Integrating AppSweep with Jenkins to Scan Your Android App

Why integrate with Jenkins?

AppSweep allows developers to analyze their mobile app for potential security issues. This process can be automated by triggering the analysis from within your Continuous Integration (CI) pipeline with Jenkins. Doing so enables you to continuously scan your application for security issues, without any manual steps. AppSweep also provides an intuitive UI to drill down into the scan details to quickly navigate to the relevant findings for specific builds.

How to set up the AppSweep Jenkins Integration

In order to integrate with Jenkins, two things need to be in place:

  1. The AppSweep Gradle plugin needs to be applied to your app. It provides the upload tasks that send each build to AppSweep for scanning.

  2. An AppSweep API key needs to be created for your project and made available to the pipeline as a Jenkins credential.

This tutorial will show you how to implement this logic in your Jenkins pipeline and how you can view the results.

Set up the AppSweep Gradle plugin

Our Gradle plugin is published on the Gradle Plugin Portal and can be added to your Android project with the following plugins block in app/build.gradle:

[Screenshot: plugin declaration in app/build.gradle]

Note: the dynamic version latest.release requires at least Gradle 7. With an older Gradle version you must pin an explicit version number; the latest one is listed on the Gradle Plugin Portal. Pinning a version is also the safer choice in CI in general, because a plugin update can then only enter a build through a commit that you review.

Next, configure the plugin with an API key for your project. You can create one on the AppSweep project settings page. Treat the key as a secret: do not write it into build.gradle or any other file under version control; pass it to the plugin through the APPSWEEP_API_KEY environment variable instead.

[Screenshot: creating an API key in the AppSweep project settings]
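The screenshot above shows the plugin declaration; as an added example (not the page's own snippet and not Guardsquare's reference configuration), the following complete app/build.gradle applies the plugin and adds a fail-fast guard for the missing-key case. Assumptions: the plugin id com.guardsquare.appsweep as it appears on the Gradle Plugin Portal (confirm it there before copying), the Android configuration values, and the gs_appsweep_ key prefix, which is taken from the sample key format shown on this page.

```groovy
// app/build.gradle (Groovy DSL). Added example with assumed values; see the lead-in.
plugins {
    id 'com.android.application'
    // AppSweep plugin from the Gradle Plugin Portal (plugin id assumed, check the portal).
    // 'latest.release' needs Gradle 7+; on older Gradle replace it with a pinned version.
    id 'com.guardsquare.appsweep' version 'latest.release'
}

android {
    namespace 'com.example.app'          // assumed package name
    compileSdk 33                        // assumed SDK levels
    defaultConfig {
        applicationId 'com.example.app'
        minSdk 24
        targetSdk 33
        versionCode 1
        versionName '1.0'
    }
}

// No apiKey is written here on purpose: the plugin reads APPSWEEP_API_KEY from the
// environment, so the key lives in the CI secret store rather than in version control.
// The guard below runs before every uploadToAppSweep<Variant> task and turns a missing
// or malformed key into an immediate, clearly worded build failure instead of a failed
// upload late in the build.
tasks.configureEach { task ->
    if (task.name.startsWith('uploadToAppSweep')) {
        task.doFirst {
            def key = System.getenv('APPSWEEP_API_KEY')
            if (!key) {
                throw new GradleException(
                    'APPSWEEP_API_KEY is not set. Create a key in the AppSweep project ' +
                    'settings and inject it as a Jenkins credential; never hardcode it here.')
            }
            // Prefix check based on the sample key format on this page (assumption).
            if (!key.startsWith('gs_appsweep_')) {
                logger.warn('APPSWEEP_API_KEY does not look like an AppSweep key ' +
                            '(expected gs_appsweep_ prefix); the upload will likely be rejected.')
            }
        }
    }
}
```

Running ./gradlew uploadToAppSweepDebug without the variable now stops with the message above before any network call is made, which is also what you want in a CI job whose credential binding has been misconfigured.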

You can test the key locally by passing it in the environment variable the plugin reads (replace the placeholder with your own key):

APPSWEEP_API_KEY=gs_appsweep_SOME_API_KEY ./gradlew uploadToAppSweepDebug

This schedules the scan of the debug build and prints the URL at which the results can be viewed.

If you use Git as your version control system, the AppSweep Gradle plugin automatically attaches the commit hash to the scan, so every scan can be traced back to the exact revision that produced it. For other systems (such as Mercurial or Subversion), or for further customization options, please check our plugin documentation.

Automating the scanning process with a Jenkinsfile

Building and uploading your application to AppSweep requires one additional stage in your pipeline. This tutorial assumes that the required environment (Android SDK, Gradle, etc.) is already set up in your Jenkins pipeline and that you have stored the AppSweep API key as a Jenkins "Secret text" credential. Keep in mind that the Gradle plugin reads the API key from the environment variable APPSWEEP_API_KEY and uses it to associate the build with your AppSweep project, so the stage has to expose the credential under exactly that name.

The following snippet uploads the built APK to AppSweep automatically:

    stages {
        stage('Upload To AppSweep') {
            steps {
                // PROJECT_DIR: the directory that contains gradlew; set it for your checkout.
                dir(PROJECT_DIR) {
                    // Bind the "Secret text" credential directly to the variable name the
                    // Gradle plugin reads. This needs no extra withEnv and avoids interpolating
                    // the secret into a Groovy string, which Jenkins flags as insecure.
                    withCredentials([string(credentialsId: 'appsweep-api-key',
                                            variable: 'APPSWEEP_API_KEY')]) {
                        // Plain sh, so the scan URL printed by the plugin ends up in the
                        // build log (returnStdout: true would swallow it unless captured).
                        sh './gradlew uploadToAppSweepDebug'
                    }
                }
            }
        }
    }

To upload the release build instead, change the command to ./gradlew uploadToAppSweepRelease.
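As an added example (not code from the original page or from Guardsquare), here is a complete declarative Jenkinsfile that generalizes the debug/release switch described above into a build parameter, so one pipeline can upload either variant. The agent label, the credential id appsweep-api-key and the checkout directory app-project are assumptions; adjust them to your installation.

```groovy
// Jenkinsfile (declarative). Added example; agent label, credential id and
// directory name are assumptions, see the lead-in.
pipeline {
    agent { label 'android' }   // assumed: an agent with JDK and Android SDK installed

    parameters {
        // A choice parameter restricts VARIANT to known values, so interpolating it
        // into the Gradle task name below cannot inject arbitrary shell.
        choice(name: 'VARIANT', choices: ['Debug', 'Release'],
               description: 'Build variant to build and upload to AppSweep')
    }

    options {
        timeout(time: 30, unit: 'MINUTES')   // a hung upload should not block the agent
        disableConcurrentBuilds()
    }

    stages {
        stage('Upload To AppSweep') {
            steps {
                dir('app-project') {   // assumed checkout directory containing gradlew
                    // Bind the Secret text credential straight to APPSWEEP_API_KEY, the
                    // variable the AppSweep Gradle plugin reads. Jenkins masks the value
                    // in the console log for the duration of this block.
                    withCredentials([string(credentialsId: 'appsweep-api-key',
                                            variable: 'APPSWEEP_API_KEY')]) {
                        // Runs uploadToAppSweepDebug or uploadToAppSweepRelease; the
                        // plugin builds the variant, uploads it and prints the scan URL.
                        sh "./gradlew uploadToAppSweep${params.VARIANT}"
                    }
                }
            }
        }
    }
}
```

The first run of a parameterized pipeline uses the default (first) choice, Debug; a release build is triggered with "Build with Parameters" and VARIANT set to Release, or from a separate job that passes the parameter.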

View the results

After configuring the pipeline, every run (for each commit, release, nightly build, etc.) automatically uploads your application to AppSweep. The AppSweep UI lists all scans in chronological order; clicking the most recent one opens the detailed results of your last pipeline execution.

[Screenshot: list of scans in the AppSweep UI]

Developers in your team no longer have to worry about manually uploading their app into AppSweep. Instead, they just have to trigger the pipeline and afterwards open up the corresponding AppSweep project. There they can immediately see which issues and vulnerabilities their app contains and easily fix them by applying the recommendations provided.
