Possible to retrieve environment variable set with envman via Bitrise API after completed build?

I am triggering builds from a server and need to run a security scan with the build artifact. I have successfully started the security scan using Bitrise but I’d like to be able to set and retrieve the ID of the security scan.

Is there any way to handle a response and set a variable that I can grab via one of the APIs?

I’ve tried using envman but anything I set does not get reflected when grabbing the build from GET /apps/{app-slug}/builds/{build-slug}. I realize I can log it and parse through GET /apps/{app-slug}/builds/{build-slug}/log but that feels like a non-optimal solution.

Hi @reade-contentsquare,

This is currently not doable through the API, but check out this article for a workaround: https://support.bitrise.io/hc/en-us/articles/360006717378-Organization-level-Environment-Variables

Hi @reade-contentsquare :wave:

> I’d like to be able to set and retrieve the ID of the security scan.

What do you need that for / how do you plan to use that if you can get it from the API?


The API might not be the easiest solution for your problem, so there might be a better/easier solution, but this is how you can do it via the API:

It’s not the easiest thing to do, depending on your needs there might be an easier solution, but it definitely works, using ~3 API calls to find and then to read the content of the JSON artifact file.

Let me know if you have any questions!

Thanks @viktorbenei!

I’m trying to display MobSF security scan results on my frontend. I can upload the built IPA and start the scan within Bitrise, but in order to view the results I need to pass the ID (technically the MobSF hash) to my frontend somehow.

There is a workaround where I can upload the built file to an S3 bucket, download it on my frontend, then upload it to MobSF and do it there but then the file is stored in 3 places at that point (distribution, S3, MobSF).

While not the most graceful I think your solution will be the most efficient. Will give it a shot and report back!

Hi @reade-contentsquare, for MobSF I tried it before with Bitrise but I installed it using Docker on an EC2 machine and then sent the APK to the URL to scan it. Maybe this blog post can help you:

https://bitrise.io/blog/post/run-your-security-static-analysis-tests-on-the-cloud-with-mobsf-aws-and-bitrise

@moataznabil21 thanks! I have successfully accomplished this. What I’m trying to do is use the MobSF API in order to display the results on a different frontend.

@viktorbenei Thanks for your help here.

I ended up just using a Script step to log the hash like so:

```bash
MOBSF_HASH=$(curl -F "file=@./app.ipa" http://localhost:8000/api/v1/upload -H "X-Mobsf-Api-Key:XXXXX" | jq -r '.hash')
```

which nicely logs:

```
MOBSF_HASH=XXXXXXXXXX
```

I was able to use the Bitrise API to grab the logs during the build and in turn access the results of the scan.

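The log-based retrieval described in the post above, as an added example (not code from the thread or from Bitrise): it reassembles the build log and accepts `MOBSF_HASH` only when it is a single, well-formed value. The `log_chunks` / `position` / `chunk` response shape, the 32-character hex (MD5-style) hash format, the `+ ` shell-trace prefix and the sample log are assumptions constructed for illustration.

```python
import re

# Assumption: the scan hash is 32 hex characters (MD5-style).
# The optional "+ " prefix covers a shell trace line from `set -x`.
HASH_LINE = re.compile(r"^(?:\++ )?MOBSF_HASH=([0-9a-fA-F]{32})$")
ANSI = re.compile(r"\x1b\[[0-9;]*[A-Za-z]")  # colour codes in CI logs


def log_text(log_response):
    """Join log chunks in position order (assumed JSON shape of the build log)."""
    chunks = sorted(log_response.get("log_chunks", []), key=lambda c: c["position"])
    return "".join(c["chunk"] for c in chunks)


def extract_mobsf_hash(text):
    """Return the hash if exactly one distinct valid value is logged, else None."""
    found = set()
    for raw in text.splitlines():
        line = ANSI.sub("", raw).strip()
        match = HASH_LINE.match(line)
        if match:
            found.add(match.group(1).lower())
    # Zero matches: upload failed or jq printed "null".
    # Several distinct matches: something else in the build printed a
    # look-alike line, so refuse to pick one.
    return found.pop() if len(found) == 1 else None


# Constructed sample: chunks arrive out of order and split the line mid-hash.
SAMPLE_LOG_RESPONSE = {
    "log_chunks": [
        {"position": 1, "chunk": "\x1b[32m+ MOBSF_HASH=0123456789abcdef0123"},
        {"position": 0, "chunk": "++ jq -r .hash\n"},
        {"position": 2, "chunk": "456789abcdef\x1b[0m\n+ echo done\n"},
    ]
}

if __name__ == "__main__":
    print(extract_mobsf_hash(log_text(SAMPLE_LOG_RESPONSE)))
```

Joining the chunks before splitting into lines matters because a chunk boundary can fall in the middle of the hash. The strict pattern keeps a failed upload (`MOBSF_HASH=null`) or arbitrary log text from being passed on to the frontend as a scan ID.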

I’m glad it worked out. The log-based one, while not ideal, at least works, and the best solution is a working solution :slight_smile:

Thanks for sharing which route you went with, hopefully it’ll help others in the future as well :raised_hands: