Pre-Production Scans: Uploads via Buildkite

Demo video

datatheorem_mobile_secure_buildkite_plugin.mp4

datatheorem/data-theorem-mobile-secure Buildkite plugin:

steps:
  - label: "Build Mobile App Binary"
    # replace this step with your own logix to build the pre-prod mobile binary that you want to scan
    command: "echo 'Example mobile binary build step...'"

  - label: "Upload Mobile App Binary to Data Theorem for scanning"
    plugins:
      - datatheorem/data-theorem-mobile-secure:
          UPLOAD_API_KEY: $(buildkite-agent secret get DT_UPLOAD_API_KEY)
          SIGNED_BINARY_PATH: "app-debug.apk" # path to the pre-prod mobile binary built in the previous step

See https://github.com/datatheorem/data-theorem-mobile-secure-buildkite-plugin for more details on how to use the plugin

Manual setup:

First, get your Data Theorem Upload API Key by according to step 1 on this page: Pre-Production Scans: Uploads via CI/CD
A new step should be added at the end of your existing mobile pipeline to upload the signed application binary (APK or IPA) to Data Theorem.

This new step requires:

The Upload API key retrieved in step 1 to be available in the CI system via the DT_UPLOAD_API_KEY environment variable.
This API key is sensitive, please see Buildkite’s official documentation on Managing pipeline secrets
The path to the compiled and signed mobile binary to be available in the CI system via the SIGNED_BINARY_PATH environment variable.

Here is a sample Buildkite pipeline that uploads a Mobile App Binary to Data Theorem for scanning after a build step:

env:
  SIGNED_BINARY_PATH: "app-debug.apk"
steps:
  - label: "Build Mobile App Binary"
    command: "echo 'Example monile binary build step...'"
  - label: "Upload Mobile App Binary to Data Theorem for scanning"
    command: "
      echo 'Get upload url';
      step1_response=$(curl -s -w '%{http_code}' -X POST -H \"Authorization: APIKey \\$DT_UPLOAD_API_KEY\"  --data ''  https://api.securetheorem.com/uploadapi/v1/upload_init);
      http_code=\\${step1_response: -3};
      response_body=\\${step1_response::-3};
      [ ! \\${http_code} -eq 200 ] && echo \\${response_body} && exit 1;
      upload_url=\\$(echo \\${response_body} | jq -r \".upload_url\");
      echo \\$upload_url;
      
      echo 'Upload app';
      step2_response=$(curl --fail-with-body -F file=@${SIGNED_BINARY_PATH} \\${upload_url}) && echo \\$step2_response;
      "

In the Buildkite UI, it should look like this:

After running the step, you should get an output like this

Once the CI/CD uploads are enabled, pre-production scans will be completed automatically. Please note:

Scan alerts will still be sent when pre-production scans start and complete
- Public app store releases will still be scanned as well
- All results will be published to the portal (where pre-prod apps are labeled as “PreProd”)

Optional inputs:

Some additional inputs can be added along with the mobile app binary upload, such as credentials for dynamic scanning.
See documentation at: Pre-Production Scans: Uploads via CI/CD