CI/CD Systems

With the CI/CD script, application security analysis can be integrated into the continuous integration and delivery (CI/CD) process. During script execution, the application to be scanned is sent to the system for analysis. The output is a JSON file with detailed results.

Installation Options

DockerHub

You can install the package using the docker image:

docker pull mobilesecurity/mdast_cli:release-x

Note: The release version is specified in the release-x, where x is the current version. Please check this information with the vendor or on the official website.

The pip package manager

It is possible to install the package using pip:

pip install mdast_cli

With this method, it is possible to run a scan without specifying a Python interpreter using the mdast_cli command, for example:

mdast_cli -h

In all the following examples, this approach is used.

Source code

It is also possible to load the source files and run the main script directly:

python3 mdast_cli/mdast_scan.py -h

With this startup method, you should additionally install the packages listed in the requirements.txt file.

Launch Options

Several launch options are supported:

  • Analysis of an application with the apk file placed locally;
  • Analysis of an application from the HockeyApp system;
  • Analysis of an application from the AppCenter system;
  • Analysis of an application from the Nexus Repository 3.x system.

Launch Parameters

The launch parameters depend on the location of the apk file to be sent for analysis. Also, there are some mandatory parameters that must be specified for any type of launch:

  • url — Mobix network address (path to the root directory without the last "/"), when using the cloud version — https://saas.mobix.one;
  • profile_id — The analysis is performed for the profile with this id;
  • testcase_id — id of the test case reproduced during the analysis. Several test cases can be run; to do so, list their ids separated by spaces. This is an optional parameter. If it is not set, a manual scan will be started, stopped after 20 seconds, and the data sent for analysis;
  • token — CI/CD token for access, see the Integration section for more information;
  • distribution_system — Method to load the application. The possible options are: file, appcenter, hockeyapp. These methods are described in more detail below in their corresponding sections;
  • company_id — Specifies the identifier of the company where the scan is performed;
  • architecture_id — This is an optional parameter. Specifies the identifier of the operating system architecture where the scanning is performed;
  • nowait — Optional parameter that determines whether to wait for the scan to complete. If this flag is set, the script won't wait for the scan to complete, but exits immediately after launching it. If the flag is not set, the script will wait for the analysis process to complete and generate a report;
  • summary_report_json_file_name — This is an optional parameter. Specifies the name of the JSON file into which the scanning information is saved in JSON format. If the parameter is missing, the information will not be saved in JSON;
  • pdf_report_file_name — This is an optional parameter. Specifies the name of the PDF file into which the scanning information is saved in PDF format. If the parameter is missing, the PDF report will not be saved.

Local Launch

This kind of launch implies that the apk file of the application to be analyzed is placed locally, next to the script (on the same system). To select this method, the distribution_system parameter must be set to file. In this case the file_path parameter (the path to the apk file) is mandatory.

To run a local file analysis:

mdast_cli \
--distribution_system file \
--file_path "/files/demo/apk/demo.apk" \
--url "https://saas.mobix.one" \
--profile_id 1 \
--testcase_id 4 \
--company_id 1 \
--architecture_id 1 \
--token "token_value"

This will run an automated analysis of the demo.apk application with the id 1 profile and will run a test case with id 4.

Launch without waiting for the scan to complete:

mdast_cli \
--distribution_system file \
--file_path "/files/demo/apk/demo.apk" \
--url "https://saas.mobix.one" \
--profile_id 1 \
--testcase_id 4 \
--company_id 1 \
--architecture_id 1 \
--token "token_value" \
--nowait

This will run an automated analysis of the demo.apk application with the id 1 profile. The test case with id 4 will be launched. The script will terminate immediately after the scan starts; it will not wait for the scan to finish and will not generate a report.

Summary report creation in JSON format:

mdast_cli \
--distribution_system file \
--file_path "/files/demo/apk/demo.apk" \
--url "https://saas.mobix.one" \
--profile_id 1 \
--testcase_id 4 \
--company_id 1 \
--architecture_id 1 \
--token "token_value" \
--summary_report_json_file_name json-scan-report.json

This will run an automated analysis of the demo.apk application with the id 1 profile. The test case with id 4 will be launched. When the scan is completed, a JSON report with the total number of defects and brief statistics on the scan will be uploaded.
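As an added example that is not part of mdast_cli or its documentation, the following Python wrapper assembles the local-launch command from the parameters above, reads the CI/CD token from an environment variable (MDAST_TOKEN, an assumed name) instead of writing it into the pipeline definition, and fails the build from the JSON summary. The report field name defects_total is a hypothetical placeholder, since the page does not describe the report layout, and the non-zero-exit convention for mdast_cli is likewise an assumption.

```python
import json
import os
import subprocess

REPORT_NAME = "json-scan-report.json"
DEFECT_KEY = "defects_total"  # hypothetical field name; align with the real report

def build_scan_command(apk_path, url, profile_id, company_id, token,
                       testcase_ids=(), architecture_id=None,
                       report_name=REPORT_NAME):
    """Argv for a local (distribution_system=file) launch; mandatory params
    follow the Launch Parameters section, test case ids are space-separated."""
    cmd = [
        "mdast_cli",
        "--distribution_system", "file",
        "--file_path", str(apk_path),
        "--url", url.rstrip("/"),  # root address without the trailing "/"
        "--profile_id", str(profile_id),
        "--company_id", str(company_id),
        "--token", token,
        "--summary_report_json_file_name", report_name,
    ]
    if testcase_ids:  # each id is its own argv item
        cmd += ["--testcase_id", *[str(t) for t in testcase_ids]]
    if architecture_id is not None:
        cmd += ["--architecture_id", str(architecture_id)]
    return cmd

def defects_in_report(report_text, key=DEFECT_KEY):
    """Read the defect count from the summary JSON text (field name assumed)."""
    value = json.loads(report_text).get(key)
    if isinstance(value, bool) or not isinstance(value, int) or value < 0:
        raise ValueError(f"summary report lacks a non-negative integer {key!r}")
    return value

def build_may_proceed(report_text, max_defects=0):
    """Gate: True when the reported defect count is within the budget."""
    return defects_in_report(report_text) <= max_defects

def run_scan_and_gate(apk_path, max_defects=0, runner=subprocess.run):
    """CI entry point: token from the environment, scan, then gate the build."""
    token = os.environ.get("MDAST_TOKEN")
    if not token:
        raise RuntimeError("MDAST_TOKEN is not set; refusing to scan")
    cmd = build_scan_command(apk_path, "https://saas.mobix.one", 1, 1, token,
                             testcase_ids=(4,), architecture_id=1)
    runner(cmd, check=True)  # assumption: non-zero exit means the scan failed
    with open(REPORT_NAME, encoding="utf-8") as fh:
        return build_may_proceed(fh.read(), max_defects)
```

A pipeline job would call run_scan_and_gate("/files/demo/apk/demo.apk") and treat a False return or an exception as a failed stage.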