameters supported:
scanProfile: Fast Scan for rapid static analysis, or Full Scan for full static, dynamic and backend analysis.
Jsoncredentials: a JSON list of name/value pairs (for example a username and password) passed to the scan, such as [{"name": "username", "value": "MyUsername"}, {"name": "password", "value": "MyPassword"}]
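The sample pipeline above takes the test-account username and password from a string build parameter, which leaves them in plain text in the job configuration and in the build's parameter list. The following Jenkinsfile is an added example, not part of the plugin's documentation: it runs the same Run Ostorlab Security Scanner step but reads the test account from a Jenkins "Username with password" credential and builds the Jsoncredentials payload at run time. The credential ids 'ostorlab-api-key' and 'app-test-user' and the APK path are assumptions; the plugin parameter names are the ones shown on this page.

```groovy
// Added example (not from the Ostorlab plugin documentation): the same scan as the
// sample above, but the test-account credentials come from the Jenkins credential
// store rather than a plain-text build parameter. withCredentials masks the bound
// values in the console log, and nothing secret is stored in the job configuration.
// Assumed credential ids: 'ostorlab-api-key' (Secret text) and 'app-test-user'
// (Username with password); both are created under Credentials beforehand.
pipeline {
    agent any
    environment {
        // Secret text credential holding the Ostorlab API key
        OSTORLAB_API_KEY = credentials('ostorlab-api-key')
        // Application package produced by an earlier build stage (assumed path)
        APP_PACKAGE = "${env.WORKSPACE}/app/build/outputs/apk/debug/app-debug.apk"
    }
    stages {
        stage('security-test') {
            steps {
                withCredentials([usernamePassword(credentialsId: 'app-test-user',
                                                  usernameVariable: 'APP_USER',
                                                  passwordVariable: 'APP_PASS')]) {
                    script {
                        // Build the Jsoncredentials payload in the exact name/value shape the
                        // plugin expects; JsonOutput does the quoting, so a password containing
                        // quotes or backslashes cannot break the JSON.
                        def creds = groovy.json.JsonOutput.toJson([
                            [name: 'username', value: env.APP_USER],
                            [name: 'password', value: env.APP_PASS]
                        ])
                        step([$class: 'OPlugin',
                              apiKey: env.OSTORLAB_API_KEY,
                              Jsoncredentials: creds,
                              filePath: env.APP_PACKAGE,
                              scanProfile: 'Full Scan',   // dynamic and backend analysis use the credentials
                              platform: 'android'])
                    }
                }
            }
        }
    }
}
```

With this layout the password exists only in the credential store and, transiently, in the JSON string handed to the plugin step; avoid echoing that string (for example with `echo creds`), because Jenkins masks only the bound variables, not a value derived from them.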