Wed 21 May 2025
Ostorlab Security Scanner GitHub Integration
The Ostorlab Security Scanner GitHub Integration brings robust security directly into your mobile app development lifecycle. By seamlessly adding a dedicated step to your GitHub workflow, you can automatically trigger comprehensive security scans on the Ostorlab platform with every code change. The integration provides detailed summaries of security findings and leaves actionable comments directly on your Pull Requests, allowing your team to quickly identify and address vulnerabilities. Crucially, it pinpoints the exact code changes that introduced each vulnerability, empowering developers to remediate issues early and maintain a secure, efficient CI/CD pipeline.
Prequel: Ostorlab GitHub Action
The main goal of the Ostorlab GitHub Action is to trigger vulnerability scans for Android APKs, AABs, and iOS IPAs. These scans cover static, dynamic, and backend analysis and support major frameworks, both native and multi-platform. This includes Java, Kotlin, Objective-C, Swift, Flutter, Cordova, and Xamarin.
To integrate Ostorlab's GitHub Action into your workflow, you first need to generate an API key from the API keys menu. For full video documentation on how to do so, check the link.
Next, you simply need to add a step to trigger the scan on your existing workflow.
on: [push]
jobs:
  ostorlab_test:
    runs-on: ubuntu-latest
    name: Test ostorlab ci actions.
    steps:
      # ... previous build steps
      - name: build ostorlab.apk
        run: mv built-app.apk ostorlab.apk
      - name: Launch Ostorlab scan
        id: start_scan
        uses: Ostorlab/ostorlab_actions@v2.1.0
        with:
          scan_profile: fast_scan # Specify which scan profile to use for the scan (check scan section).
          asset_type: android-apk # type of asset to scan.
          target: ostorlab.apk # path of the target to scan.
          scan_title: Github-CI-Scan # type a title for your scan.
          ostorlab_api_key: ${{ secrets.ostorlab_api_key }} # your secret api key.
          break_on_risk_rating: HIGH # Wait for the scan results and force the action to fail if the scan risk is higher.
          max_wait_minutes: 30
      - name: Get scan id
        run: echo "Scan Created with id ${{ steps.start_scan.outputs.scan_id }} you can access the full report at https://report.ostorlab.co/scan/${{ steps.start_scan.outputs.scan_id }}/"
The GitHub Action is designed to be simple and flexible: you can run it and forget, or configure it to break the pipeline automatically if a scan detects a high-risk issue. It supports scanning Android (APK, AAB) and iOS (IPA) applications with profiles ranging from fast static analysis to full scans that include dynamic and backend testing. You can also customize scan titles, set timeouts, and control behavior based on risk ratings.
For the full list of available options and configuration values, please refer to the official documentation.
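As an added illustration (not Ostorlab's code) of how the break_on_risk_rating and max_wait_minutes inputs interact in a CI gate, the following models a step that polls for scan results, fails when a finding reaches the configured rating, and treats running out of wait budget as a failure. The rating scale, the polling stand-in and the timeout policy are assumptions, not the action's documented behavior.

```python
"""Added example: a CI gate modelled on break_on_risk_rating / max_wait_minutes."""
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Assumed ordinal scale, lowest to highest severity (not Ostorlab's official scale).
RISK_ORDER = ["LOW", "MEDIUM", "HIGH", "CRITICAL"]

@dataclass
class ScanStatus:
    done: bool
    findings: Tuple[Tuple[str, str], ...]  # (rating, title) pairs

def highest_rating(findings) -> Optional[str]:
    """Return the most severe rating present, or None if there are no findings."""
    ratings = [r for r, _ in findings if r in RISK_ORDER]
    return max(ratings, key=RISK_ORDER.index) if ratings else None

def should_break(findings, break_on: str) -> bool:
    """True when any finding is at or above the configured break rating."""
    top = highest_rating(findings)
    return top is not None and RISK_ORDER.index(top) >= RISK_ORDER.index(break_on)

def gate(poll: Callable[[], ScanStatus], break_on: str,
         max_wait_minutes: int, poll_interval_minutes: int = 1) -> str:
    """Poll until the scan finishes or the wait budget is exhausted.

    Returns 'pass', 'fail' (threshold reached) or 'timeout'. A real step would
    sleep between polls; here the interval only advances the time budget.
    Treating 'timeout' as a failed step is a fail-closed assumption.
    """
    elapsed = 0
    while elapsed <= max_wait_minutes:
        status = poll()
        if status.done:
            return "fail" if should_break(status.findings, break_on) else "pass"
        elapsed += poll_interval_minutes
    return "timeout"

def fake_scan(finishes_after_polls: int, findings) -> Callable[[], ScanStatus]:
    """Constructed stand-in for the scan API: reports done after N polls."""
    calls = {"n": 0}
    def poll() -> ScanStatus:
        calls["n"] += 1
        return ScanStatus(done=calls["n"] >= finishes_after_polls, findings=findings)
    return poll

if __name__ == "__main__":
    # Constructed findings: one medium issue, so a HIGH threshold lets the build pass.
    print(gate(fake_scan(2, (("MEDIUM", "Cleartext traffic allowed"),)), "HIGH", 30))
```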
Sequel: Ostorlab Security Scanner GitHub Application
The Ostorlab Security Scanner GitHub App is designed to help developers improve their code security by providing actionable insights directly in Pull Requests. It integrates security into the development workflow with the main goal of pinpointing exactly which piece of code introduced the vulnerability, providing actionable insights and code suggestions that can be automatically committed.
Its key features include:
- Automated Security Scanning: Triggers Ostorlab vulnerability scans automatically when pull requests are created or updated.
- Inline security feedback: Generates precise code fixes for identified vulnerabilities.
- One-Click Remediation: Apply suggested fixes directly through the GitHub interface.
To enable these features, you first need to install the application by following the steps below:
- Navigate to the Ostorlab Security Scanner App on the GitHub marketplace.
- Click on the Install for free button.
- Provide the necessary permissions:
  - Read & Write access to pull requests.
  - Metadata access for the repository.
For a full step-by-step guide on how to install the App, follow the documentation here.
Once the scan is over, a scan summary highlighting all the findings & their risk ratings will be generated & added to your Pull Request.
In addition, vulnerabilities introduced by code in the current Pull Request will have comments with a brief description, fix recommendation & suggested code fix that can automatically be committed by clicking on the Commit Suggestion button.
Get Started Today
Security is easier when it’s part of the workflow. With Ostorlab’s GitHub Action and Application, you can automate mobile security, reduce review friction, and ship safer applications faster.