Quickstart guide
This article describes how to configure a Bitbucket pipeline to automatically upload mobile app binaries to Data Theorem for scanning.
To automatically upload a mobile binary from a Bitbucket pipeline, a new step should be added at the end of your existing pipeline to upload the signed application binary (APK or IPA) to Data Theorem.
Note: if your project does not yet have a pipeline, please refer to Bitbucket’s documentation on how to create one to build your application, before continuing with this guide
Step 1: retrieving the Upload API key
First, you will need to retrieve your organization's Upload API key from the portal, at https://www.securetheorem.com/sdlc/api_access within the “API Key” section:
Step 2: adding the Upload API key as an environment variable
Add your Upload API key retrieved in step 1 as a secure environment variable called DT_UPLOAD_API_KEY in your repository’s variables:
Step 3: defining an artifact for an existing pipeline step
In order to upload a mobile binary, it must first be defined as an artifact in one of your pipeline’s steps inside your project’s bitbucket-pipelines.yml
.
To do this, add an artifacts
section (if it is not already present) to the step responsible for building the artifact, and specify the path to the APK or IPA for upload.
For example, in your bitbucket-pipelines.yml
file, for an existing step like the following that builds an apk:
- step: name: 'Build app' script: - ./gradlew assembleRelease - ...
we should add the following lines to define the apk artifact built by this step:
artifacts: - build/app/outputs/apk/release/app-release.apk
The final result would be:
- step: name: 'Build app' script: - ./gradlew assembleRelease - ... artifacts: - build/app/outputs/apk/release/app-release.apk
Step 4: add a step to upload the binary to Data Theorem
Add the following step to your pipeline following the previous one responsible for building the artifact:
image: curlimages/curl script: - SIGNED_BINARY_PATH=/path/to/signed/binary - - for i in {1..3}; do - # Step 1: get the upload URL - echo "Get upload url" - >- step1_response=$(curl -s -w "%{http_code}" -X POST -H "Authorization: APIKey ${DT_UPLOAD_API_KEY}" --data "" https://api.securetheorem.com/uploadapi/v1/upload_init) - >- http_code=${step1_response: -3} - response_body=${step1_response::-3} - - # Check that http status code is 200 - >- [ ! ${http_code} -eq 200 ] && echo ${response_body} && exit 1 - upload_url=$(echo ${response_body} | cut -d '"' -f4) - echo ${upload_url} - - # Step 2: upload the APK - echo "Upload app" - curl --fail-with-body -i -F file=@${SIGNED_BINARY_PATH} ${upload_url} - done
Note that the value of SIGNED_BINARY_PATH
should be replaced with the path of the artifact defined in the previous step. In the above example that would be build/app/outputs/apk/release/app-release.apk
.
Step 5: save and deploy
Save and commit the changes to bitbucket-pipelines.yml
. The pipeline is now ready. Once the CI/CD uploads are completed, pre-production scans will be run automatically. Please note:
Scan alerts will still be sent when pre-production scans start and complete
Public app store releases will still be scanned as well
All results will be published to the portal (where pre-prod apps are labeled as “PreProd”)