Integrating AppSweep with Github Projects

This guide explains how to integrate AppSweep with GitHub so that scans for potential security issues are triggered automatically from within your Continuous Integration pipeline.

GitHub action workflow configuration

The following action will trigger the AppSweep scan on each commit.

.github/workflows/github-action-appsweep.yml

name: AppSweep mobile application security testing
on: [push]
jobs:
  appsweep-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Check out repository code
        uses: actions/checkout@v2

      - name: Build debug app
        run: ./gradlew assembleDebug

      - name: Upload debug app to AS
        uses: guardsquare/appsweep-action@main
        with:
          appsweep_api_key: ${{ secrets.APPSWEEP_API_KEY }}
          input_file: ./app/build/outputs/apk/debug/app-debug.apk
          mapping_file: ./app/build/outputs/mapping/debug/mapping.txt

To avoid storing the API key directly in your code, create a GitHub secret named APPSWEEP_API_KEY and pass it to the action as the appsweep_api_key parameter, as shown above.

Note: The GitHub action shown above uses the push event, which is triggered on each commit. Alternatively, you can use other events such as pull_request_target, which is triggered by new pull requests. Keep in mind that a pull_request_target workflow runs with the base branch's permissions and secrets, so do not check out and build untrusted pull request code in such a workflow.
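The same scan wired to the pull_request event instead of push, as an added example that is not part of the AppSweep documentation. It assumes the action inputs shown above, a repository secret named APPSWEEP_API_KEY, a protected branch called main, and a debug build that produces a mapping file (as the original workflow does); a pull request commit is already on GitHub, so the results can be attached to it as soon as the analysis finishes.

```yaml
# Added example (not from the AppSweep docs): scan every pull request
# targeting main. Assumes the same action inputs as the workflow above.
name: AppSweep scan on pull requests
on:
  pull_request:
    branches: [main]          # assumption: main is the protected branch

# Least privilege for the workflow token: the action authenticates to
# AppSweep with the API key and the AppSweep GitHub App posts the results
# back itself, so the job only needs to read the repository contents.
permissions:
  contents: read

jobs:
  appsweep-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Check out pull request code
        uses: actions/checkout@v4

      - name: Build debug app
        run: ./gradlew assembleDebug

      # Fail fast with a clear message if the build did not produce the
      # files the upload step expects (assumes minification is enabled for
      # the debug build, otherwise no mapping.txt is written).
      - name: Verify build outputs exist before uploading
        run: |
          test -f ./app/build/outputs/apk/debug/app-debug.apk
          test -f ./app/build/outputs/mapping/debug/mapping.txt

      - name: Upload debug app to AppSweep
        uses: guardsquare/appsweep-action@main
        with:
          appsweep_api_key: ${{ secrets.APPSWEEP_API_KEY }}
          input_file: ./app/build/outputs/apk/debug/app-debug.apk
          mapping_file: ./app/build/outputs/mapping/debug/mapping.txt
```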

Install the AppSweep App on your GitHub account

Installing AppSweep on your GitHub account allows AppSweep to report the results back to GitHub, and attach them to the pull request.

After clicking the link, you will be redirected to the installation process inside GitHub. If you belong to any organization, you will be asked if you would like to install AppSweep on your personal account or for organization use.

You will be asked to choose which GitHub repositories you would like to use AppSweep for. This permission allows AppSweep to access the chosen repositories.

After that, press the Install button.

On the GitHub integration page inside AppSweep, you can then verify the successful installation of the GitHub app. You should see a green checkmark next to your GitHub login:

Now you can choose a repository to link with AppSweep. This list contains the set of all previously selected repositories.

After selecting the repository a green checkmark will be visible next to its name, indicating that the GitHub App was successfully installed for this repository.

The integration with GitHub is complete. AppSweep is now able to post scan results back to GitHub.

Viewing AppSweep scan results in GitHub

After configuring the AppSweep Gradle plugin, the GitHub action workflow, and the GitHub App, the results of a scan are posted directly to your GitHub repository.

When creating a pull request, the action will schedule a scan of your application. Typically after a few minutes, the scan will be finished and the results of the scan will be visible in the pull request.

Immediately after the action triggers the Gradle task, you will see notifications that the checks are running.

In the Checks section you will find a summary of the detected issues.

To see the detailed findings for your scan, you can go directly to AppSweep by clicking View more details on AppSweep.

Note: The AppSweep GitHub App uses the commit hash to identify which commit the results should be attached to. Therefore, the commit must be pushed to GitHub before the analysis finishes. If the commit has not been pushed yet, the results can still be viewed inside AppSweep.