Skip to main content
All CollectionsIntegrations & Automation
Using Gradle to Automate your AppSweep Scans for Android Apps
Using Gradle to Automate your AppSweep Scans for Android Apps

Use the AppSweep Gradle Plugin to automatically upload your Android app during the build process

Updated yesterday

ℹ️ This AppSweep feature is only available for Android applications.

ℹ️ The AppSweep Gradle plugin is only compatible with Gradle versions below 8.7.

Configure AppSweep Gradle plugin

To use the plugin, add the following to your app/build.gradle:

plugins { 
  id "com.guardsquare.appsweep" version "latest.release" 
  // Apply other plugins here 
}

Important: put the Appsweep plugin below Android and Dexguard in the plugins section.

Note: the dynamic version latest.release requires at least Gradle 7. If you want to build with an older Gradle version, you need to specify a version number. The latest version number can be found in the Gradle Plugins Portal.

Creating an API Key

Create an API key via your AppSweep application's settings page.

The key can be tested locally with:

APPSWEEP_API_KEY=gs_appsweep_YOUR_API_KEY ./gradlew uploadToAppSweepDebug

This schedules the app scan and provides the URL to view the results.

The AppSweep Gradle plugin attaches Git commit hashes automatically to the scan. For other version control systems and further customization options refer to plugin documentation.

Initiate the Scan

When the Gradle plugin is enabled and configured, one uploadToAppSweep* Gradle task will be registered for each build variant of your app.

For example, if you want to upload your release build variant, you can run the following in the root folder of your app.

gradle uploadToAppSweepRelease

Note: If obfuscation is enabled for a specific build variant, the plugin will pick up the obfuscation mapping file and upload it alongside the app.

To see all available AppSweep tasks, run

gradle tasks --group=AppSweep

Further Configuration

In the appsweep-block in your app/build.gradle(.kts) file, you can make additional configurations.

API key

Instead of using the environment variable for the API key, you can also specify it in the appsweep-block:

appsweep { 
    apiKey "gs_appsweep_SOME_API_KEY" 
}

Tags

By default, the Gradle plugin will tag each uploaded build with the variant name (e.g. Debug or Release). Additionally it will add a Protected tag for builds uploaded using the uploadToAppSweep{variant}Protected tasks. You can override this behavior and set your own tags:

appsweep { 
    apiKey "gs_appsweep_SOME_API_KEY" 
    configurations { 
        release { 
            tags "Public" 
        } 
    } 
}

This will tag all builds of the release variant with Public.

Commit hash

By default, the Gradle plugin will keep track of the current commit hash. This will then be displayed along with your build results so you can easily identify which version was analyzed. By default the command git rev-parse HEAD is used to obtain this commit hash.

To turn off commit hash tracking set the addCommitHash option to false:

appsweep { 
    apiKey "gs_appsweep_SOME_API_KEY"
    addCommitHash false
}

If needed, the commitHashCommand option can be overridden:

appsweep { 
    apiKey "gs_appsweep_SOME_API_KEY"
    commitHashCommand "hg id -i"
}

The output of the command is attached to the newly created build, and will be shown in the results to identify that specific commit.

Task caching

By default, the upload tasks are cached and won't run if the app is unchanged.

To disable the caching and guarantee the creation of a new scan every time an upload task is run set the cacheTask option to false:

appsweep {     
    apiKey "gs_appsweep_SOME_API_KEY"     
    cacheTask false 
}
Did this answer your question?