
GitLab CI template for MobSF

This project implements a GitLab CI/CD template to perform pen-testing, malware analysis and security assessment for mobile applications with Mobile Security Framework (MobSF).

Usage

This template can be used both as a CI/CD component or using the legacy include:project syntax.

Use as a CI/CD component

Add the following to your .gitlab-ci.yml:

include:
  # 1: include the component
  - component: $CI_SERVER_FQDN/to-be-continuous/mobsf/gitlab-ci-mobsf@2.7.0
    # 2: set/override component inputs
    inputs:
      app-file: "build/myapp.apk" # ⚠ this is only an example

Use as a CI/CD template (legacy)

Add the following to your .gitlab-ci.yml:

include:
  # 1: include the template
  - project: 'to-be-continuous/mobsf'
    ref: '2.7.0'
    file: '/templates/gitlab-ci-mobsf.yml'

variables:
  # 2: set/override template variables
  MOBSF_APP_FILE: "build/myapp.apk" # ⚠ this is only an example

Global configuration

The MobSF template uses the following global configuration throughout all jobs.

| Input / Variable | Description | Default value |
| --- | --- | --- |
| client-image / MOBSF_CLIENT_IMAGE | The Docker image used to send requests to the MobSF server | docker.io/badouralix/curl-jq |
| app-file / MOBSF_APP_FILE | Application package file (APK or IPA) | none |
| server-url / MOBSF_SERVER_URL | URL of MobSF server | none (runs the scan on a local server) |
| 🔒 MOBSF_API_KEY | API key of the MobSF server | none (runs the scan on a local server) |

Jobs

Only one of the mobsf-app-scan and mobsf-app-scan-service jobs is launched, depending on whether the MOBSF_CLIENT_IMAGE and MOBSF_API_KEY are set.

mobsf-pkg-xxx jobs

Depending on whether the server-url / MOBSF_SERVER_URL configuration is set or not, the template will run a scan of your application package (APK or IPA), either locally (mobsf-pkg-local job) or remotely (mobsf-pkg-remote job).

Both use the official Docker image, and are bound to the package-test stage.

mobsf-code Job

This job performs static analysis of the application's source code using the mobsfscan tool.

It has the following variables:

| Input / Variable | Description | Default value |
| --- | --- | --- |
| sources-scan-disabled | Disables the job if set to true | false |
| sources-folder | Path to the source code folder to analyze | . (project root) |
| code-image / MOBSF_CODE_IMAGE | The Docker image used to run the mobsfscan command | docker.io/opensecurity/mobsfscan:latest |

This job can be enabled or disabled based on the sources-scan-disabled variable. The source folder path can be customized via sources-folder.

It is bound to the package-test stage.

Secrets management

Here is some advice about your secrets (variables marked with a 🔒):

  1. Manage them as project or group CI/CD variables:
    • masked to prevent them from being inadvertently displayed in your job logs,
    • protected if you want to secure some secrets you don't want everyone in the project to have access to (for instance production secrets).
  2. In case a secret contains characters that prevent it from being masked, simply define its value as the Base64 encoded value prefixed with @b64@: it will then be possible to mask it and the template will automatically decode it prior to using it.
  3. Don't forget to escape special characters (ex: $ -> $$).
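As an added illustration of the @b64@ convention from point 2 (this is not the template's own implementation), the POSIX shell helper below decodes a CI/CD variable that was stored Base64-encoded so that GitLab can mask it, and passes plain values through unchanged. The sample key and variable names are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the to-be-continuous/mobsf template:
# decode a CI/CD variable stored as "@b64@<base64>" before a job uses it.

# decode_secret VALUE
# Prints VALUE decoded from Base64 when it carries the "@b64@" prefix,
# otherwise prints VALUE unchanged. Returns non-zero on invalid Base64.
decode_secret() {
  case "$1" in
    @b64@*)
      # strip the "@b64@" prefix and decode the remainder
      printf '%s' "${1#@b64@}" | base64 -d || return 1
      ;;
    *)
      printf '%s' "$1"
      ;;
  esac
}

# Constructed sample: a key containing "$" and "@", characters that can
# keep GitLab from masking the plain value in job logs.
SAMPLE_PLAIN='k3y$with@chars'
SAMPLE_ENCODED="@b64@$(printf '%s' "$SAMPLE_PLAIN" | base64)"

# Typical use in a job script (MOBSF_API_KEY is the variable named on this
# page; the decoded value is kept in a shell variable, never echoed):
# MOBSF_API_KEY="$(decode_secret "$MOBSF_API_KEY")"
```

The same helper can be applied to any 🔒 variable, since the prefix check means plain values are left untouched.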