Now Available: Integrate Mobile App Scans into CI/CD Pipeline Using GitHub Actions


These days developers are incentivized to build mobile app features faster than ever, which frequently leads to releasing vulnerable code. Mobile application security testing (MAST) tools are by far the most frequently used to find and fix vulnerable code, according to a recent survey we conducted of 270 security and IT decision makers (Figure 1). zScan, Zimperium’s mobile app security testing solution, helps mobile app developers identify reputation and financial risks by automatically identifying privacy, security, and compliance risks in the development process before apps are released to the public.

How do you validate that security measures put in place are working against attacks in the real world?

The new zScan GitHub Action takes an iOS or Android binary, runs it through zScan, and returns a set of prioritized findings within minutes. Each risk finding includes the vulnerable code snippet, a description of the risk, its business impact, and remediation guidance. This new GitHub Action will enable more zScan users to seamlessly integrate mobile app security testing into their workflows.

“The only way to embrace security-by-design within large enterprises is to build security champions within development teams,” said Jon Paterson, CTO, Zimperium. “As mobile becomes an increasingly important part of every enterprise, Zimperium takes pride in giving developers the tools they need to be that security champion. Our partnership with GitHub will help more developers make security a priority by making it easy to find and fix the most critical issues while balancing development velocity.”

How to Use zScan with GitHub Actions

Within your GitHub repository, Zimperium zScan can now be selected as the scanning tool when setting up Code Scanning under the Security tab.

Developers can view all the findings directly within GitHub’s Advanced Security (GHAS) code scanning alerts interface, as shown below.

GitHub’s Advanced Security (GHAS) Code Scanning Alerts Interface

Each finding, when clicked on, contains a detailed description, its business impact, and recommendations to help quickly remediate the risk.

GitHub’s Advanced Security (GHAS) Risk Remediation

The scans can be triggered on every merge and pull request to give developers immediate security feedback. The scans are quick, comprehensive, and mobile-focused.
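As an added illustration (not a workflow from the original post or from Zimperium's documentation), this is the shape such a workflow takes: scan on every pull request and every merge to main, then publish the report to code scanning so findings appear as GHAS alerts. The zScan step's action reference, input name and secret names are placeholders to be replaced from the action's own documentation; the Gradle build command, APK path and SARIF file name are assumptions.

```yaml
# Added example, not Zimperium's own workflow. Runs the scan on every pull
# request and on every merge to main, then publishes results to GitHub's
# code scanning alerts so they show up in the GHAS interface.
name: mobile-app-security-scan

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read
  security-events: write   # required to upload results to code scanning

jobs:
  zscan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Build the Android binary. Assumption: a Gradle project; the APK path
      # used below is the Gradle default for a debug build.
      - name: Build APK
        run: ./gradlew assembleDebug

      # Placeholder step: substitute the zScan action reference and its
      # inputs (binary path, credentials, report format) from Zimperium's
      # documentation. Credentials belong in repository secrets, never in
      # the workflow file.
      - name: Run zScan
        uses: <zscan-action-from-marketplace>@<version>
        with:
          app_file: app/build/outputs/apk/debug/app-debug.apk   # placeholder input name
        env:
          ZSCAN_CLIENT_ID: ${{ secrets.ZSCAN_CLIENT_ID }}         # placeholder secret names
          ZSCAN_CLIENT_SECRET: ${{ secrets.ZSCAN_CLIENT_SECRET }}

      # Upload the SARIF report so each finding becomes a code scanning
      # alert on the pull request. The file name is an assumption.
      - name: Upload findings to code scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: zscan-results.sarif
          category: zscan
```

Restricting `permissions` to `contents: read` plus `security-events: write` keeps the job's token at the minimum needed to check out code and publish alerts.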

The zScan action is available to zScan customers in the GitHub marketplace beginning today. To get access to the zScan action, Zimperium customers should contact their Customer Support Manager.

If you are interested in learning about zScan or becoming a customer, please contact us today.
