February 23, 2022

    Integrating AppSweep and GitHub to Automate Your Mobile App Security Testing

    Why integrate with GitHub?

    Integrating AppSweep, Guardsquare’s mobile application security testing tool, with GitHub allows developers to automatically analyze their mobile app for potential security issues. AppSweep can detect potential issues like insecure communication, poor cryptography, and more.

    By automating your mobile testing process, security testing is automatically triggered from within your Continuous Integration pipeline, and your team can quickly see links to your scan results directly attached to a pull request. This ensures you have instant, actionable feedback to improve the security posture of your mobile application.

    How to set up the AppSweep GitHub Integration

    In order to integrate with GitHub three things need to be set up:

    1. The AppSweep Gradle plugin needs to be used to build your app. This ensures apps are automatically uploaded for scanning.
    2. The AppSweep GitHub App needs to be installed on your GitHub account, which enables automated triggering of the app scan.
    3. The AppSweep App will need GitHub repository access enabled for AppSweep to post the results summary back.

    Setting up the AppSweep Gradle plugin

    Our AppSweep plugin is published in the Gradle Public Repository, and can be easily added to your Android project by adding the following to yourapp/build.gradle:

    Screenshot from 2022-02-11 08-47-41

    Note: the dynamic versionlatest.releaserequires at least Gradle 7. If you want to build with an older Gradle version, you need to specify a version number. The latest version number can be found in the Gradle Plugins Portal.

    Next, you need to configure the plugin by providing an API key for your project. You can create an API key in the API Keys section of your project settings on the AppSweep website.

    Screenshot from 2021-12-14 12-47-07

    The key can be easily tested locally with:

    APPSWEEP_API_KEY=gs_appsweep_SOME_API_KEY ./gradlew uploadToAppSweepDebug
    This schedules the app scan and shows the URL where to look for the results.

    AppSweep uses commit hashes in order to associate pull requests on GitHub to app scans. By using our AppSweep Gradle plugin, the commit hashes are automatically attached to the scan.

    There are more advanced configuration options for the Gradle plugin which are explained on  https://github.com/Guardsquare/appsweep-gradle.

     

    Automating the scanning process with a GitHub action workflow

    In order to automate the process, it is possible to use a simple GitHub action. The following action will trigger the AppSweep scan on each pull request to the branch with the workflow.

    .github/workflows/github-action-appsweep.yml
    name: AppSweep mobile application security testing
    on: [pull_request_target]
    jobs:
      upload-app-to-appsweep:
        runs-on: ubuntu-latest
        steps:
          - name: Check out repository code
            uses: actions/checkout@v2
                    
          - name: Upload app to AppSweep with Gradle
            env:
                APPSWEEP_API_KEY: $
            run: ./gradlew uploadToAppSweepRelease
    
    To not store the API key directly in your code, you should set a GitHub secretAPPSWEEP_API_KEYwhich will be picked up by the Gradle plugin.

    Reminder: The presented GitHub action is using the pull_request_target event which will be triggered if anyone creates a push request to the branch. For example, the presented workflow can be stored on the master; then, if someone makes a pull request, the workflow will be triggered. The pull_request_target event allows for GitHub secret access, which allows it to securely store API keys.

    Install the AppSweep App on your GitHub account

    Installing AppSweep on your GitHub account allows AppSweep to report the results back to GitHub, and attach them to the pull request. Installing it is very easy.

    Simply follow this link: https://appsweep.guardsquare.com/settings/integrations/github

    Screenshot from 2021-11-08 14-57-34

    After clicking the installation link, you will be redirected to the installation process inside GitHub. If you belong to any organization then you will be asked if you would like to install AppSweep on your personal account or for organization use.

    You will be asked to choose which GitHub repositories you would like to use AppSweep for. This permission allows AppSweep to access the chosen repositories (you will be asked to select one of the chosen repositories in the next step).

    After that just press the Install button.

    AppSweep-GH inatallation

    On the GitHub integration page inside AppSweep, you can then verify the successful installation of the GitHub app. You should see a green checkmark next to your GitHub login:

    Screenshot from 2021-11-08 15-23-48

    Now you can choose a repository to link with AppSweep. This list contains the set of all previously selected repositories.

    Screenshot from 2021-11-05 13-12-21

    After selecting the repository a green checkmark will be visible next to its name, indicating that the GitHub App was successfully installed for this repository.

    scan_completed

    Screenshot from 2021-11-05 13-09-26

    The integration with Github is complete. AppSweep is now able to post scan results back to GitHub.

    To fully automate this, you will now need to set up the Gradle plugin.

    Viewing AppSweep scan results in GitHub

    After configuring the AppSweep Gradle plugin, the GitHub action workflow, and the GitHub App, the results of a scan are posted directly to your GitHub repository. After creating a pull request, the action will schedule a scan of your application. Typically after a few minutes, the scan will be finished and the results of the scan will be visible in the pull request.

    ! It is essential that the pull request is created before the Gradle AppSweep task is executed. Otherwise, the result will not be attached to the pull request. !

    Immediately after the action triggers the Gradle task, you will see notifications that the checks are running:

    scan_in_progress

    Once it is finished, the display on GitHub is updated:

    github_action

    Entering the Details, you can see the details of the scan and a summary describing the detected issues in the Checks section.

    Screenshot from 2021-11-05 14-02-29-1

    To see the detailed findings for your scan, you can go directly to AppSweep by clicking View more details on AppSweep:

    Screenshot from 2021-11-17 11-36-53

    Reminder: The AppSweep GitHub App uses the commit hash to identify which commit the results should be attached to. Therefore, it is required to push this commit to GitHub before the analysis is finished. If the commit is not pushed yet, the results can still be viewed inside AppSweep.

    Release your app with confidence

    After completing these steps, you are now able to integrate AppSweep with GitHub, allowing you to access the results of an AppSweep scan on GitHub. By using the GitHub action, the workflow can be fully automated, and can be triggered during each pull request.

    Implementing this automated workflow will help you identify new risks in your app even before they are merged into the main codebase, ensuring you identify security risks early in the development process. By following the actionable recommendations AppSweep provides to fix the issues, you can quickly address potential security risks and release your app with confidence.

    Izabela Perenc - Software Engineer

    Find and fix security issues in your Android app’s code and dependencies with AppSweep.

    Scan your app for free >

    Other posts you might be interested in