
Ostorlab Security Scanner GitHub Integration

The Ostorlab Security Scanner GitHub Integration enhances mobile app development workflows by embedding automated security directly into the CI/CD pipeline. It offers a GitHub Action that scans mobile applications on every code push. It adds inline vulnerability insights directly to pull requests, highlighting the exact code changes that introduced issues and suggesting one-click fixes developers can apply without leaving GitHub.

Wed 21 May 2025

The Ostorlab Security Scanner GitHub Integration brings robust security directly into your mobile app development lifecycle. By seamlessly adding a dedicated step to your GitHub workflow, you can automatically trigger comprehensive security scans on the Ostorlab platform with every code change. The integration provides detailed summaries of security findings and leaves actionable comments directly on your Pull Requests, allowing your team to quickly identify and address vulnerabilities. Crucially, it pinpoints the exact code changes that introduced each vulnerability, empowering developers to remediate issues early and maintain a secure, efficient CI/CD pipeline.

Prequel: Ostorlab GitHub Action

The main goal of the Ostorlab GitHub Action is to trigger vulnerability scans for Android APKs, AABs, and iOS IPAs. These scans cover static, dynamic, and backend analysis and support the major frameworks, both native and multi-platform: Java, Kotlin, Objective-C, Swift, Flutter, Cordova, and Xamarin.

To integrate the Ostorlab GitHub Action into your workflow, you first need to generate an API key from the API keys menu. For full video documentation on how to do so, check the link.

Next, you simply need to add a step that triggers the scan to your existing workflow.

on: [push]
jobs:
  ostorlab_test:
    runs-on: ubuntu-latest
    name: Test ostorlab ci actions.
    steps:
        ...... Previous Build Steps
      - name: build ostorlab.apk
        run: mv built-app.apk ostorlab.apk
      - name: Launch Ostorlab scan
        id: start_scan
        uses: Ostorlab/ostorlab_actions@v2.1.0
        with:
          scan_profile: fast_scan # Specify which scan profile to use for the scan (check scan section).
          asset_type: android-apk # Type of asset to scan.
          target: ostorlab.apk # Path of the target to scan.
          scan_title: Github-CI-Scan # Title for your scan.
          ostorlab_api_key: ${{ secrets.ostorlab_api_key }} # Your secret API key, stored as a repository secret.
          break_on_risk_rating: HIGH # Wait for the scan results and fail the action if the scan risk reaches this rating.
          max_wait_minutes: 30 # Maximum time to wait for the scan results.
      - name: Get scan id
        run: echo "Scan Created with id ${{ steps.start_scan.outputs.scan_id }} you can access the full report at https://report.ostorlab.co/scan/${{ steps.start_scan.outputs.scan_id }}/"

The GitHub Action is designed to be simple and flexible: you can run it and forget, or configure it to break the pipeline automatically if a scan detects a high-risk issue. It supports scanning Android (APK, AAB) and iOS (IPA) applications with profiles ranging from fast static analysis to full scans that include dynamic and backend testing. You can also customize scan titles, set timeouts, and control behavior based on risk ratings. For the full list of available options and configuration values, please refer to the official documentation.

Sequel: Ostorlab Security Scanner GitHub Application

The Ostorlab Security Scanner GitHub App is designed to help developers improve their code security by providing actionable insights directly in Pull Requests. It integrates security into the development workflow with the main goal of pinpointing exactly what piece of code introduced the vulnerability, providing actionable insights and code suggestions that can be automatically committed. Its key features include:

  • Automated Security Scanning: Triggers Ostorlab vulnerability scans automatically when pull requests are created or updated.
  • Inline Security Feedback: Generates precise code fixes for identified vulnerabilities.
  • One-Click Remediation: Apply suggested fixes directly through the GitHub interface.

To enable these features, you first need to install the application by following the steps below:

  1. Navigate to the Ostorlab Security Scanner App on the GitHub marketplace.

    GitHub Marketplace

  2. Click on the Install for free button.

    Install for free

  3. Provide the necessary permissions:

    • Read & Write access to pull requests.
    • Metadata access for the repository.

    Provide permissions

For a full step-by-step guide on how to install the App, follow the documentation here.

Once the scan is over, a scan summary highlighting all the findings & their risk ratings will be generated & added to your Pull Request.

Scan summary on PR

In addition, vulnerabilities introduced by code in the current Pull Request will have comments with a brief description, fix recommendation & suggested code fix that can automatically be committed by clicking on the Commit Suggestion button.

Comment example on PR

Get Started Today

Security is easier when it’s part of the workflow. With Ostorlab’s GitHub Action and Application, you can automate mobile security, reduce review friction, and ship safer applications faster.

🔧 Add the GitHub Action 🔗 Install the GitHub App 📚 Read the full docs
