plugin.yml
name: Data Theorem Mobile Secure
description: |
  Data Theorem's Mobile Secure will scan each pre-production release automatically (up to 7000 releases/day) for security & privacy issues using static, dynamic, and behavioral analysis for both iOS and Android applications.
  More information can be found here:
  https://www.datatheorem.com/products/mobile-secure
author: https://github.com/datatheorem
requirements:
  - curl
  - jq
configuration:
  properties:
    UPLOAD_API_KEY:
      type: string
      description: |
        Data Theorem upload API key.
    BINARY_PATH:
      type: string
      description: |
        Path to the app to upload.
        You can use a glob pattern to indicate variable parts of the build's file name
        (for example, if the app's version number or build date is in the file name).
        Examples of glob patterns:
          - `app-*.apk` : search for any apk starting with `app-` in the workspace root directory
          - `**/app-*.ipa` : search for any ipa starting with `app-` in any subdirectory of the workspace
          - `{,**/}app-debug*.*` : search for any file containing `app-debug` in the root directory or in any subdirectory
        If multiple files match the provided pattern, all matching files will be uploaded.
        The pattern should not match more than 3 files.
    SOURCEMAP_PATH:
      type: string
      description: |
        Path to the sourcemap file used to map obfuscated symbols back to their original names.
    USERNAME:
      type: string
      description: |
        Username to be used for authenticated testing of the application.
        If provided, will override the previously provided value.
    PASSWORD:
      type: string
      description: |
        Password to be used for authenticated testing of the application.
        If provided, will override the previously provided value.
        Use of Buildkite Secrets is recommended.
    COMMENTS:
      type: string
      description: |
        Miscellaneous, free-form comments regarding the upload.
    RELEASE_ID:
      type: string
      description: |
        A custom ID associated with the binary being submitted, since the app version may not change very often.
        It is recommended that you use a unique value for this, such as the CI/CD job ID.
        If not set, Data Theorem will assign the binary a release_id.
    PLATFORM_VARIANT:
      type: string
      description: |
        The variant of the platform to use for scanning. Currently, the only accepted value is
        IOS_ON_MAC (scan an iOS build on an Apple Silicon Mac instead of on an iOS device,
        in order to exercise code paths that are specific to Macs).
    EXTERNAL_ID:
      type: string
      description: |
        The external_id field represents your organization's custom identifier for the app, if any.
    POLL_SCAN_RESULTS:
      type: "boolean"
      default: false
      description: |
        Whether the plugin should wait until the scan is completed and then check the scan results.
        When set to `true`, `MOBILE_RESULTS_API_KEY` also needs to be set.
    MOBILE_RESULTS_API_KEY:
      type: string
      description: |
        Data Theorem results API key (required when POLL_SCAN_RESULTS, BLOCK_ON_SEVERITY or WARN_ON_SEVERITY is used).
    BLOCK_ON_SEVERITY:
      type: string
      enum: ["HIGH", "MEDIUM", "LOW"]
      description: |
        Block the build if vulnerabilities are found at or above the specified severity level.
        When set, the plugin will automatically enable polling and require MOBILE_RESULTS_API_KEY.
        Valid values: HIGH, MEDIUM, LOW
          - HIGH: Block on high severity vulnerabilities only
          - MEDIUM: Block on medium and high severity vulnerabilities
          - LOW: Block on all severity vulnerabilities (low, medium, high)
    WARN_ON_SEVERITY:
      type: string
      enum: ["HIGH", "MEDIUM", "LOW"]
      description: |
        Print warning messages if vulnerabilities at or above the specified severity level are found.
        This is a softer version of BLOCK_ON_SEVERITY that doesn't fail the build.
        Valid values: HIGH, MEDIUM, LOW
        This requires MOBILE_RESULTS_API_KEY (a Data Theorem Mobile Results API key) to be set.
    POLLING_TIMEOUT:
      type: number
      default: 300
      description: |
        Timeout duration in seconds for polling scan results.
        Default is 300 seconds (5 minutes).
        Only applies when POLL_SCAN_RESULTS is true, or when BLOCK_ON_SEVERITY or WARN_ON_SEVERITY is set.
    WAIT_FOR_STATIC_SCAN_ONLY:
      type: "boolean"
      default: false
      description: |
        When enabled, waits for the static_scan to be COMPLETED instead of the top-level scan.
        Default is false.
    SEVERITY_CHECK_SCOPE:
      type: string
      enum: ["CURRENT_SCAN", "ALL_ISSUES"]
      default: "CURRENT_SCAN"
      description: |
        Controls whether BLOCK_ON_SEVERITY and WARN_ON_SEVERITY check only findings
        from the current scan or all open findings in the mobile app.
        Valid values: CURRENT_SCAN, ALL_ISSUES
          - CURRENT_SCAN: Check only findings discovered in the current scan (default)
          - ALL_ISSUES: Check all open findings associated with the mobile app
  required:
    - UPLOAD_API_KEY
    - BINARY_PATH
  additionalProperties: false
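The severity-gating semantics the schema describes (BLOCK_ON_SEVERITY and WARN_ON_SEVERITY as "at or above" thresholds, SEVERITY_CHECK_SCOPE choosing current-scan versus all open findings, and WAIT_FOR_STATIC_SCAN_ONLY switching which status is awaited) are worth seeing as code. This is an added example, not the plugin's own implementation; the scan and finding dictionary shapes (`status`, `static_scan`, `severity`, `scan_id`) are constructed for illustration and are not the real Data Theorem results API format.

```python
# Added example, not part of the plugin: the gate that BLOCK_ON_SEVERITY,
# WARN_ON_SEVERITY and SEVERITY_CHECK_SCOPE describe, plus the
# WAIT_FOR_STATIC_SCAN_ONLY completion check. The scan/finding dict shapes
# (status, static_scan, severity, scan_id) are constructed, not the real API.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}  # larger = more severe

def scan_finished(scan, wait_for_static_scan_only=False):
    """WAIT_FOR_STATIC_SCAN_ONLY=true: wait on static_scan.status, not the
    top-level status (assumed keys)."""
    if wait_for_static_scan_only:
        return scan.get("static_scan", {}).get("status") == "COMPLETED"
    return scan.get("status") == "COMPLETED"

def in_scope(finding, scope, current_scan_id):
    """CURRENT_SCAN: open findings from this scan only; ALL_ISSUES: every
    open finding on the app (assumed keys)."""
    if finding.get("status", "OPEN") != "OPEN":
        return False
    if scope == "ALL_ISSUES":
        return True
    if scope == "CURRENT_SCAN":
        return finding.get("scan_id") == current_scan_id
    raise ValueError(f"unknown SEVERITY_CHECK_SCOPE: {scope}")

def at_or_above(findings, threshold):
    """HIGH -> HIGH only; MEDIUM -> MEDIUM and HIGH; LOW -> all severities."""
    if threshold not in SEVERITY_RANK:
        raise ValueError(f"invalid severity threshold: {threshold}")
    floor = SEVERITY_RANK[threshold]
    return [f for f in findings if SEVERITY_RANK.get(f.get("severity"), 0) >= floor]

def gate(findings, block_on=None, warn_on=None, scope="CURRENT_SCAN",
         current_scan_id=""):
    """Return ("block", hits), ("warn", hits) or ("pass", []). The block
    threshold is checked first so a finding tripping both fails the build."""
    scoped = [f for f in findings if in_scope(f, scope, current_scan_id)]
    for verdict, threshold in (("block", block_on), ("warn", warn_on)):
        hits = at_or_above(scoped, threshold) if threshold else []
        if hits:
            return verdict, hits
    return "pass", []

# Constructed sample: an older open HIGH, this scan's MEDIUM/LOW, a closed HIGH.
SAMPLE_FINDINGS = [
    {"id": "f1", "severity": "HIGH", "status": "OPEN", "scan_id": "scan-old"},
    {"id": "f2", "severity": "MEDIUM", "status": "OPEN", "scan_id": "scan-new"},
    {"id": "f3", "severity": "LOW", "status": "OPEN", "scan_id": "scan-new"},
    {"id": "f4", "severity": "HIGH", "status": "CLOSED", "scan_id": "scan-new"},
]
```

With the sample data, `gate(SAMPLE_FINDINGS, block_on="HIGH", warn_on="MEDIUM", current_scan_id="scan-new")` only warns, while the same call with `scope="ALL_ISSUES"` blocks on the older open HIGH finding.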