Using Gradle to Automate your AppSweep Scans for Android Apps

Use the AppSweep Gradle Plugin to automatically upload your Android app during the build process


โ„น๏ธ This AppSweep feature is only available for Android applications

Configuring the Plugin

The AppSweep plugin is published in the Gradle Public Repository, and can be easily added to your Android project by adding the following code block to your app/build.gradle.

plugins {
    id "com.guardsquare.appsweep" version "latest.release"
    // Apply other plugins here
}

Important: AppSweep must run after the Android and DexGuard plugins. To ensure this, add the AppSweep plugin below Android and DexGuard in the plugins section.

Also note: the dynamic version latest.release requires at least Gradle 7. If you want to build with an older Gradle version, you need to specify a version number.

Next, you need to configure the plugin by providing an API key for your project.

Creating an API Key

🚀 You can create an API key in the API Keys section of your project settings.

This API key can then be provided either by storing it in the environment variable APPSWEEP_API_KEY or by adding an appsweep block to your app/build.gradle.

Initiate the Scan

When the Gradle plugin is enabled and configured, multiple uploadToAppSweep* Gradle tasks are registered.

More specifically, one task will be registered for each build variant of your app. For example, if you want to upload your release build variant, you can run:

gradle uploadToAppSweepRelease

in the root folder of your app.

Moreover, if you have obfuscation enabled for a specific build variant, the plugin will pick up the obfuscation mapping file and upload that alongside the app.

To see all available AppSweep tasks, use

gradle tasks --group=AppSweep

Further Configuration

In the appsweep-block in your app/build.gradle(.kts) file, you can make additional configurations.

API key

Instead of using the environment variable for the API key, you can also specify it in the appsweep-block:

appsweep {
    apiKey "gs_appsweep_SOME_API_KEY"
}
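
A pre-upload check for the two ways of supplying the key described above, as an added example that is not part of the original article or of the AppSweep plugin: it stops before the upload when a literal key sits in a build file, and requires APPSWEEP_API_KEY to be set instead. It assumes real keys share the gs_appsweep_ prefix of the placeholder shown here; the function names find_hardcoded_keys and appsweep_preflight are hypothetical.

```shell
#!/bin/sh
# Added example: guard for CI jobs that run `gradle uploadToAppSweepRelease`.
# Assumption: real keys start with the "gs_appsweep_" prefix of the
# article's placeholder value.

# Print "file:line" for every build file under $1 that embeds a literal key.
# Only the location is printed, never the key, so the output is safe for CI logs.
find_hardcoded_keys() {
    find "$1" \( -name 'build.gradle' -o -name 'build.gradle.kts' \) -type f \
        -exec grep -nE 'gs_appsweep_[A-Za-z0-9_-]+' /dev/null {} + 2>/dev/null |
        cut -d: -f1,2
}

# Return 0 only when no build file embeds a key and the key is supplied
# through the environment. Return 2 for a hardcoded key, 3 for a missing variable.
appsweep_preflight() {
    project_dir=$1
    hits=$(find_hardcoded_keys "$project_dir")
    if [ -n "$hits" ]; then
        echo "AppSweep API key hardcoded in:" >&2
        echo "$hits" >&2
        return 2
    fi
    if [ -z "${APPSWEEP_API_KEY:-}" ]; then
        echo "APPSWEEP_API_KEY is not set" >&2
        return 3
    fi
    return 0
}

# Usage in CI, from the root folder of the app:
#   appsweep_preflight . && gradle uploadToAppSweepRelease
```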


By default, the Gradle plugin will tag each uploaded build with the variant name (e.g. Debug or Release). Additionally, it will add a Protected tag for builds uploaded using the uploadToAppSweep{variant}Protected tasks. You can override this behavior and set your own tags:

appsweep {
    apiKey "gs_appsweep_SOME_API_KEY"
    configurations {
        release {
            tags "Public"
        }
    }
}

This will tag all builds of the release variant with Public.

Commit hash

By default, the Gradle plugin will keep track of the current commit hash. This will then be displayed along with your build results so you can easily identify which version was analyzed. By default the command git rev-parse HEAD is used to obtain this commit hash.

If you don't want to keep track of the commit hash, you can turn off this feature by specifying the addCommitHash option:

appsweep {
    apiKey "gs_appsweep_SOME_API_KEY"
    addCommitHash false
}

You can also use an alternative command to retrieve the commit hash by overriding the commitHashCommand option:

appsweep {
    apiKey "gs_appsweep_SOME_API_KEY"
    commitHashCommand "hg id -i"
}

The output of the command is attached to the newly created build, and will be shown in the results to identify that specific commit.

Task caching

By default, the upload tasks are cached and won't run if the app is unchanged.

If this is not the desired behavior you can disable the caching and guarantee the creation of a new scan every time an upload task is run (Android Studio might show a warning in this case, but it can be ignored):

appsweep {
    apiKey "gs_appsweep_SOME_API_KEY"
    cacheTask false
}

Still have questions? Contact us via the chat 💭
