NowSecure provides purpose-built, fully automated mobile application security testing (static and dynamic) for your development pipeline. By testing your mobile application binary post-build from Gitlab, NowSecure ensures comprehensive coverage of newly developed code, third-party components, and system dependencies. NowSecure quickly identifies and details real issues, provides remediation recommendations, and integrates with ticketing systems such as Gitlab and Jira. This integration requires a NowSecure platform license. See https://www.nowsecure.com for more information.
To add this component to your CI/CD pipeline, the following should be done:

- Get a token from your NowSecure platform instance. More information on this can be found in the NowSecure Support Portal.
- Identify the ID of the group in NowSecure Platform that you want your assessment to be included in. More information on this can be found in the NowSecure Support Portal. (Note: authentication is required to access this page.)
- Add a CI/CD variable to your project named `NS_TOKEN` and add the token created above. As this is a credential, be sure to set the variable as Masked and Hidden.
- Add the following include entry to your project's CI/CD configuration and set your input values:

```yaml
- task: nowsecure-azure-extension@<tag>
  inputs:
    binary_file: "<path-to-binary>"
    group: "<group-ref>"
    token: $NS_TOKEN
```
- `<tag>` is the release tag you want to use.
- `<group-ref>` is the UUID of the group that will be used to trigger assessments. Information on how to get the group reference can be found in the NowSecure Support Portal.
- `<path-to-binary>` is the file path of the ipa / apk that is to be uploaded and assessed. Ideally this will be an artifact of a previous build step in the pipeline.
- `$NS_TOKEN` is the token used to communicate with the NowSecure API. This token should be an Azure DevOps Secret Variable. Information on how to create a token can be found in the NowSecure Support Portal.
- Find it in the Azure DevOps Marketplace using "NowSecure Azure Extension", then install it following Microsoft's instructions on installing Azure DevOps Marketplace extensions.
NOTE: Currently, compatibility is limited to either Windows / Linux running an x64 architecture, or macOS on ARM. In order for the extension to work, please make sure you have an appropriate `vmImage`.
```yaml
pool:
  vmImage: "ubuntu-latest"
steps:
  - task: Gradle@4
    inputs:
      cwd: ""
      wrapperScript: "gradlew"
      gradleOpts: "-Xmx3072m"
      publishJUnitResults: false
      testResultsFiles: "**/TEST-*.xml"
      tasks: "assembleDebug"
  - task: CopyFiles@2
    inputs:
      contents: "**/*.apk"
      targetFolder: "$(build.artifactStagingDirectory)"
  - task: PublishBuildArtifacts@1
    inputs:
      pathToPublish: "$(build.artifactStagingDirectory)"
      artifactName: "drop"
      artifactType: "container"
  - task: nowsecure-azure-extension@1
    inputs:
      # Required inputs
      group: "0000-00000-0000-0000"
      token: $NS_TOKEN
      binary_file: "path-to-artifact.apk"
      # Common optional parameters
      minimum_score: 70
      analysis_type: static
      polling_duration_minutes: 30
```
Note: `task: nowsecure-azure-extension@1` is the main task for security analysis; the other tasks above are used to generate the Android apk file.
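As an added example (not part of the NowSecure extension or its documentation), the following Python script lints a pipeline YAML fragment for the `nowsecure-azure-extension` task inputs shown above: it flags a token written as a literal instead of a variable reference, a `group` that is not a UUID, a `minimum_score` outside 0-100, and missing required inputs. It is a line-based scan rather than a full YAML parser, and it accepts both `$NS_TOKEN` and `$(NS_TOKEN)` as variable references, which is an assumption of this example.

```python
"""Lint an Azure Pipelines YAML snippet for NowSecure task inputs (added example)."""
import re

TASK_RE = re.compile(r"^\s*-\s*task:\s*nowsecure-azure-extension@")
KV_RE = re.compile(r"^\s*([A-Za-z_]+):\s*(.*?)\s*$")
# Assumption: $NS_TOKEN and $(NS_TOKEN) both count as pipeline variable references.
VAR_REF_RE = re.compile(r"^\$\(?[A-Za-z_][A-Za-z0-9_]*\)?$")
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def nowsecure_inputs(yaml_text):
    """Collect the raw key/value inputs of every nowsecure-azure-extension task."""
    tasks, current = [], None
    for line in yaml_text.splitlines():
        if TASK_RE.match(line):
            current = {}
            tasks.append(current)
            continue
        if line.lstrip().startswith("- task:"):
            current = None  # a different task begins; stop collecting
            continue
        m = KV_RE.match(line)
        if current is not None and m and m.group(1) != "inputs":
            current[m.group(1)] = m.group(2).strip("\"'")
    return tasks

def lint(yaml_text):
    """Return a list of findings; an empty list means no problem was found."""
    findings = []
    for i, inputs in enumerate(nowsecure_inputs(yaml_text)):
        for key in ("group", "token", "binary_file"):
            if key not in inputs:
                findings.append(f"task {i}: missing required input '{key}'")
        token = inputs.get("token", "")
        if token and not VAR_REF_RE.match(token):
            findings.append(f"task {i}: token is a literal; use a secret variable")
        group = inputs.get("group", "")
        if group and not UUID_RE.match(group):
            findings.append(f"task {i}: group '{group}' is not a UUID")
        score = inputs.get("minimum_score")
        if score is not None and not (score.isdigit() and int(score) <= 100):
            findings.append(f"task {i}: minimum_score '{score}' is not in 0-100")
    return findings

if __name__ == "__main__":  # constructed sample: placeholder group id, literal token
    SAMPLE = ("- task: nowsecure-azure-extension@1\n  inputs:\n"
              '    group: "0000-00000-0000-0000"\n    token: "ns-literal"\n'
              '    binary_file: "app.apk"\n    minimum_score: 70\n')
    for finding in lint(SAMPLE):
        print(finding)
```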
You can add a task to publish artifacts (API results) from the NowSecure Azure Extension task as shown:

```yaml
- task: PublishBuildArtifacts@1
  inputs:
    pathToPublish: "$(build.artifactStagingDirectory)"
    artifactName: "nowsecure"
    artifactType: "container"
```
To enable debug-level logging for the NowSecure Azure Extension, add the `log_level` input with the `debug` option as shown below:

```yaml
- task: nowsecure-azure-extension@1
  inputs:
    # Required inputs
    group: "0000-00000-0000-0000"
    token: $NS_TOKEN
    binary_file: "path-to-artifact.apk"
    # Enable debug-level logging
    log_level: "debug"
```