Announcing Ostorlab for Bitrise: Mobile security scans in your CI

Ostorlab now integrates with Bitrise to run automated mobile application security scans inside CI workflows. Using a Bitrise Secret plus a simple Script step, teams can install the Ostorlab CLI and run ostorlab ci-scan run against the same build artifacts produced by the pipeline (e.g., Android APK, Android AAB, or iOS IPA). The integration helps shift security left by shortening feedback loops and catching vulnerabilities earlier, with options to tailor scans via profiles (fast, full, agentic deep scan) and optional inputs like test credentials, SBOM, and UI prompts.

Fri 27 March 2026

Ostorlab now integrates with Bitrise so you can run automated mobile application security scans as part of your CI workflows, helping you catch vulnerabilities earlier and ship with more confidence.

With a Bitrise Secret plus a simple Script step, you can scan the same artifacts your pipeline produces (for example, an Android .APK or an iOS .IPA).

Why integrate mobile security scanning into Bitrise?

Modern mobile teams already rely on Bitrise to automate builds, tests, and releases. But when security checks live outside the pipeline, they tend to happen late (or inconsistently), creating last-minute delays and avoidable risk. Embedding scanning into CI shifts feedback earlier in the lifecycle, so issues can be fixed when they’re cheaper and faster to address.

What you can do with the Ostorlab x Bitrise integration

With the Bitrise integration, you can add Ostorlab scanning to an existing workflow using the approach Bitrise users already know: Secrets + a Script step. Concretely, the integration uses the Ostorlab CLI and runs ostorlab ci-scan run against the build artifact produced during the workflow (for example, the .APK path that Bitrise exposes).

You also have flexibility to tailor the scan to your needs:

  • Choose between scan profiles such as fast, full, and agentic deep scan, depending on how much depth you want in the pipeline run.
  • Scan the mobile artifact types listed in the integration guide (android-apk, android-aab, and ios-ipa).
  • Provide the optional inputs documented in the guide, such as test credentials, an SBOM, and UI prompts, for more advanced workflows.

How it works

The integration is designed to be straightforward to adopt:

  1. Generate an Ostorlab API key in your Ostorlab portal (API keys menu).
  2. Store the API key in Bitrise Secrets so it isn’t hardcoded into scripts.
  3. In the Bitrise Workflow Editor, add a Script step to the workflow you want to scan (e.g., your primary workflow).
  4. In that Script step, install the Ostorlab CLI and run ostorlab ci-scan run against the build artifact path produced by Bitrise (for example, an Android .APK).

If you want a concrete starting point, the integration guide shows a Script-step example that installs Ostorlab via pip and runs a scan command using your Secret and the artifact path variable exposed by Bitrise (e.g., BITRISE_APK_PATH).
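As an added illustration of the four steps above and of the profile/artifact choices described in the next section (this is not the integration guide's own snippet), here is a Script-step body in that shape. Only pip, the ostorlab ci-scan run command, and BITRISE_APK_PATH come from this post; the Secret name OSTORLAB_API_KEY, the Bitrise variables BITRISE_AAB_PATH and BITRISE_IPA_PATH, the profile values fast_scan and full_scan, and the --api-key and --scan-profile flags are assumptions to check against the guide and the output of ostorlab ci-scan run --help.

```shell
#!/usr/bin/env bash
# Added example (not Ostorlab's or Bitrise's own code): the body of a Bitrise
# Script step that installs the Ostorlab CLI and scans the artifact the
# preceding build step produced. OSTORLAB_API_KEY, BITRISE_AAB_PATH,
# BITRISE_IPA_PATH, the profile values and the CLI flags are assumptions;
# verify them against the integration guide before relying on this.
set -eu

# Fail fast if the Secret was not exposed to this workflow, so the step never
# runs an unauthenticated scan or prints a half-configured command to the log.
require_secret() {
  if [ -z "${OSTORLAB_API_KEY:-}" ]; then
    echo "OSTORLAB_API_KEY is empty: add it as a Bitrise Secret and expose it to this workflow" >&2
    return 1
  fi
}

# Set ASSET_TYPE and ARTIFACT_PATH from whichever artifact variable the build
# step exported (APK, then AAB, then IPA). Fails if none is present.
detect_artifact() {
  if [ -n "${BITRISE_APK_PATH:-}" ]; then
    ASSET_TYPE="android-apk"; ARTIFACT_PATH="$BITRISE_APK_PATH"
  elif [ -n "${BITRISE_AAB_PATH:-}" ]; then
    ASSET_TYPE="android-aab"; ARTIFACT_PATH="$BITRISE_AAB_PATH"
  elif [ -n "${BITRISE_IPA_PATH:-}" ]; then
    ASSET_TYPE="ios-ipa"; ARTIFACT_PATH="$BITRISE_IPA_PATH"
  else
    echo "no build artifact variable is set; place this step after the build step" >&2
    return 1
  fi
}

main() {
  # Assumed profile values: fast_scan for quick PR feedback, full_scan for releases.
  profile="${OSTORLAB_SCAN_PROFILE:-fast_scan}"

  require_secret
  detect_artifact
  if [ ! -f "$ARTIFACT_PATH" ]; then
    echo "artifact not found: $ARTIFACT_PATH" >&2
    return 1
  fi

  pip install --upgrade --quiet ostorlab

  # Log the command with the key redacted; the real key only travels as an
  # argument built from the Secret, never from a hardcoded string.
  echo "Running: ostorlab --api-key=<redacted> ci-scan run --scan-profile=$profile $ASSET_TYPE $ARTIFACT_PATH"
  ostorlab --api-key="$OSTORLAB_API_KEY" ci-scan run \
    --scan-profile="$profile" "$ASSET_TYPE" "$ARTIFACT_PATH"
}

# Only start a scan when Bitrise has exported an artifact path; sourcing this
# file elsewhere just defines the functions for reuse.
if [ -n "${BITRISE_APK_PATH:-}${BITRISE_AAB_PATH:-}${BITRISE_IPA_PATH:-}" ]; then
  main
fi
```

The two checks are the part worth copying even if the command line differs: the step refuses to run when the Secret is missing, and it resolves the artifact from the variable the build step actually exported rather than a hardcoded path, so the scan always targets the build the pipeline is about to ship.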

Customize scans for your pipeline

Depending on how you structure your releases and what checks you want in CI, you can configure the scan command using CLI flags and environment variables documented in the integration page. This includes selecting a scan profile (fast vs full), choosing which artifact type you’re scanning (APK/AAB/IPA), and optionally providing additional inputs (like SBOM) or guidance (like UI prompts) when needed.

Get started

To enable the integration and follow the exact setup steps, head to the Bitrise integration guide in Ostorlab docs:
https://docs.ostorlab.co/integrations/bitrise/index.html