Skip to content

Ostorlab Github Actions to complement your CI/CD with Security Testing.

License

Notifications You must be signed in to change notification settings

Ostorlab/ostorlab_actions

Use this GitHub action with your project
Add this Action to an existing workflow or create a new one
View on Marketplace

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

46 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Ostorlab Github Action

Ostorlab ci_can for GithubAction

Ostorlab scans mobile applications (Android APK, AAB, iOS IPA) for security and privacy issues. It provides full coverage by detecting issues on both the client-side and service-side, covering both the application code and all of its dependencies.

Ostorlab supports all major frameworks, both native and multi-platform. This includes Java, Kotlin, Objective C, Swift, Flutter, Cordova, React Native, Ionic and Xamarin.

Ostorlab provides both static and dynamic analysis capabilities, detecting over 500 vulnerability classes, like hardcoded secrets, privacy data leakage, untrusted input inject, outdated dependencies with a database of over 120k known vulnerable dependency.

Getting Started

To use Ostorlab Github Action, the first step is to generate an API key. To do so, simply follow the following steps:

  1. Go to the API keys menu
  2. Click the new button to generate a new key
  3. Copy the api key (You can add a name and an expiry date to your key)
  4. Click the save button to save your key (You can add a name and an expiry date to your key), do not forget to click the save button to save your key.

api key

Once you have generated your API, add it to GitHub Secrets. Make sure the name matches the secrets. in the YAML file. You follow these steps for more detailed instructions Github:Creating encrypted secrets for a repository

The next steps is to a update your workflow to add an Ostorlab step to trigger the scan. Below is a sample performing a rapid scan on an Android APK and failing the pipeline on vulnerabilities with HIGH severity.

on: [push]
jobs:
  ostorlab_test:
    runs-on: ubuntu-latest
    name: Test ostorlab ci actions.
    steps:
      - uses: actions/checkout@v2
      - name: build ostorlab.apk
        run: mv InsecureBankv2.apk ostorlab.apk
      - name: Launch Ostorlab scan
        id: start_scan
        uses: Ostorlab/[email protected]
        with:
          scan_profile: fast_scan # Specify which scan profile to use for the scan (check scan section).
          asset_type: android-apk # type of asset to scan.
          target: ostorlab.apk # path for target tto scan.
          scan_title: title_scan_ci # type a title for your scan.
          ostorlab_api_key: ${{ secrets.ostorlab_api_key }} # your secret api key.
          break_on_risk_rating: HIGH # Wait for the scan results and force the action to fail if the scan risk is higher
          max_wait_minutes: 30
      - name: Get scan id
        run: echo "Scan Created with id ${{ steps.start_scan.outputs.scan_id }} you can access the full report at https://report.ostorlab.co/scan/${{ steps.start_scan.outputs.scan_id }}/"

Sbom/Lock Files

You can supply your SBOM/Lock files to enhance the scan analysis, to do so use the extra input to pass --sbom***, for example to add package-lock.json file use the following example:

extra:  --sbom package-lock.json

Here you can see the list of the supported files:

  • buildscript-gradle.lockfile
  • Cargo.lock,
  • composer.lock,
  • conan.lock,
  • Gemfile.lock,
  • go.mod,
  • gradle.lockfile,
  • mix.lock,
  • Pipfile.lock,
  • package-lock.json,
  • packages.lock.json,
  • pnpm-lock.yaml,
  • poetry.lock,
  • pom.xml,
  • pubspec.lock,
  • requirements.txt,
  • yarn.lock,

Test Credentials

Ostorlab supports performing authenticated testing with either simple login password or custom inputs identified with name/label and passing value.

To pass test credentials, since the Github YAML Action do not support passing complex objects, you can use the extra input to pass --test-credetials-***. For instance to add login/password and a custom credentials with custom names and values, add the following input:

extra: --test-credentials-login test_login --test-credentials-password test_pass --test-credentials-role ci_role --test-credentials-name foo1 --test-credentials-value bar1 --test-credentials-name foo2 --test-credentials-value bar2

Action inputs

The Github actions the following options:

  • scan_profile (['fast_scan', 'full_scan']): [Required] - Specifies the scan profile ( fast_scan for fast static only analysis and full_scan for full static, dynamic and backend coverage).
  • asset_type (['android-apk', 'android-aab', 'ios-ipa']): [Required] - Target asset, Ostorlab supports APK, AAB and IPA.
  • target: [Required] - target file to scan.
  • ostorlab_api_key: [Required] - API Key from Ostorlab portal.
  • scan_title: [Optional] - A scan title to identify your scan.
  • break_on_risk_rating (['HIGH', 'MEDIUM', 'LOW','POTENTIALLY]): [Optional] - Wait for the scan results and force the action to fail if the risk rating match or is higher than the provided value.
  • max_wait_minutes: [Optional] - Max wait time in minutes, pipeline will not fail if the scan times out.
  • extra: [Optional] - Extra argument flags to pass to the Ostorlab ci-scan CLI. Common use case is passing the scan test credentials.

Action outputs

  • scan_id - The scan id is accessible using the following syntax ${{ steps.STEP_ID.outputs.scan_id }}.

More details

About

Ostorlab Github Actions to complement your CI/CD with Security Testing.

Resources

License

Stars

Watchers

Forks

Packages

No packages published