Pre-Production Scans: Uploads via Gitlab

Owned by Marc Tranzer (Unlicensed)
Last updated: Aug 06, 2019 by Alban (Unlicensed)
2 min read


The following steps allow organizations to automatically scan pre-production releases of their mobiles apps using Gitlab CI/CD

Quickstart guide

The Upload API can be used to upload PreProd mobile binaries directly to Data Theorem for scanning. The full documentation is available at: https://datatheorem.github.io/PortalApi/upload_api.html.

Step 1: retrieving the Upload API key

First, you will need to retrieve your organization's Upload API key from the portal, at https://www.securetheorem.com/sdlc/api_access within the “API Key” section:

Step 2: configuring an upload step in CI/CD

Gitlab CI/CD allows running bash commands as a deploy step within the gitlab-ci.yml file. A new step should be added at the end of your existing mobile pipeline to upload the signed application binary (APK or IPA) to Data Theorem.

This new upload step requires:

  • The Upload API key retrieved in step 1 to be available in the CI system via the DATA_THEOREM_UPLOAD_API_KEY environment variable.
  • Define the  path to the previously generated artifact as an environment variable or directly into the yaml step

You can create an environment variable if you are maintainer of the project by accessing project Settings → CI / CD → Variables
You should restrict DATA_THEOREM_UPLOAD_API_KEY access to protected branch only or at least mask the environment variable

The following Gitlab CI step can then be used as the upload step:

deploy:
  # Deploy the generated apk to Data Theorem
  stage: deploy
  before_script:
  # jq will simplify extraction of the upload_url from the upload_init response
  - apt-get --quiet update --yes
  - apt-get --quiet install --yes jq
  script:
  # The plugin needs a valid customer API Key from Data Theorem. To find your API Key, you can connect to https://www.securetheorem.com/sdlc using your Data Theorem user account
  # You should store privately your API Key on gitlab: https://docs.gitlab.com/ee/ci/variables/ 

  # Generate an upload link 
  - export upload_url=$(curl -X POST -H "Authorization:APIKey $DATA_THEOREM_UPLOAD_API_KEY"  --data ""  https://api.securetheorem.com/uploadapi/v1/upload_init | jq -r ".upload_url")
  - echo $upload_url
  # Send the apk at the upload link
  - curl -F file=@<PATH_TO_YOUR_FILE> $upload_url

Once the CI/CD uploads are enabled, pre-production scans will be completed automatically. Please note:

  • Scan alerts will still be sent when pre-production scans start and complete
  • Public app store releases will still be scanned as well
  • All results will be published to the portal (where pre-prod apps are labeled as “PreProd”)

Additional Resources

You can download a complete example here: https://gitlab.com/datatheorem/ci-app-upload-example.
This example runs tests on a simple android project, then builds an APK, and then uploads it to Data Theorem Mobile.