Mon 06 April 2026
Ostorlab is now available in Harness CI, allowing teams to run mobile application security scans directly inside their CI pipelines. Teams can then identify vulnerabilities as part of the build process, without introducing separate workflows.
With a single Run step and secure authentication through Harness Secrets, teams can scan application artifacts directly from the pipeline workspace, keeping everything within the same CI environment.
Why integrate mobile security scanning into Harness CI?
CI pipelines already define how applications are built, tested, and released. However, security scanning often remains outside of that flow, making it harder to standardize and easier to delay.
As a result, security checks can become inconsistent across teams and are often performed too late in the release cycle, increasing the risk of last-minute issues.
What you can do with the Ostorlab x Harness integration
The integration is designed to fit naturally into existing Harness pipelines. It uses the same concepts teams already rely on, making adoption straightforward and easy to scale.
At its core, the pipeline executes the Ostorlab CLI and runs a ci-scan on the artifact produced during the build. The scan runs on the artifact using its path, such as $HARNESS_WORKSPACE/$APP_PATH, with configuration handled through environment variables.
Teams can tailor scans based on their needs, whether adjusting scan depth, selecting artifact types, or adding optional inputs for more advanced workflows.
How it works
The setup follows a simple flow:
- Generate an Ostorlab API key
- Store it in Harness Secrets
- Add an Ostorlab scan Run step to your pipeline
- Run ostorlab ci-scan run on the artifact in your workspace
The scan uses paths such as $HARNESS_WORKSPACE/$APP_PATH, allowing it to run directly on the output of your build without extra handling.
What’s included in the integration
The integration is built around standard Harness capabilities, making it easy to adopt without changing how pipelines are structured.
Ostorlab scans are executed through a Run step that installs and runs the CLI. Authentication is managed through Harness Secrets, with the pipeline referencing the secret through an expression such as <+secrets.getValue("OSTORLAB_API_KEY")>.
Artifacts are scanned directly from the pipeline workspace, and configuration is handled through environment variables such as scan title, profile, and artifact path. Both UI-based and YAML-based implementations are supported, enabling teams to manage security as part of their pipeline configuration.
In addition, teams can define risk thresholds within the Ostorlab platform to control how scans behave. This allows scans to be stopped based on detected risk levels, helping enforce security requirements as part of the overall workflow.
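As an added example, not code from the original post or from Ostorlab's own integration, here is a shell body that such a Run step could execute. It ties together the setup flow above (secret, Run step, ci-scan on the workspace artifact) and the configuration described in this section: the API key arrives in the environment from the Harness secret, the artifact path is built from $HARNESS_WORKSPACE/$APP_PATH, the inputs are validated before the CLI is called, and the command logged to the step output never contains the key. The CLI options --api-key, --type, --title and --scan-profile, the artifact type names, the fast_scan profile name and the pip package name are assumed from the Ostorlab CLI rather than taken from this page; SCAN_TITLE and SCAN_PROFILE are hypothetical environment variables chosen for this example.

```shell
#!/bin/sh
# Added example, not Ostorlab's or Harness's own integration code.
# Body of a Harness Run step. The API key is expected in OSTORLAB_API_KEY,
# injected by the step's envVariables from <+secrets.getValue("OSTORLAB_API_KEY")>,
# and the artifact lives at $HARNESS_WORKSPACE/$APP_PATH as in the post.
# Assumed (not on the page): the CLI options --api-key, --type, --title and
# --scan-profile, the artifact type names, the fast_scan profile and the pip package.

# Map the build output's extension to the artifact type name the CLI expects.
artifact_type() {
  case "$1" in
    *.apk) echo android-apk ;;
    *.aab) echo android-aab ;;
    *.ipa) echo ios-ipa ;;
    *) return 1 ;;
  esac
}

# Fail early with a clear message when the secret or the artifact is missing,
# instead of letting the CLI fail later with a less obvious error.
check_inputs() {
  if [ -z "${OSTORLAB_API_KEY:-}" ]; then
    echo "OSTORLAB_API_KEY is empty: reference the Harness secret in the step" >&2
    return 1
  fi
  if [ ! -f "$1" ]; then
    echo "artifact not found: $1" >&2
    return 1
  fi
  if ! artifact_type "$1" >/dev/null; then
    echo "unsupported artifact type: $1 (expected .apk, .aab or .ipa)" >&2
    return 1
  fi
}

# Build the ci-scan arguments without the key so the command can be logged safely;
# run_scan adds the key from the environment only at execution time.
scan_args() {
  printf 'ci-scan run --type %s --title "%s" --scan-profile %s "%s"\n' \
    "$(artifact_type "$1")" "$2" "$3" "$1"
}

# run_scan ARTIFACT TITLE PROFILE: validate inputs, log the redacted command, scan.
# Risk thresholds that stop the scan are configured on the Ostorlab platform,
# so no extra flag is needed here for that behaviour.
run_scan() {
  check_inputs "$1" || return 1
  echo "ostorlab $(scan_args "$1" "$2" "$3")"
  # The key is taken from the environment and never echoed into the step log.
  ostorlab --api-key "$OSTORLAB_API_KEY" ci-scan run \
    --type "$(artifact_type "$1")" --title "$2" --scan-profile "$3" "$1"
}

# Inside Harness, HARNESS_WORKSPACE is set; elsewhere only the functions are defined.
if [ -n "${HARNESS_WORKSPACE:-}" ]; then
  pip install --quiet --upgrade ostorlab
  run_scan "$HARNESS_WORKSPACE/$APP_PATH" "${SCAN_TITLE:-harness-build}" "${SCAN_PROFILE:-fast_scan}"
fi
```

In a YAML-defined pipeline the same script goes into the Run step's command, with OSTORLAB_API_KEY and APP_PATH supplied through the step's environment variables; keeping the key out of the echoed command is what lets the step log stay shareable.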
Adapting scans to your workflow
Scans can be customized to match different pipeline requirements. Teams can choose a scan profile according to the speed and depth they need, and scan various artifact types including Android APK, AAB, and iOS IPA.
Additional options are available for more advanced use cases, such as providing test credentials, generating SBOMs, or guiding scans through UI prompts.
Because all configuration is handled within the pipeline, teams can adapt scanning behavior without changing their overall workflow structure.
Get started
To enable the integration and follow the exact setup steps, see the Harness integration guide.
Tags:
Mobile Security, CI/CD, DevSecOps, Harness, Ostorlab, AppSec, Security Automation, CI Scanning