Skip to content

GitLab CI template for MobSF

This project implements a generic GitLab CI template for MobSF.

MobSF is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.


In order to include this template in your project, add the following to your gitlab-ci.yml:

  - project: 'to-be-continuous/mobsf'
    ref: '1.0.1'
    file: '/templates/gitlab-ci-mobsf.yml'

Global configuration

The MobSF template uses some global configuration used throughout all jobs.

Name description default value
MOBSF_CLIENT_IMAGE The Docker image used to send requests to the MobSF server kekel87/alpine-curl-jq-bash-coreutils:latest
MOBSF_SERVER_URL URL of MobSF server (none)
🔒 MOBSF_API_KEY API key of the MobSF server (none)


mobsf-app-scan job

This job uploads the packaged mobile application (APK or IPA) to the MobSF server, requests a scan and gets the report.

It is bound to the package-test stage, and uses the following variables:

Name description default value
MOBSF_APP_FILE Application package file (APK or IPA) (none)

Secrets management

Here are some advices about your secrets (variables marked with a 🔒):

  1. Manage them as project or group CI/CD variables:
    • masked to prevent them from being inadvertently displayed in your job logs,
    • protected if you want to secure some secrets you don't want everyone in the project to have access to (for instance production secrets).
  2. In case a secret contains characters that prevent it from being masked, simply define its value as the Base64 encoded value prefixed with @b64@: it will then be possible to mask it and the template will automatically decode it prior to using it.
  3. Don't forget to escape special characters (ex: $ -> $$).