The Appknox Github action allows you to perform Appknox security scan on your mobile application binary. The APK/IPA built from your CI pipeline will be uploaded to Appknox platform which performs static scan and the build will be errored according to the chosen risk threshold.
Sign up on Appknox.
Generate a personal access token from Developer Settings
Go to your app's repository settings in Github, click on Secrets in sidebar and create a new secret with name APPKNOX_ACCESS_TOKEN and value with the access token obtained in step 1
In your Github action workflow file (eg: .github/workflows/build.yml), insert the following content after the app build step:
- name: Appknox Scan
uses: appknox/[email protected]
with:
appknox_access_token: ${{ secrets.APPKNOX_ACCESS_TOKEN }}
file_path: app/build/outputs/apk/debug/app-debug.apk
risk_threshold: HIGH| Key | Value |
|---|---|
appknox_access_token |
Personal access token secret |
file_path |
File path to the mobile application binary to be uploaded |
risk_threshold |
Risk threshold value for which the CI should fail. Accepted values: CRITICAL, HIGH, MEDIUM & LOW Default: LOW |
sarif |
Enables SARIF report generation. Accepted values: Enable & Disable Default: Disable |
name: Build
on:
push:
branches:
- master
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Set up JDK 1.8
uses: actions/setup-java@v1
with:
java-version: 1.8
- name: Grant execute permission for gradlew
run: chmod +x gradlew
- name: Build the app
run: ./gradlew build
- name: Appknox GitHub action
uses: appknox/[email protected]
with:
appknox_access_token: ${{ secrets.APPKNOX_ACCESS_TOKEN }}
file_path: app/build/outputs/apk/debug/app-debug.apk
risk_threshold: MEDIUMThis example demonstrates how to run Appknox Scan to generate a SARIF report and download it as an artifact.
name: Build
on:
push:
branches:
- master
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Set up JDK 1.8
uses: actions/setup-java@v1
with:
java-version: 1.8
- name: Grant execute permission for gradlew
run: chmod +x gradlew
- name: Build the app
run: ./gradlew build
- name: Appknox GitHub action
uses: appknox/[email protected]
with:
appknox_access_token: ${{ secrets.APPKNOX_ACCESS_TOKEN }}
file_path: app/build/outputs/apk/debug/app-debug.apk
risk_threshold: MEDIUM
sarif: Enable
- name: Download SARIF Report
if: always()
uses: actions/upload-artifact@v2
with:
name: sarif-report
path: report.sarifNote: For integrating with GitHub Advanced Security (GHAS), ensure you have an active GitHub account with the Advanced Security feature enabled.
name: Build
on:
push:
branches:
- master
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Set up JDK 1.8
uses: actions/setup-java@v1
with:
java-version: 1.8
- name: Grant execute permission for gradlew
run: chmod +x gradlew
- name: Build the app
run: ./gradlew build
- name: Appknox GitHub action
uses: appknox/[email protected]
with:
appknox_access_token: ${{ secrets.APPKNOX_ACCESS_TOKEN }}
file_path: app/build/outputs/apk/debug/app-debug.apk
risk_threshold: MEDIUM
sarif: Enable
- name: Upload SARIF to GHAS
if: always()
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: report.sarifView reported vulnerabilities in GitHub Code Scanning after running above workflow
