โน๏ธ This AppSweep feature is only available for Android applications
Configuring the Plugin
The AppSweep plugin is published in the Gradle Public Repository, and can be easily added to your Android project by adding the following code block to your app/build.gradle.
plugins {
id "com.guardsquare.appsweep" version "latest.release"
// Apply other plugins here
}Important: Appsweep must run after Android and Dexguard plugins, by adding the Appsweep plugin below Android and Dexguard in the plugins section.
Also note: the dynamic version latest.release requires at least Gradle 7. If you want to build with an older Gradle version, you need to specify a version number.
Next, you need to configure the plugin by providing an API key for your project.
Creating an API Key
๐ You can create an API key in the API Keys section of your project settings.
This API key can then either be stored in the environment variable APPSWEEP_API_KEY, or by adding a appsweep block to your app/build.gradle.
Initiate the Scan
When the Gradle plugin is enabled and configured, some multiple uploadToAppSweep* Gradle tasks are registered.
More specifically, one task will be registered for each build variant of your app. For example, if you want to upload your release build variant, you can run:
gradle uploadToAppSweepRelease
in the root folder of your app.
Moreover, if you have obfuscation enabled for a specific build variant, the plugin will pick up the obfuscation mapping file and upload that alongside the app.
To see all available AppSweep tasks, use
gradle tasks --group=AppSweep
Further Configuration
In the appsweep-block in your app/build.gradle(.kts) file, you can make additional configurations.
API key
Instead of using the environment variable for the API key, you can also specify it in the appsweep-block:
appsweep {
apiKey "gs_appsweep_SOME_API_KEY"
}
Tags
By default, the Gradle plugin will tag each uploaded build with the variant name (e.g. Debug or Release). Additionally it will add a Protected tag for builds uploaded using the uploadToAppSweep{variant}Protected tasks. You can override this behavior and set your own tags:
appsweep {
apiKey "gs_appsweep_SOME_API_KEY"
configurations {
release {
tags "Public"
}
}
}
This will tag all builds of the release variant with Public.
Commit hash
By default, the Gradle plugin will keep track of the current commit hash. This will then be displayed along with your build results so you can easily identify which version was analyzed. By default the command git rev-parse HEAD is used to obtain this commit hash.
If you don't want to keep track of the commit hash, you can turn off this feature by specifying the addCommitHash option:
appsweep {
apiKey "gs_appsweep_SOME_API_KEY"
addCommitHash false
}You can also use an alternative command to retrieve the commit hash by overriding the commitHashCommand option:
appsweep {
apiKey "gs_appsweep_SOME_API_KEY"
commitHashCommand "hg id -i"
}The output of the command is attached to the newly created build, and will be shown in the results to identify that specific commit.
Task caching
By default, the upload tasks are cached and won't run if the app is unchanged.
If this is not the desired behavior you can disable the caching and guarantee the creation of a new scan every time an upload task is run (Android Studio might show a warning in this case, but it can be ignored):
appsweep {
apiKey "gs_appsweep_SOME_API_KEY"
cacheTask false
}Still questions? Contact us via the chat ๐ญ