The following steps allow organizations to automatically scan pre-production releases of their mobiles mobile apps using existing developer tools and processes. DevOps can fully automate the SDLC by integrating our API to existing CI/CD tools such as Travis CI, Jenkins, Bitrise, fastlaneFastlane, Xcode server, etc.
Quickstart guide
The Upload API can be used to upload PreProd mobile binaries directly to Data Theorem for scanning. The full documentation is available at: https://datatheorem.github.io/PortalApi/upload_api.html.
Step 1:
...
Retrieving the Upload API key
First, you will need to retrieve your organization's Upload API key from the portal, at https://www.securetheorem.com/sdlc within the “API Key” section:/devsecops/v2/scancicdat the top of the page:
Step 2:
...
Configuring an upload step in CI/CD
Most CI/CD systems (Travis CI, Bitrise, CircleCI, etc.) allow running a bash script as a step within the CI pipeline. A new step should be added at the end of your existing mobile pipeline to upload the signed application binary (APK or IPA) to Data Theorem.
...
The following bash script can then be used as the upload step:
Code Block | ||
---|---|---|
| ||
#!/usr/bin/env bash # Fail if any commands fails set -eex maxRetries=3 for (( retry = 0; retry < maxRetries; retry++ )) do # Step 1: get the upload URL echo "Get upload url" step1_response=$(curl -s -w "%{http_code}" -X POST -H "Authorization: BearerAPIKey ${DT_UPLOAD_API_KEY}" --data "" https://api.securetheorem.com/uploadapi/v1/upload_init) http_code=${step1_response: -3} response_body=${step1_response::-3} # For older versions of bash e.g. GNU upload_url=$(echo bash, version 3.2.57(1)-release (x86_64-apple-darwin21) # response_body=${step1_response%???} # http_code=${step1_response#${response_body}} | cut -f 3 -d" " | tr -d '"') # Check that http status code is 200 [ ! ${http_code} -eq 200 ] && echo ${response_body} && exit 1 upload_url=$(echo ${response_body} | jq -r ".upload_url") echo ${upload_url} # Step 2: upload the APK echo "Upload app" step2_response=$(curl -F file=@${SIGNED_BINARY_PATH} ${upload_url}) && echo ${step2_response} && break done if [ ${retry} --retry 3)ge ${maxRetries} ]; then echo "Upload failed after ${maxRetries} attempts" exit 1 fi |
It is possible to specify optional data elements with the submission. Optional parameters include
- test credentials (username and password) to be used during the dynamic analysis of the application
- release_id and external_id to help you identify this application and build
- platform variant for iOS applications
- and more
For more information on the available optional data elements, please see the Upload API documentation. You can add one or more -F "key=value" blocks to the curl command used in Step 2. For example, if you would like to submit test credentials for dynamic testing and the external id of the app, you can modify the Step 2 curl command as follows, while keeping the rest of the script unchanged.
step2_response=$(curl -F file=@${SIGNED_BINARY_PATH} -F "username=test" -F "password=${TEST_PASSWORD}" -F "external_id=12345" ${upload_url}) && echo ${step2_response} && break
Once the CI/CD uploads are enabled, pre-production scans will be completed automatically. Please note:
- Scan alerts will still be sent when pre-production scans start and complete
- Public app store releases will still be scanned as well
- All results will be published to the portal (where pre-prod apps are labeled as “PreProd”)
Additional Resources
More detailed guides are available for specific CI/CD systems: