Building upon AppSweep's recent support for iOS apps, we have now released a command line interface (CLI) to streamline user interaction, making common tasks such as uploading apps and checking the number of findings faster and easier.
Scan Manually Using the Guardsquare CLI
Installing the CLI is as simple as running this single shell command (as with any install script piped straight into a shell, download and review it first if your security policy requires it):
curl -sS https://platform.guardsquare.com/cli/install.sh | sh
Once the installation script is done, you are almost ready to start scanning your mobile apps. The only thing you need to do first is retrieve an API key. It is used for authentication and tells AppSweep which application in your team the uploaded build belongs to.
API keys can be generated in your application's settings page:
The API key needs to be stored in an environment variable. Treat it like any other credential: keep it out of version control and shell history files where possible.
export APPSWEEP_API_KEY="gs_appsweep_dummy_notarealkey"
Once this is done, you can trigger an AppSweep scan for any IPA or xcarchive by running
guardsquare scan my_app.ipa
To find out how to integrate the CLI into your CI pipeline, check out our CLI help article.
Xcode Integration
Using the Guardsquare CLI manually is an easy way for ad-hoc scans. It would, of course, be nicer if you could automate this process, because scanning your app should not feel like a manual chore but rather automatically enhance your development process. A typical place for integrating different analysis tools into the development workflow is the Continuous Integration (CI) pipeline.
However, we're focusing on a different use case: in many companies, CI pipeline resources are shared between several teams and, depending on the time of day, it can take a considerable amount of time until the pipeline run for your change set has finished. To shorten the feedback cycle between changing the app and learning whether the change introduced new findings, it is helpful to have a way of triggering scans directly from within Xcode. One example of this is triggering an AppSweep scan every time an xcarchive is built. Here's how to set this up:
1. Open the scheme editor
2. Select the “Post-actions” of the “Archive” step and click on “New Run Script Action”
3. Make sure to provide the build settings from your app's target ("Provide build settings from"), otherwise variables such as $SRCROOT and $ARCHIVE_PATH are not set and the script cannot find out where the final xcarchive has been stored on disk
4. Paste the following shell script into the corresponding text box, replace the dummy API key with your actual key and close the scheme editor afterwards. The script performs the upload to AppSweep and launches a pop-up dialog that takes you directly to the scan's AppSweep build page if you wish. Keep in mind that post-action scripts are saved in the scheme's .xcscheme file: if the scheme is shared (stored under xcshareddata), a key pasted here ends up in your repository, so in that case read the key from an environment variable or the keychain instead of hard-coding it.
You can, of course, customize the script to your heart's content to make it fit your use case exactly.
cd "$SRCROOT"

# Upload the archive and ask the CLI to print only the build page URL.
BUILD_URL=$(APPSWEEP_API_KEY="gs_appsweep_dummy_notarealkey" guardsquare scan "$ARCHIVE_PATH" --format "{{.URL}}")

# Abort the post-action if the CLI failed or returned no URL.
if [ $? -ne 0 ] || [ -z "$BUILD_URL" ]; then
  osascript -e 'display dialog "Failed to start AppSweep scan" with title "Upload to AppSweep" with icon caution'
  exit 1
fi

# Offer to open the build page in the browser.
osascript -e 'set theAlertText to "Upload to AppSweep"' \
  -e "set theAlertMessage to \"Successfully uploaded to $BUILD_URL\"" \
  -e 'display dialog theAlertMessage with title theAlertText buttons {"Cancel", "View online"} default button "View online" cancel button "Cancel"' \
  -e "if the button returned of the result is \"View online\" then open location \"$BUILD_URL\""
To test your newly set up automation, build an xcarchive version of your app and wait for the confirmation dialog to pop up:
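For shared schemes, where a hard-coded key would be committed along with the project, the following is an added example of the same post-action that keeps the key out of the .xcscheme file. It is not Guardsquare's code and not part of the original post: it reads the key from APPSWEEP_API_KEY if set, otherwise from the macOS login keychain via the `security` tool under an assumed service name "appsweep", and it only offers to open the build page if the CLI actually returned an https URL. The `guardsquare scan ... --format "{{.URL}}"` invocation is the one used above.

```shell
#!/bin/sh
# Added example (not Guardsquare's code): Xcode "Archive" post-action that does
# not embed the API key in the scheme. The key is taken from APPSWEEP_API_KEY
# if set, otherwise from the macOS login keychain under the assumed service
# name "appsweep". The guardsquare invocation is the one shown in the post.

# Print the API key on stdout; return non-zero if none can be found.
resolve_api_key() {
  if [ -n "$APPSWEEP_API_KEY" ]; then
    printf '%s\n' "$APPSWEEP_API_KEY"
    return 0
  fi
  # Keychain fallback. Store the key once with:
  #   security add-generic-password -s appsweep -a "$USER" -w 'gs_appsweep_...'
  security find-generic-password -s appsweep -w 2>/dev/null
}

# Accept only an https:// URL as the build page; empty output or an error
# message that ended up on stdout fails the post-action instead.
is_build_url() {
  case "$1" in
    https://*) return 0 ;;
    *)         return 1 ;;
  esac
}

# Show a macOS dialog; $1 is the message, $2 is optionally "caution".
notify() {
  if [ "$2" = "caution" ]; then
    osascript -e "display dialog \"$1\" with title \"Upload to AppSweep\" with icon caution"
  else
    osascript -e "display dialog \"$1\" with title \"Upload to AppSweep\""
  fi
}

run_post_action() {
  cd "$SRCROOT" || exit 1

  key=$(resolve_api_key)
  if [ -z "$key" ]; then
    notify "No AppSweep API key in APPSWEEP_API_KEY or the keychain" caution
    exit 1
  fi

  # The key is passed only in the environment of this one command.
  build_url=$(APPSWEEP_API_KEY="$key" guardsquare scan "$ARCHIVE_PATH" --format "{{.URL}}")
  if [ $? -ne 0 ] || ! is_build_url "$build_url"; then
    notify "Failed to start AppSweep scan" caution
    exit 1
  fi

  osascript \
    -e "set theAlertMessage to \"Successfully uploaded to $build_url\"" \
    -e 'display dialog theAlertMessage with title "Upload to AppSweep" buttons {"Cancel", "View online"} default button "View online" cancel button "Cancel"' \
    -e "if the button returned of the result is \"View online\" then open location \"$build_url\""
}

# Xcode sets ARCHIVE_PATH for archive post-actions; when the script is run or
# sourced elsewhere (for example to test it) nothing is uploaded.
if [ -n "$ARCHIVE_PATH" ]; then
  run_post_action
fi
```

With this variant the scheme file contains no secret, each developer stores the key once in their own keychain (or exports APPSWEEP_API_KEY in their shell), and a CLI error message printed instead of a URL no longer produces a "Successfully uploaded" dialog.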
Next Steps
This article explained how you can initiate a scan of your app locally. As a next step, you can also start streamlining your MAST experience by integrating the Guardsquare CLI into your development workflow!
Our help article about CI integration explains how to set this up via fastlane or Xcode Cloud.