AppSweep allows developers to analyze their mobile app for potential security issues. This process can be automated by triggering the analysis from within your Continuous Integration (CI) pipeline with Bitrise. For this, we have built a Bitrise step that will automatically fetch your built application and then upload it to AppSweep. Doing so enables you to continuously scan your application for security issues, without any manual steps. AppSweep also provides an intuitive UI to drill down into the scan details to quickly navigate to the relevant findings for specific builds.
Before diving into the integration with Bitrise, you should create an API key for your project. This can be easily done inside your project’s settings page in AppSweep. Once you have created such a key, save it for use in a later step of this tutorial.
In order to upload your application to AppSweep, you need to have our Gradle plugin installed in your app build. When using our Bitrise integration, the plugin is injected automatically into your Gradle configuration so you don’t have to worry about it as long as your project has a default structure. However, you can also install the Gradle plugin yourself using our documentation.
Automating the scan in your Bitrise workflow is fairly simple and straightforward. You start by adding the API Key you created for your project into Bitrise as a secret. To do this, you should go to your workflow, press edit, and then you should see on top a Secrets tab. Inside this tab, you add the previously generated key with a name of your own choice.
After the secrets are set up, you need to add our Bitrise step into your workflow. For this, you must go back to the Workflows tab and scroll to where you wish to scan your app (as long as it is built since AppSweep takes a built app) and press the + button. A window will pop up where you can search for appsweep to find our Bitrise step:
By clicking on it, the AppSweep scan step will be added to your pipeline and you’ll see the configurations for the step:
After configuring the AppSweep step you can rebuild the pipeline and your application will be automatically uploaded for scanning. The logs will contain the link for the AppSweep build. However, it is also possible to print this information to other platforms like Slack or send an email to the developers.
After configuring the pipeline steps, your pipeline automatically uploads your application to AppSweep whenever the pipeline is executed (e.g. for each commit, release, nightly test, etc…). In the AppSweep UI you will see all scans, chronologically ordered. Clicking on the most recent build allows you to explore the detailed results of your last pipeline execution.
Developers in your team will no longer have to worry about manually uploading their app into AppSweep. Instead, everytime the pipeline is triggered (i.e. a pull request) it will automatically upload your app to AppSweep for scanning. This way they can immediately see which issues and vulnerabilities their app contains and easily fix them by applying the provided recommendations.