1. First, get your Data Theorem Upload API Key by following step 1 on this page: Pre-Production Scans: Uploads via CI/CD

2. A new step should be added at the end of your existing mobile pipeline to upload the signed application binary (APK or IPA) to Data Theorem.

This new step requires:

Here is a sample Buildkite pipeline that uploads a Mobile App Binary to Data Theorem for scanning after a build step:

env:
  SIGNED_BINARY_PATH: "app-debug.apk"
steps:
  - label: "Build Mobile App Binary"
    command: "echo 'Example mobile binary build step...'"
  - label: "Upload Mobile App Binary to Data Theorem for scanning"
    command: "
      echo 'Get upload url';
      step1_response=$(curl -s -w '%{http_code}' -X POST -H \"Authorization: APIKey \\$DT_UPLOAD_API_KEY\"  --data ''  https://api.securetheorem.com/uploadapi/v1/upload_init);
      http_code=\\${step1_response: -3};
      response_body=\\${step1_response::-3};
      [ ! \\${http_code} -eq 200 ] && echo \\${response_body} && exit 1;
      upload_url=\\$(echo \\${response_body} | jq -r \".upload_url\");
      echo \\$upload_url;
      
      echo 'Upload app';
      step2_response=$(curl --fail-with-body -F file=@${SIGNED_BINARY_PATH} \\${upload_url}) && echo \\$step2_response;
      "

In the Buildkite UI, it should look like this:

 

After running the step, you should get an output like this:

Once the CI/CD uploads are enabled, pre-production scans will be completed automatically. Please note:

Optional inputs:

Some additional inputs can be added along with the binary upload, such as credentials for dynamic scanning.
See documentation at: Pre-Production Scans: Uploads via CI/CD
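
The upload step from the sample pipeline above, rewritten as a stand-alone script that the Buildkite step can call instead of an inline command with escaped `$` (an added example, not Data Theorem's own code). The endpoint, header format, `upload_url` field and `file` form field are taken from the pipeline above; the script name, the HTTPS check on `upload_url` and passing the header on stdin are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Data Theorem's own script. Assumes curl >= 7.76 and jq on the
# agent, and DT_UPLOAD_API_KEY injected from the agent's secret store.
set -eu
LC_ALL=C; export LC_ALL   # byte-wise ranges in the pattern below

DT_INIT_URL="https://api.securetheorem.com/uploadapi/v1/upload_init"

# curl -w '%{http_code}' appends the 3-digit status to the body; split them apart.
http_status() { printf '%s' "${1#"${1%???}"}"; }
http_body()   { printf '%s' "${1%???}"; }

# True only for an https:// URL made of printable, non-space ASCII.
# Rejects "null" (jq -r output when the field is missing) and plain http.
is_https_url() {
  case "$1" in
    *[!!-~]*) return 1 ;;
    https://?*) return 0 ;;
    *) return 1 ;;
  esac
}

dt_upload() {
  binary=$1
  [ -f "$binary" ] || { echo "binary not found: $binary" >&2; return 1; }
  : "${DT_UPLOAD_API_KEY:?DT_UPLOAD_API_KEY is not set}"
  # Step 1: the header is fed on stdin (-H @-), keeping the key out of curl's argv.
  resp=$(printf 'Authorization: APIKey %s\n' "$DT_UPLOAD_API_KEY" |
    curl -s -w '%{http_code}' -X POST -H @- --data '' "$DT_INIT_URL") ||
    { echo "upload_init request failed" >&2; return 1; }
  if [ "$(http_status "$resp")" != "200" ]; then
    http_body "$resp" >&2
    return 1
  fi
  upload_url=$(http_body "$resp" | jq -r '.upload_url')
  is_https_url "$upload_url" ||
    { echo "upload_init response had no usable upload_url" >&2; return 1; }
  # Step 2: multipart upload of the signed binary, failing the build on any HTTP error.
  curl --fail-with-body -F "file=@$binary" "$upload_url"
}

# Run only when given a binary path, e.g. ./dt_upload.sh app-debug.apk
if [ "$#" -gt 0 ]; then dt_upload "$1"; fi
```

With the script committed at a path such as `.buildkite/dt_upload.sh` (hypothetical), the upload step's `command` reduces to a call to that script with the signed binary path as its argument.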