Why integrate with Bitrise?
AppSweep allows developers to analyze their mobile app for potential security issues. This process can be automated by triggering the analysis from within your Continuous Integration (CI) pipeline with Bitrise. For this, we have built a Bitrise step that will automatically fetch your built Android or iOS application and then upload it to AppSweep. Doing so enables you to continuously scan your application for security issues, without any manual steps. AppSweep also provides an intuitive UI to drill down into the scan details to quickly navigate to the relevant findings for specific builds.
Prerequisites for the Bitrise integration
Before diving into the integration with Bitrise, you should create an API key for your application. This can be done inside your application's settings page in AppSweep. Once you have created such a key, save it; you will need it in a later step of this tutorial.
After the API key is created, you can integrate AppSweep into your build step. The process depends on the platform you're building for.
Automating the scanning process within your Bitrise workflow
Automating the scan in your Bitrise workflow is simple and straightforward. You start by adding the API key you created for your application to Bitrise as a secret. To do this, open your workflow, press Edit, and switch to the Secrets tab shown at the top. Inside this tab, add the previously generated key under a name of your own choice.
After the secret is set up, you need to add our Bitrise step to your workflow. For this, go back to the Workflows tab and scroll to the point where you wish to scan your app. The AppSweep step must come after the build step, because AppSweep analyzes a built app. Press the + button; a window will pop up where you can search for appsweep to find our Bitrise step:
By clicking on it, the AppSweep scan step will be added to your pipeline and you’ll see the configurations for the step.
iOS
For typical iOS builds on Bitrise, no further configuration is required. You can override the following two options if needed.
Build path - This is the path to your finished build, either an IPA file or an xcarchive directory. An iOS build is only uploaded to AppSweep if this is set.
dSYM directory path - For an in-depth analysis, AppSweep needs debug symbols which are loaded from the dSYM directory.
Android
For Android, a few things need to be configured before the step can succeed:
AppSweep gradle plugin version - The version of the AppSweep Gradle plugin that the step injects into your build. Set it to latest.version or to the specific version you wish to use. If the plugin is already configured in your repository (see our Gradle integration documentation), this option has no effect.
[optional] The build variant to analyze. By default, the release build is used.
After configuring the AppSweep step, you can rebuild the pipeline and your application will be uploaded for scanning automatically. The build logs will contain the link to the AppSweep scan. It is also possible to forward this information to other platforms such as Slack, or to send it by email to the developers.
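The Slack hand-off mentioned above, as an added example that is not part of AppSweep's or Bitrise's own code: a small shell script that pulls the AppSweep scan link out of a saved build log and posts it to a Slack incoming webhook. Everything it relies on is an assumption: that the log of the AppSweep step has been saved to a file (for instance with tee), that the step prints the link on a line mentioning AppSweep (the sample log and the URL shape below are constructed placeholders, not AppSweep's real format), and that the webhook URL is stored as a Bitrise secret named SLACK_WEBHOOK_URL. BITRISE_BUILD_NUMBER is the build number Bitrise exposes to steps.

```shell
#!/usr/bin/env bash
# Added example (not AppSweep's or Bitrise's own code). Assumptions, all
# hypothetical: the Bitrise build log has been saved to a file, the AppSweep
# step prints one line containing the scan link, and SLACK_WEBHOOK_URL holds
# a Slack incoming-webhook URL (kept as a Bitrise secret, never in the repo).
set -eu

# Constructed sample of a saved step log. The link shape is a placeholder.
SAMPLE_LOG='+ gradle assembleRelease
BUILD SUCCESSFUL in 2m 13s
AppSweep: upload finished
AppSweep scan available at https://appsweep.example.test/scans/BUILD_ID_PLACEHOLDER
Step finished'

# Print the first https:// link on a line that mentions AppSweep.
# Exits non-zero when no link is found so the caller can fail loudly
# instead of silently posting an empty message.
appsweep_link_from_log() {
  grep -i 'appsweep' "$1" | grep -o 'https://[^[:space:]]*' | head -n 1 | grep .
}

# Escape backslashes and double quotes so that a hostile branch name or
# label passed from the build cannot break out of the JSON string.
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Build a minimal Slack incoming-webhook payload: {"text": "..."}.
slack_payload() {
  link=$(json_escape "$1")
  label=$(json_escape "$2")
  printf '{"text":"AppSweep scan for build %s is ready: %s"}' "$label" "$link"
}

# Send the payload only when a webhook URL is configured; when run locally
# without one, just print the payload so the output can be inspected.
notify_slack() {
  payload=$(slack_payload "$1" "$2")
  if [ -n "${SLACK_WEBHOOK_URL:-}" ]; then
    curl -fsS -X POST -H 'Content-Type: application/json' \
      --data "$payload" "$SLACK_WEBHOOK_URL"
  else
    printf '%s\n' "$payload"
  fi
}

# Demo run over the constructed log; on Bitrise, point it at the real log
# file and let BITRISE_BUILD_NUMBER label the message.
main_demo() {
  tmp=$(mktemp)
  printf '%s\n' "$SAMPLE_LOG" > "$tmp"
  link=$(appsweep_link_from_log "$tmp") || { echo "no AppSweep link in log" >&2; rm -f "$tmp"; exit 1; }
  notify_slack "$link" "${BITRISE_BUILD_NUMBER:-local}"
  rm -f "$tmp"
}

main_demo
```

Keep the webhook URL in a Bitrise secret rather than in bitrise.yml, and note that the payload text itself is the only untrusted part of the request: the escaping in json_escape is what keeps a crafted build label from injecting extra JSON fields.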
View the results
After configuring the pipeline steps, your pipeline automatically uploads your mobile app to AppSweep.
In the AppSweep UI you will see all scans, chronologically ordered. Clicking on the most recent build allows you to explore the detailed results of your last pipeline execution.
Developers in your team will no longer have to worry about manually uploading their app to AppSweep. Instead, every time the pipeline is triggered (for example, by a pull request) it will automatically upload your app to AppSweep for scanning. This way they can immediately see which issues and vulnerabilities their app contains and fix them by applying the provided recommendations.