Running MobSF SAST using Gitlab CI Service

William Aristea
3 min read · Feb 12, 2021

Introduction

Hello everyone! Today I will tell you about how I integrate MobSF with Gitlab CI.

What is MobSF?

First things first, what is MobSF? According to their Github:

Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. MobSF supports mobile app binaries (APK, XAPK, IPA & APPX) along with zipped source code and provides REST APIs for seamless integration with your CI/CD or DevSecOps pipeline. The Dynamic Analyzer helps you to perform runtime security assessment and interactive instrumented testing.

MobSF Demo

In order to use it, you would usually need to serve MobSF as a website using Docker or its start script. Then, you need to upload your APK through the dashboard or via its REST API.

What I am Trying to Do


Now, instead of doing that, we are trying to use MobSF Static Application Security Testing (SAST) without using a dedicated machine to serve the MobSF instance.

We would instead use Gitlab CI to run the MobSF Docker image as a (temporary) Gitlab CI Service. Then, we can show the result directly in the Gitlab CI log or we can send the result to our dedicated security dashboard (in our case, we are using Defect Dojo).

This is inspired by Soluto’s Mobsf-CI Github Project, which uses Docker Compose and MobSF’s REST API to scan an APK without interacting with the dashboard. Instead of using that, I decided to create a new project to make it simpler and to make it available out-of-the-box for Gitlab users.

Now, without further ado, let’s get started.

How It Works

The project mainly consists of 2 files:

  • .gitlab-ci.yml Template
    As you might know, .gitlab-ci.yml is used by Gitlab CI to specify which commands need to run when a new update is pushed to a repo. First, it clones our repo, which contains scan.rb. Then it sets the necessary settings, credentials, and commands to prepare scan.rb to run. After that, it runs scan.rb. At the end, it sends the result to our security dashboard.
  • scan.rb
    We use this Ruby script to send our APK to the MobSF service through its REST API. The settings for scan.rb are defined in .gitlab-ci.yml. The script is downloaded and run by Gitlab CI, so make sure it is reachable from your Gitlab CI runner.
    I decided that using this script is best, since there seem to be encoding issues when uploading with simple curl commands.
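
To make the flow concrete, here is an added example of a scan.rb-style script written for this article; it is not the project’s own script or MobSF’s code. It assumes the MobSF endpoints /api/v1/upload, /api/v1/scan and /api/v1/report_json with the API key sent in an Authorization header (as documented at /api_docs of a running instance), a service hostname of mobsf, and an invented report shape for the offline run; the names MobsfClient, FakeTransport, count_by_severity and run_pipeline are mine.

```ruby
# Added example, not the project's scan.rb: drive MobSF's REST API the way the page
# describes (upload APK, start static scan, fetch JSON report) and gate the CI job on it.
require 'net/http'
require 'uri'
require 'json'

# Thin client for /api/v1/upload, /api/v1/scan and /api/v1/report_json, sent with an
# "Authorization: <api key>" header; confirm the paths against /api_docs on your MobSF.
class MobsfClient
  FORM = { 'Content-Type' => 'application/x-www-form-urlencoded' }.freeze

  # transport: callable (path, body, headers) -> response body. Injecting one lets
  # the whole flow run offline against canned answers (see FakeTransport below).
  def initialize(base_url, api_key, transport: nil)
    @base = URI(base_url)
    @key = api_key
    @transport = transport || method(:http_post)
  end

  # MobSF answers an upload with {"hash", "scan_type", "file_name"}.
  def upload(apk_path)
    body, boundary = multipart_body(apk_path)
    post('/api/v1/upload', body, 'Content-Type' => "multipart/form-data; boundary=#{boundary}")
  end
  def scan(meta)
    post('/api/v1/scan', URI.encode_www_form(meta.slice('scan_type', 'hash', 'file_name')), FORM)
  end
  def report_json(hash)
    post('/api/v1/report_json', URI.encode_www_form(hash: hash), FORM)
  end

  private
  def post(path, body, headers)
    JSON.parse(@transport.call(path, body, headers.merge('Authorization' => @key)))
  end

  def http_post(path, body, headers)
    req = Net::HTTP::Post.new(path, headers)
    req.body = body
    res = Net::HTTP.start(@base.host, @base.port, use_ssl: @base.scheme == 'https') { |h| h.request(req) }
    raise "MobSF returned HTTP #{res.code} for #{path}" unless res.is_a?(Net::HTTPSuccess)
    res.body
  end

  # Build the multipart body by hand in binary mode so the APK bytes are never
  # reinterpreted as text (the encoding trouble the page hit with plain curl).
  def multipart_body(apk_path)
    boundary = "----mobsf#{rand(1 << 64).to_s(16)}"
    head = "--#{boundary}\r\nContent-Disposition: form-data; name=\"file\"; " \
           "filename=\"#{File.basename(apk_path)}\"\r\nContent-Type: application/octet-stream\r\n\r\n"
    [head.b + File.binread(apk_path) + "\r\n--#{boundary}--\r\n".b, boundary]
  end
end

# Report layouts differ between MobSF versions, so rather than hard-code section names
# this walks the whole JSON and tallies every "severity" string it meets (an assumption
# that matches reports I have seen, not a documented schema).
def count_by_severity(node, counts = Hash.new(0))
  case node
  when Hash
    counts[node['severity']] += 1 if node['severity'].is_a?(String)
    node.each_value { |v| count_by_severity(v, counts) }
  when Array then node.each { |v| count_by_severity(v, counts) }
  end
  counts
end

# Upload -> scan -> report -> verdict; fail_on lists the severities that fail the job.
def run_pipeline(client, apk_path, fail_on: ['high'])
  meta = client.upload(apk_path)
  client.scan(meta)
  counts = count_by_severity(client.report_json(meta['hash']))
  { hash: meta['hash'], counts: counts, failed: fail_on.any? { |s| counts[s] > 0 } }
end

# Constructed canned responses (report shape invented for the demo) standing in for a
# MobSF service, so the script can be exercised with no instance running.
class FakeTransport
  REPORT = { 'manifest_analysis' => [{ 'title' => 'debuggable', 'severity' => 'high' }],
             'code_analysis' => { 'findings' => { 'sqlite' => { 'severity' => 'warning' } } } }.freeze
  attr_reader :calls
  def initialize; @calls = []; end
  def call(path, _body, headers)
    raise 'missing API key' unless headers['Authorization']
    @calls << path
    case path
    when '/api/v1/upload' then { 'hash' => 'deadbeef', 'scan_type' => 'apk', 'file_name' => 'app.apk' }.to_json
    when '/api/v1/scan' then '{}'
    when '/api/v1/report_json' then REPORT.to_json
    else raise "unexpected path #{path}"
    end
  end
end

# Stand-alone self-test: push this very file through the fake service and print the verdict.
if $PROGRAM_NAME == __FILE__
  puts JSON.pretty_generate(run_pipeline(MobsfClient.new('http://mobsf:8000', 'dummy', transport: FakeTransport.new), __FILE__))
end
```

Because the transport is injectable, the file runs on its own with no MobSF instance (it pushes itself through the fake service); in the CI job you build the client with the real service URL and the API key that MobSF prints when the container starts, and leave the transport out. The severity tally turns the scan into a gate: the job can fail on any high finding instead of only printing the report into the CI log.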

How-To Use

1. Copy the repo (optional)

First, if you want to modify scan.rb (for example, to fetch the result as a PDF instead of JSON), copy this project’s repo to your own repo. You can refer to MobSF’s API docs, served by your local instance of MobSF (i.e. http://127.0.0.1:8000/api_docs).
If you copied it to your own repo, remember to change the git clone command in .gitlab-ci.yml so that it points to your own repo.

2. Modify the .gitlab-ci.yml.template content

Then, copy the .gitlab-ci.yml.template to the repo that contains the APK and rename it to .gitlab-ci.yml (or incorporate it into your existing .gitlab-ci.yml). After that, change the TARGET_PATH variable to the name of the target APK.

Lastly, if you want to send the result to Defect Dojo, fill in the Dojo URL and Dojo Token variables with the correct query parameters (be sure to first create an engagement manually in Defect Dojo). If not, delete them.

You can (of course) also change other variables and commands to your liking.

3. Done :)

You can check the result in the Gitlab CI log or through your security dashboard.

Outro

Thank you for reading through this article :)
If you want to contribute or have any suggestions regarding the project, please feel free to do so through the Github project here.
