NowSecure AUTO Jenkins Plugin

Integrating NowSecure AUTO with Jenkins (or any other build server) is straightforward. Once a binary (an .ipa or .apk) has been built, a single REST API call uploads the file for testing.

This article walks through the general Jenkins setup; some customization may be required depending on your environment.

This plugin adds the ability to perform automatic mobile app security testing for Android and iOS mobile apps through the NowSecure AUTO test engine.


Summary

Purpose-built for mobile app teams, NowSecure AUTO provides fully automated mobile appsec testing coverage (static, dynamic and behavioral tests) optimized for the dev pipeline. Because NowSecure tests the mobile app binary post-build from Jenkins, it can test software developed in any language and provides complete results covering newly developed code, third-party code, and compiler/operating system dependencies. With near-zero false positives, NowSecure pinpoints real issues in minutes, with developer fix details, and routes tickets automatically into ticketing systems such as Jira. NowSecure is frequently used to perform security testing in parallel with functional testing in the dev cycle.

What Binaries Can I Upload?

In order to run in NowSecure AUTO, remember that every app is installed on a physical device. To ensure the highest rate of success, all builds must be able to install and run on a device. Additionally, iOS apps cannot be encrypted (encryption is usually applied to releases that are in the iOS App Store).

You should also consider that the app will be exercised by a fully automated system, so mechanisms designed to defeat automation will limit coverage. These include features such as two-factor authentication and reCAPTCHA.

Requirements

  • Jenkins version 2.32 or newer is required.

NowSecure Auto Account

Requires a license for, and network connectivity to, the NowSecure AUTO service (https://www.nowsecure.com).

Installation

Generate API Key

See https://lab.nowsecure.com/account/settings to generate an API token.

Store API Key in Jenkins Credentials

Select Credentials from the sidebar:

Credentials

Store API Key as Secret text:

StoreCredentials

Define Jenkins Job

New Build

Bind the credential to the apiKey variable

Bind

Adding Plugin to your mobile build

Select the Configure option in the Jenkins console, then open the build step dropdown and choose NS Auto Jenkins Plugin, e.g.

Build Step

Specify configuration parameters

Configure Step

Advanced configuration options

Advanced

Kick off build

Kick off your mobile builds and you will see the raw JSON reports and the score under the build's artifacts folder.

Console

Pipeline

Adding plugin to pipeline:

Pipeline Setup

Pipeline Config

Sample pipeline script:

pipeline {
    agent any
    stages {
        stage('security-test') {
            environment {
                apiKey = credentials('AutoApiKey')
            }
            steps {
                step([$class: 'NSAutoPlugin', apiKey: env.apiKey, binaryName: 'myapk.apk', breakBuildOnScore: true, description: 'my description', group: 'mygroup', waitForResults: true])
            }
        }
    }
}

Artifacts

This plugin generates the following artifacts:

  • nowsecure-auto-security-test-uploaded-binary.json - metadata, in JSON format, returned after the mobile binary is uploaded.

  • nowsecure-auto-security-test-preflight.json - JSON output returned when the preflight request is submitted.

  • nowsecure-auto-security-test-request.json - JSON output returned when the security test request is submitted.

  • nowsecure-auto-security-test-report.json - JSON output returned when the security analysis is completed.

  • nowsecure-auto-security-test-score.json - JSON output holding the overall score of the security test.
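As an added example (not from the plugin's own documentation), the following declarative Jenkinsfile combines the pipeline sample above with the artifacts listed above: the API key is bound from the Secret text credential only for the duration of the test step, and the plugin's JSON output is archived with the build record even when breakBuildOnScore fails the build. It assumes a credential id of AutoApiKey, a Gradle Android project that produces app/build/outputs/apk/debug/app-debug.apk, and a group named mygroup; the 45-minute timeout is an arbitrary bound on the wait for device results.

```groovy
// Added example; assumes credential id 'AutoApiKey' (Secret text), a Gradle
// Android project and the app-debug.apk output path shown below.
pipeline {
    agent any
    options {
        // Bound the wait for results so a stalled device run cannot hold the executor forever.
        timeout(time: 45, unit: 'MINUTES')
    }
    stages {
        stage('build') {
            steps {
                sh './gradlew assembleDebug'
                // The plugin sample uploads a file from the workspace root, so copy the APK there.
                sh 'cp app/build/outputs/apk/debug/app-debug.apk myapk.apk'
            }
        }
        stage('security-test') {
            steps {
                // Secret-text binding: the key never appears in the Jenkinsfile,
                // is scoped to this block only, and is masked in the console log.
                withCredentials([string(credentialsId: 'AutoApiKey', variable: 'NS_API_KEY')]) {
                    step([$class: 'NSAutoPlugin',
                          apiKey: env.NS_API_KEY,
                          binaryName: 'myapk.apk',
                          breakBuildOnScore: true,
                          description: "build ${env.BUILD_NUMBER} of ${env.JOB_NAME}",
                          group: 'mygroup',
                          waitForResults: true])
                }
            }
        }
    }
    post {
        always {
            // Explicitly archive the five nowsecure-auto-security-test-*.json files so the
            // upload, preflight, request, report and score output survive a failed build.
            archiveArtifacts artifacts: 'nowsecure-auto-security-test-*.json',
                             allowEmptyArchive: true,
                             fingerprint: true
        }
    }
}
```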

Resources

Integration Complete

Jenkins integration is now complete for your account with NowSecure Auto. If you need assistance, feel free to contact support.