February 24, 2022
Why integrate with Jenkins?
AppSweep allows developers to analyze their mobile app for potential security issues. This process can be automated by triggering the analysis from within your Continuous Integration (CI) pipeline with Jenkins. Doing so enables you to continuously scan your application for security issues, without any manual steps. AppSweep also provides an intuitive UI to drill down into the scan details to quickly navigate to the relevant findings for specific builds.
How to set up the AppSweep Jenkins Integration
In order to integrate with Jenkins, the following two things need to be set up:
- The AppSweep Gradle plugin needs to be set up for your app. This ensures apps are automatically uploaded for scanning.
- An AppSweep API Key needs to be set up for your project.
This tutorial will show you how to implement this logic in your Jenkins pipeline and how you can view the results.
Set up the AppSweep Gradle plugin
Our Gradle plugin is published in the Gradle Public Repository, and can thus be easily added to your Android project by adding the following to yourapp/build.gradle:
Note: the dynamic versionlatest.releaserequires at least Gradle 7. If you want to build with an older Gradle version, you need to specify a version number. The latest version number can be found in the Gradle Plugins Portal.
Next, you need to configure the plugin by providing an API key for your project. You can create an API key via your AppSweep project settings page.
The key can be easily tested locally with:
APPSWEEP_API_KEY=gs_appsweep_SOME_API_KEY ./gradlew uploadToAppSweepDebugIf you are using Git as a version control system, the AppSweep Gradle plugin attaches the commit hashes automatically to the scan. For other systems (like Mercurial or Subversion) or if you want further customization options please check our plugin documentation.
Automating the scanning process with a Jenkinsfile
When building and uploading your application into AppSweep, you need to add one new stage into your pipeline. This tutorial assumes that the proper environment (i.e. Android, Gradle, etc…) is already set up in your Jenkins pipeline and you have already stored the AppSweep API key as a Jenkins credential. It is also important to remember that the Gradle plugin will use the environment variable named APPSWEEP_API_KEY as the API key to associate your build with the project created in AppSweep.
The following snippet uploads the built APK to AppSweep automatically:
stages {
stage('Upload To AppSweep') {
steps {
dir(PROJECT_DIR) {
withCredentials([string(credentialsId: 'appsweep-api-key',
variable: 'appsweep_key')]) {
withEnv(["APPSWEEP_API_KEY=$appsweep_key"]){
sh(script: "./gradlew uploadToAppSweepDebug", returnStdout: true)
}
}
}
}
}
}If you wish to change it into the release build all you need to do is change the command into./gradlew uploadToAppSweepRelease.
View the results
After configuring the pipeline steps, your pipeline automatically uploads your application to AppSweep whenever it runs (e.g. for each commit, release, nightly test, etc…). In the AppSweep UI you will see all scans, chronologically ordered. Clicking on the most recent build allows you to explore the detailed results of your last pipeline execution.
Developers in your team no longer have to worry about manually uploading their app into AppSweep. Instead, they just have to trigger the pipeline and afterwards open up the corresponding AppSweep project. There they can immediately see which issues and vulnerabilities their app contains and easily fix them by applying the recommendations provided.
