This is the source repository for building the Docker image used within GitLab CI. The image lets you integrate Ostorlab autonomous security testing for Android and iOS mobile apps into your build process.
Powered by static taint analysis, 3rd party dependencies fingerprinting and vulnerability analysis, dynamic instrumentation and novel backend scanning capabilities, Ostorlab leads the way providing the most advanced vulnerability detection capabilities.
To get more information visit us at https://www.ostorlab.co
To generate an API key:

- Go to the API keys menu.
- Click the new button to generate a new key.
- Copy the API key (you can add a name and an expiry date to your key).
- Click the save button to save your key.
Variables common to every scan:

- `OSTORLAB_API_KEY` - Specifies your API key.
- `OSTORLAB_FILE_PATH` - Specifies the path to the Android APK file or the iOS IPA file. This is mandatory if you are scanning a mobile application.
- `OSTORLAB_URLS` - Specifies the list of URLs to scan (separated by space). This is mandatory if you are scanning a Web application.
- `OSTORLAB_PLATFORM` - Specifies the platform. Possible values: `android`, `ios` or `link`.
Optional variables for a mobile scan:

- `OSTORLAB_SCAN_PROFILE` - Selects the scan profile to run. You can choose between `Fast Scan` for rapid static analysis or `Full Scan` for full Static, Dynamic and Backend analysis.
- `OSTORLAB_TITLE` - Specifies the scan title.
- `OSTORLAB_RISK_THRESHOLD` - Sets a risk rating threshold to break the pipeline if exceeded.
- `OSTORLAB_MAX_WAIT_MINUTES` - Specifies the number of minutes to wait. Default value: `30`. It is applied only if `OSTORLAB_RISK_THRESHOLD` is set.
- `OSTORLAB_SBOM_FILES` - A space-separated list of paths to SBOM files.
- `OSTORLAB_CREDENTIALS` - A semicolon-separated list of credentials, each in the format `login,password`. For example: `"user1,pass1;user2,pass2"`.
- `OSTORLAB_CUSTOM_CREDENTIALS` - A semicolon-separated list of custom credentials in the format `name,value`. For example: `"api_token,12345;secret_key,67890"`.
- `OSTORLAB_UI_PROMPT_NAMES` - A semicolon-separated list of UI prompt names. For example: `shop;profile;cart;settings`. Each name corresponds by position to an action in `OSTORLAB_UI_PROMPT_ACTIONS`.
- `OSTORLAB_UI_PROMPT_ACTIONS` - A semicolon-separated list of UI prompt actions. For example: `search for a product named "laptop" and add it to cart;open the profile tab and update email;review cart and proceed to checkout;open settings and enable notifications`. Each action corresponds by position to a name in `OSTORLAB_UI_PROMPT_NAMES`.
- `OSTORLAB_UI_PROMPT_IDS` - A semicolon-separated list of UI prompt flow IDs to reuse existing prompt flows. For example: `123e4567-e89b-12d3-a456-426614174000;abcdef12-3456-7890-abcd-ef1234567890`. You can use this in addition to or instead of the name/action variables. Multiple IDs can be provided.

Note: The number of names and actions must match, and each name/action pair is positional. You can use both name/action and ID variables together.
Optional variables for a Web scan:

- `OSTORLAB_SCAN_PROFILE` - Set the value to `Full Web Scan` for a Web scan.
- `OSTORLAB_TITLE` - Specifies the scan title.
- `OSTORLAB_RISK_THRESHOLD` - Sets a risk rating threshold to break the pipeline if exceeded.
- `OSTORLAB_MAX_WAIT_MINUTES` - Specifies the number of minutes to wait. Default value: `30`. It is applied only if `OSTORLAB_RISK_THRESHOLD` is set.
- `OSTORLAB_SBOM_FILES` - A space-separated list of paths to SBOM files.
- `OSTORLAB_CREDENTIALS` - A semicolon-separated list of credentials, each in the format `login,password,role,url`. For example: `"user1,pass1,admin,https://example.com;user2,pass2,user,https://example.com"`. The role and url values are mandatory for Web scans.
- `OSTORLAB_CUSTOM_CREDENTIALS` - A semicolon-separated list of custom credentials in the format `name,value`. For example: `"api_token,12345;secret_key,67890"`.
- `OSTORLAB_UI_PROMPT_NAMES` - A semicolon-separated list of UI prompt names. For example: `shop;profile;cart;settings`. Each name corresponds by position to an action in `OSTORLAB_UI_PROMPT_ACTIONS`.
- `OSTORLAB_UI_PROMPT_ACTIONS` - A semicolon-separated list of UI prompt actions. For example: `search for a product named "laptop" and add it to cart;open the profile tab and update email;review cart and proceed to checkout;open settings and enable notifications`. Each action corresponds by position to a name in `OSTORLAB_UI_PROMPT_NAMES`.
- `OSTORLAB_API_SCHEMA` - The path to the API schema file to be used for the scan.
- `OSTORLAB_FILTERED_URL_REGEXES` - A space-separated list of regular expressions to exclude URLs from the scan.
- `OSTORLAB_PROXY` - Specifies the proxy settings for the scan.
- `OSTORLAB_QPS` - Specifies the queries-per-second limit for the scan.

Note: The number of names and actions must match, and each name/action pair is positional.
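The formats above are easy to get subtly wrong (a three-field web credential, a prompt name without a matching action), and a misconfigured job wastes a scan slot or silently runs with fewer test accounts than intended. The following pre-flight check is an added example, not part of this repository or of `run_ostorlab.sh`: it validates the variables against the rules described on this page before the scan job runs. The sample environment is constructed and the API key value is a placeholder.

```python
PLATFORMS = {"android", "ios", "link"}

def parse_credentials(value, web):
    """Split OSTORLAB_CREDENTIALS ('login,password[,role,url];...') into tuples;
    web scans need all four fields, mobile scans exactly login,password."""
    creds = []
    for item in filter(None, value.split(";")):
        fields = item.split(",")
        if len(fields) != (4 if web else 2):
            raise ValueError(f"bad {'web' if web else 'mobile'} credential entry: {item!r}")
        creds.append(tuple(fields))
    return creds

def parse_ui_prompts(names, actions):
    """Pair OSTORLAB_UI_PROMPT_NAMES with OSTORLAB_UI_PROMPT_ACTIONS by position."""
    name_list = [n for n in names.split(";") if n]
    action_list = [a for a in actions.split(";") if a]
    if len(name_list) != len(action_list):
        raise ValueError(f"{len(name_list)} prompt names but {len(action_list)} actions")
    return dict(zip(name_list, action_list))

def validate(env):
    """Pre-flight check of the scan variables; returns a summary dict or raises ValueError."""
    platform = env.get("OSTORLAB_PLATFORM", "")
    if platform not in PLATFORMS:
        raise ValueError(f"OSTORLAB_PLATFORM must be one of {sorted(PLATFORMS)}")
    if not env.get("OSTORLAB_API_KEY"):
        raise ValueError("OSTORLAB_API_KEY is not set (add it as a masked CI/CD variable)")
    web = platform == "link"
    # Web scans target a space-separated URL list, mobile scans a single APK/IPA path.
    targets = env.get("OSTORLAB_URLS", "").split() if web else [env.get("OSTORLAB_FILE_PATH", "")]
    if not any(targets):
        raise ValueError("OSTORLAB_URLS (web) or OSTORLAB_FILE_PATH (mobile) is mandatory")
    return {
        "platform": platform,
        "targets": targets,
        "credentials": parse_credentials(env.get("OSTORLAB_CREDENTIALS", ""), web),
        "ui_prompts": parse_ui_prompts(env.get("OSTORLAB_UI_PROMPT_NAMES", ""), env.get("OSTORLAB_UI_PROMPT_ACTIONS", "")),
    }

# Constructed sample mirroring the web-scan variables above; the API key is a placeholder.
SAMPLE_WEB_ENV = {
    "OSTORLAB_API_KEY": "placeholder-api-key",
    "OSTORLAB_PLATFORM": "link",
    "OSTORLAB_URLS": "https://example1.com https://example2.com",
    "OSTORLAB_CREDENTIALS": "user1,pass1,admin,https://example1.com;user2,pass2,user,https://example2.com",
    "OSTORLAB_UI_PROMPT_NAMES": "shop;profile;cart;settings",
    "OSTORLAB_UI_PROMPT_ACTIONS": "search for a product named 'laptop' and add it to cart;open the profile "
    "tab and update email;review cart and proceed to checkout;open settings and enable notifications",
}
```

Run it as a script step before `run_ostorlab.sh` with `validate(dict(os.environ))`; a `ValueError` fails the job before any scan is submitted.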
Example to use for your `.gitlab-ci.yml` to scan a Mobile application:

```yaml
stages:
  - build
  - test

build:
  stage: build
  script:
    # Pre steps to build
    - ./gradlew assembleDebug
  artifacts:
    paths:
      - app/build/outputs/

runScanOstorlab:
  stage: test
  image: ostorlab/gitlab-ci
  # OSTORLAB_API_KEY is read from the project's CI/CD variables (Settings > CI/CD > Variables).
  variables:
    OSTORLAB_FILE_PATH: app/build/outputs/apk/debug/app-debug.apk
    OSTORLAB_PLATFORM: android
  script:
    - run_ostorlab.sh
```
Example to use for your `.gitlab-ci.yml` to scan a Mobile application with test credentials and SBOM files:

```yaml
stages:
  - build
  - test

build:
  stage: build
  script:
    # Pre steps to build
    - ./gradlew assembleDebug
  artifacts:
    paths:
      - app/build/outputs/

runScanOstorlab:
  stage: test
  image: ostorlab/gitlab-ci
  variables:
    OSTORLAB_FILE_PATH: app/build/outputs/apk/debug/app-debug.apk
    OSTORLAB_PLATFORM: android
    OSTORLAB_CREDENTIALS: user1,pass1;user2,pass2
    OSTORLAB_SBOM_FILES: /path/to/sbom1.json /path/to/sbom2.json
    OSTORLAB_UI_PROMPT_NAMES: "shop;profile;cart;settings"
    OSTORLAB_UI_PROMPT_ACTIONS: "search for a product named 'laptop' and add it to cart;open the profile tab and update email;review cart and proceed to checkout;open settings and enable notifications"
    OSTORLAB_UI_PROMPT_IDS: "123;456"
  script:
    - run_ostorlab.sh
```
Example to use for your `.gitlab-ci.yml` to scan a Web application:

```yaml
stages:
  - build
  - test

build:
  stage: build
  script:
    # Pre steps to build
    - ./gradlew assembleDebug
  artifacts:
    paths:
      - app/build/outputs/

runScanOstorlab:
  stage: test
  image: ostorlab/gitlab-ci
  variables:
    OSTORLAB_URLS: https://example1.com https://example2.com
    OSTORLAB_PLATFORM: link
    OSTORLAB_SCAN_PROFILE: 'Full Web Scan'
    OSTORLAB_CREDENTIALS: user1,pass1,admin,https://example1.com;user2,pass2,user,https://example2.com
    OSTORLAB_SBOM_FILES: /path/to/sbom1.json /path/to/sbom2.json
    OSTORLAB_UI_PROMPT_NAMES: "shop;profile;cart;settings"
    OSTORLAB_UI_PROMPT_ACTIONS: "search for a product named 'laptop' and add it to cart;open the profile tab and update email;review cart and proceed to checkout;open settings and enable notifications"
    OSTORLAB_UI_PROMPT_IDS: "123;456"
  script:
    - run_ostorlab.sh
```
To set the environment variables for your pipeline:

- Select the Settings option from your GitLab project.
- Select CI/CD.
- Select the Variables section to add environment variables for your pipeline. Store `OSTORLAB_API_KEY` and any test credentials here as masked variables rather than committing them to `.gitlab-ci.yml`.
Once the job is done, if you chose to wait for the scan result and break when the risk rating exceeds the threshold, the job fails if the scan's risk rating is equal to or higher than the threshold. Otherwise, the job succeeds with a line indicating the scan risk rating.