The Data Theorem Mobile App Security Plugin can be used to upload PreProd mobile binaries directly to Data Theorem for scanning during your CI/CD Jenkins pipeline.
...
- Retrieves the mobile app binary generated during the building steps.
- Calls the Data Theorem Upload API to upload the mobile app binary directly to Data Theorem for scanning.
Step By Step Guide
Add the plugin to your Jenkins
Update the plugin
| ||||||||||
Add your Upload API key to the Jenkins global configurationRetrieve your Upload API key using the Data Theorem portal at https://www.securetheorem.com/sdlc. The Upload API Key will be in the “API Key” section. Then, on the home page of your Jenkins instance, click on Credentials in the sidebar, and then navigate to System and click on Add credentials You will be able to create a Secret text credentials:
| ||||||||||
Add or update a Jenkins jobGo back to the home page of your Jenkins instance and open the configuration page of the job that is used as the CI/CD pipeline of your iOS or Android application: From the configuration page you will have to modify multiple sections:
| ||||||||||
Get access to your API KeyUse the Credential Binding Plugin to bind the API Key added in the previous step to an environment variable. The environment variable must be called: DATA_THEOREM_UPLOAD_API_KEY. | ||||||||||
Add your building stepsBuild your sources using the Build section. You need to generate a valid .apk/.ipa package during this step. | ||||||||||
Add your Data Theorem plugin to the jobThe Data Theorem plugin can be added from the Add post-build action list Configure the plugin by indicating the file name that will be generated on the Build To Upload field.This allows the plugin to retrieve the package and to upload it. Examples of Glob Pattern: app-*.apk : search for any apk starting with app- in workspace root directory Advanced section: You can simulate what file would be sent without actually uploading it to Data Theorem, by checking Don't Upload Build in the advanced options. Only builds that needed be analyzed by Data Theorem's mobile app security services should be sent. You can upload a mapping file using the Android Mapping File to have scan results deobfuscated.
Proxy Configuration section: If needed you can configure the plugin to hit your company proxy on the advanced option of Post-Build Actions. | Proxy Configuration section: Advanced section: | |||||||||
Start a new build to test the pluginYou can test that the plugin is correctly configured by starting a new build and then access the last build result. If the plugin works you should get the following console output: | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|
Alternative way: use the Data Theorem plugin inside a DSL pipelineSince version 1.3.0, the jenkins plugin is compatible with DSL pipelines. After the different builds stages add a new stage: Upload Build To Data Theorem. You will have to set an environment variable with your secret upload api key using the command withCredentials() from the credential binding plugin
The plugin also support scripted pipeline integration, you will need to replace the DSL command with the following command: [$class :'SendBuildToDataTheoremPublisher', buildToUpload: '**/*.apk', mappingFileToUpload: null, dontUpload: false, dataTheoremUploadApiKey: env.DATA_THEOREM_UPLOAD_API_KEY, proxyHostname: '', proxyPort: 0, proxyUsername: '', proxyPassword: '', proxyUnsecuredConnection: false] |
|
...