October 16, 2020

Securing the CI/CD pipeline in Pre-Production

Himanshu Dwivedi
By Himanshu Dwivedi

Data Theorem
api security app development application security appsec app security devops devsecops Full stack application security mobile app security security automation

A CI/CD pipeline automates your software delivery process. The pipeline builds code, runs tests (CI), and safely deploys a new version of the application (CD).

Automated pipelines remove manual errors, provide standardized feedback loops to developers, and enable fast product iterations to keep up with the modern pace of software development.

The following steps allow organizations to automatically scan pre-production releases of their mobiles apps using existing developer tools and processes. DevOps can fully automate the SDLC by integrating our API to existing CI/CD tools such as Travis CI, Jenkins, Bitrise, fastlane, Xcode server, etc.

Step 1: retrieving the Upload API key

First, you will need to retrieve your organization's Upload API key from the portal, at https://www.securetheorem.com/sdlc/api_access within the “API Key” section:

Step 2: configuring an upload step in CI/CD

Most CI/CD systems (Travis CI, Bitrise, CircleCI, etc.) allow running a bash script as a step within the CI pipeline. A new step should be added at the end of your existing mobile pipeline to upload the signed application binary (APK or IPA) to Data Theorem.

This new upload step requires:

  • The Upload API key retrieved in step 1 to be available in the CI system via the 

    DT_UPLOAD_API_KEY

     

    environment variable.

  • The path to the compiled and signed mobile binary to be available in the CI system via the

     

    SIGNED_BINARY_PATH

     

    environment variable.

The following bash script can then be used as the upload step:

Once the CI/CD uploads are enabled, pre-production scans will be completed automatically. Please note:

  • Scan alerts will still be sent when pre-production scans start and complete

  • Public app store releases will still be scanned as well

  • All results will be published to the portal (where pre-prod apps are labeled as “PreProd”)

Ready to automate security on your CI/CD pipeline?

Tweet Like Share
Top Tags
application security app development mobile app security appsec app security apple app store devops api security security automation devsecops security app store blockers High risk libraries SDKs Full stack application security web application security web app security privacy information security cloud security cloud


Recent Posts
Alban Diquet
What is "Stored" Log4Shell ?
By Alban Diquet
December 22, 2021
Himanshu Dwivedi
Mobile Apps and their SDKs
By Himanshu Dwivedi
November 6, 2020
Himanshu Dwivedi
Securing the CI/CD pipeline in Pre-Production
By Himanshu Dwivedi
October 16, 2020
Felicia Haggarty
Why Are APIs Important?
By Felicia Haggarty
September 17, 2020
Himanshu Dwivedi
Denied by Apple & Google
By Himanshu Dwivedi
September 8, 2020
Phillip Tennen
Ensuring Data Protection is Properly Enabled in Your iOS App
By Phillip Tennen
March 31, 2020
Phillip Tennen
Proactive iOS App Security Measures for 2020
By Phillip Tennen
January 16, 2020
Himanshu Dwivedi
Concerned About App Safety? 3 Tips for Protecting Privacy
By Himanshu Dwivedi
November 21, 2019
Felicia Haggarty
Lessons From the Trenches: Mobile AppSec Program
By Felicia Haggarty
October 31, 2019
Himanshu Dwivedi
Mobile App Security: App Store vs. Google Play
By Himanshu Dwivedi
September 30, 2019
Alban Diquet
Serverless versus Containers: A Real-World Case Study of Building a Microservice
By Alban Diquet
August 30, 2019

Security for DevOps: Enterprise Survey Report

ESG Analyst Report

ESG surveyed 371 IT and cybersecurity professionals with responsibility for cloud programs to weigh in on security.

Get the Report