The following steps allow organizations to automatically scan pre-production releases of their mobiles apps using Gitlab CI/CD
Quickstart guide
The Upload API can be used to upload PreProd mobile binaries directly to Data Theorem for scanning. The full documentation is available at: https://datatheorem.github.io/PortalApi/upload_api.html.
Step 1: retrieving the Upload API key
First, you will need to retrieve your organization's Upload API key from the portal, at https://www.securetheorem.com/sdlc/api_access within the “API Key” section:
Step 2: configuring an upload step in CI/CD
Gitlab CI/CD allows running bash command as a deploy step within the gitlab-ci.yml file. A new step should be added at the end of your existing mobile pipeline to upload the signed application binary (APK or IPA) to Data Theorem.
This new upload step requires:
- The Upload API key retrieved in step 1 to be available in the CI system via the DATA_THEOREM_UPLOAD_API_KEY environment variable.
- Define the path to the previously generated artifact as an environment variable or directly into the yaml step
You can create an environment variable if you are maintainer of the project by accessing project Settings → CI / CD → Variables
You should restrict DATA_THEOREM_UPLOAD_API_KEY access to protected branch only or at least mask the environment variable
The following gitlab CI step can then be used as the upload step:
deploy: # Deploy the generated apk to Data Theorem stage: deploy before_script: # jq will simplify extraction of the upload_url from the upload_init response - apt-get --quiet update --yes - apt-get --quiet install --yes jq script: # The plugin needs a valid customer API Key from Data Theorem. To find your API Key, you can connect to https://www.securetheorem.com/sdlc using your Data Theorem user account # You should store privately your API Key on gitlab: https://docs.gitlab.com/ee/ci/variables/ # Generate an upload link - export upload_url=$(curl -X POST -H "Authorization:APIKey $DATA_THEOREM_UPLOAD_API_KEY" --data "" https://api.securetheorem.com/uploadapi/v1/upload_init | jq -r ".upload_url") - echo $upload_url # Send the apk at the upload link - curl -F file=@<PATH_TO_YOUR_FILE> $upload_url
Once the CI/CD uploads are enabled, pre-production scans will be completed automatically. Please note:
- Scan alerts will still be sent when pre-production scans start and complete
- Public app store releases will still be scanned as well
- All results will be published to the portal (where pre-prod apps are labeled as “PreProd”)
Additional Resources
You can download a complete example here: https://gitlab.com/marcTranzer/test-upload/-/jobs.
This example runs tests on a simple android project, then build an apk and finally deploy it to Data Theorem Mobile.