docs: Add additional information for Security Scans #44

Merged (1 commit), Sep 6, 2024
8 changes: 8 additions & 0 deletions doc/SecurityScan.md
@@ -1,5 +1,9 @@
# MobSF Security scan integration

This project includes automated static application security testing (SAST) for the generated binaries for both iOS and Android.
This is helpful to identify opportunities to reduce your app's susceptibility to attacks from malicious third parties.
We use [MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF) to scan the produced artifacts and generate a report with the analysis results.

## stage-security-scan.yml

This YAML configuration snippet outlines the setup for conditional security scanning within a CI/CD pipeline, specifically targeting iOS and Android platforms. The security scans are facilitated through the Mobile Security Framework (MobSF), a comprehensive tool designed for mobile security testing.
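Review bot: the new introduction says the scan covers "the generated binaries for both iOS and Android" but never says at which point in the pipeline the scan runs or which build outputs are fed to MobSF, so a reader cannot tell whether a debug build or the release artifact is being assessed. Since the later paragraph mentions Staging and Production, add one sentence here naming the stage (and the artifact) that is scanned, and make clear that this is static analysis of the packaged app only, so readers do not take a clean report as proof of runtime safety.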
@@ -48,6 +52,10 @@ This job mirrors the iOS security scan job but targets Android applications. It

Integrating the security scanning configuration into your `azure-pipelines.yml` pipeline requires activating specific parameters to enable the process. Set `enableIosSecurityScan` and `enableAndroidSecurityScan` to **true** as per your project's requirements. This approach ensures a tailored security assessment for mobile applications across different environments, in this case Staging and Production, utilizing **MobSF** for comprehensive vulnerability detection prior to deployment.

## Output
After a successful build, the results of the security analysis are added as Artifacts for your CI pipelines.
Two files are included: A PDF file (with a human-readable version of the scan results) and a JSON file which can be further analyzed, or even used as part of an automated process to identify specific portions of the report that can be of interest.

## References
- [MobSF Documentation](https://mobsf.github.io/docs/#/)
- [MobSF API Docs](https://mobsf.live/api_docs)
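Review bot: the Output section ("After a successful build, the results of the security analysis are added as Artifacts...") does not state whether findings affect the pipeline outcome, yet the paragraph above says the scan is done "prior to deployment", which readers will take to mean the scan gates the release. State explicitly that the scan is informational and the build passes regardless of findings, or document the gate if one exists. Also name the two published artifact files, otherwise the "automated process" the JSON is meant for has nothing concrete to pick up, and note that "After a successful build" means no report is produced when the build itself fails.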
3 changes: 3 additions & 0 deletions src/cli/CHANGELOG.md
@@ -5,6 +5,9 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)

Prefix your items with `(Template)` if the change is about the template and not the resulting application.

## 0.20.4
- Updates to documentation

## 0.20.3
- (CI/CD) Fixes an authentication issue with pub.dev
