The analysis of the application for potential security issues can be automated by triggering the analysis from within the Continuous Integration (CI) pipeline with Jenkins.
This guide explains how to integrate AppSweep with Jenkins.
Prerequisites
Make sure the guardsquare CLI is installed and can be used from the Jenkins step.
Installation can be done via
curl -fsSL https://platform.guardsquare.com/cli/install.sh | sh -s -- --yes
Depending on your Jenkins setup, there are various places where this installation can be done:
If your steps run in a docker agent, you can install the CLI directly in that docker image, or
you can install the CLI in the Jenkins step directly, or
you can install the CLI on the Jenkins machine.
Configure your Jenkins step to initiate the scan
Set up the proper environment (i.e. Android, Gradle, etc…) in your Jenkins pipeline.
Store the AppSweep API key as a Jenkins credential. The CLI will use the APPSWEEP_API_KEY environment variable to associate the build with your AppSweep project.
Add the following stage to your Jenkinsfile:
stages {
stage('Upload To AppSweep') {
steps {
dir(PROJECT_DIR) {
withCredentials([string(credentialsId: 'appsweep-api-key',
variable: 'appsweep_key')]) {
withEnv(["APPSWEEP_API_KEY=$appsweep_key"]){
sh(script: "guardsquare scan ./app/build/outputs/apk/debug/app-debug.apk --mapping_file ./app/build/outputs/mapping/debug/mapping.txt",
returnStdout: true)
}
}
}
}
}
}Note: the path to your app might be different, depending on your setup. Uploading the mapping file is optional, but will help you locate the findings much easier when R8 is enabled.
After configuring the pipeline steps, your pipeline automatically uploads your mobile application to AppSweep whenever it runs, e.g. for each commit, release, nightly test, etc.
In the AppSweep UI you will see all scans, chronologically ordered.