I am triggering builds from a server and need to run a security scan with the build artifact. I have successfully started the security scan using Bitrise but I’d like to be able to set and retrieve the ID of the security scan.
Is there any way to handle a response and set a variable that I can grab via one of the APIs?
I’ve tried using envman but anything I set does not get reflected when grabbing the build from GET /apps/{app-slug}/builds/{build-slug}. I realize I can log it and parse through GET /apps/{app-slug}/builds/{build-slug}/log but that feels like a non-optimal solution.
Hi @reade-contentsquare
I’d like to be able to set and retrieve the ID of the security scan.
What do you need that for / how do you plan to use that if you can get it from the API?
The API might not be the easiest solution for your problem, so there might be a better/easier solution, but this is how you can do it via the API:
It’s not the easiest thing to do, depending on your needs there might be an easier solution, but it definitely works, using ~3 API calls to find and then to read the content of the JSON artifact file.
Let me know if you have any questions!
Thanks @viktorbenei!
I’m trying to display MobSF security scan results on my frontend. I can upload the built IPA and start the scan within Bitrise, but in order to view the results I need to pass the ID (technically the MobSF hash) to my frontend somehow.
There is a workaround where I can upload the built file to an S3 bucket, download it on my frontend, then upload it to MobSF and do it there but then the file is stored in 3 places at that point (distribution, S3, MobSF).
While not the most graceful I think your solution will be the most efficient. Will give it a shot and report back!
Hi @reade-contentsquare, for MobSF I tried it before with Bitrise but I installed it using docker on an ec2 machine and then send the APK to the URL to scan it. Maybe this blog post can help you
https://bitrise.io/blog/post/run-your-security-static-analysis-tests-on-the-cloud-with-mobsf-aws-and-bitrise
@moataznabil21 thanks! I have successfully accomplished this. What I’m trying to do is use the MobSF API in order to display the results on a different frontend.
@viktorbenei Thanks for your help here.
I ended up just using a Script step to log the hash like so:
MOBSF_HASH=$(curl -F "file=@./app.ipa" http://localhost:8000/api/v1/upload -H "X-Mobsf-Api-Key:XXXXX" | jq -r '.hash')
which nicely logs:
MOBSF_HASH=XXXXXXXXXX
I was able to use the Bitrise API to grab the logs during the build and in turn access the results of the scan.
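An added example (not the poster's script, nor Bitrise or MobSF code) showing both ends of the log-based route: the Script step prints the hash as a dedicated marker line with the API key read from an environment variable instead of being inlined, and the server that fetches the build log validates the value it extracts. MOBSF_URL, MOBSF_API_KEY, the 32-hex-character hash shape and the sample log are assumptions constructed for the example.

```shell
#!/usr/bin/env bash
# Added example; assumes MobSF reachable at $MOBSF_URL, the API key in
# $MOBSF_API_KEY (e.g. a Bitrise Secret rather than a literal in the step),
# curl and jq available.

# Runs inside the Bitrise Script step: upload the artifact and print the
# returned hash on its own marker line so the build log can be parsed later.
upload_and_log_hash() {
  local ipa="$1"
  local hash
  hash=$(curl -sS -F "file=@${ipa}" "${MOBSF_URL}/api/v1/upload" \
           -H "X-Mobsf-Api-Key: ${MOBSF_API_KEY}" | jq -r '.hash')
  echo "MOBSF_HASH=${hash}"
}

# Runs on the server after GET /apps/{app-slug}/builds/{build-slug}/log:
# take only a full-line marker (not a shell trace echo of the command), keep
# the last one, and require a 32-char hex value (assumed hash shape) before
# handing it to the frontend. Returns 1 when no valid marker is present.
extract_mobsf_hash() {
  local log_text="$1"
  local hash
  hash=$(printf '%s\n' "$log_text" \
         | sed -n 's/^MOBSF_HASH=\([0-9a-f]\{32\}\)$/\1/p' | tail -n 1)
  [ -n "$hash" ] || return 1
  printf '%s\n' "$hash"
}

# Constructed sample of build-log text (not a real Bitrise log): the first
# line is a trace of the command itself and must not be picked up.
SAMPLE_LOG='+ MOBSF_HASH=$(curl -F "file=@./app.ipa" ...)
Upload complete
MOBSF_HASH=0123456789abcdef0123456789abcdef
+ exit 0'
```

Call `upload_and_log_hash ./app.ipa` from the Script step and `extract_mobsf_hash "$log_body"` from the server-side code; the marker line is the only contract between the two.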
I’m glad it worked out. The log-based one, while not ideal, at least works, and the best solution is a working solution.
Thanks for sharing which route you went with, hopefully it’ll help others in the future as well