Checks CI/CD setup

Prerequisites for CI/CD

To configure Checks to run in a pipeline, retrieve key configuration inputs from your Checks account and Google Cloud project.

Target Checks account and app

When you run Checks in your CI/CD platform, you will need to assign the results to a Checks account and an app that you've connected to that Checks account. To do this, you'll need the Checks Account ID and App ID.

For your Account ID, visit your Account Settings page.

For your App ID, visit your App Settings page.

Authentication

Use a service account when running Checks from an automated setup such as CI/CD. For more information on how to create and configure a service account, see Authenticate the CLI.

It is recommended to use CI environment variables to configure your JSON key. For example:

CHECKS_CREDENTIALS=/my/path/to/serviceaccount.json

Configure Checks to run in a CI/CD pipeline

Checks supports the following approaches:

  • Checks CI/CD plugins: Checks provides prebuilt plugins for several CI/CD platforms, including GitHub and fastlane. See the side navigation for more.
  • Checks CLI: Teams with more complex workflows, or using a build system without a Checks prebuilt plugin, can use the Checks CLI in their CI/CD pipeline. See Setting up using Checks CLI and Universal setup using Checks CLI for details.
  • Checks API: For teams with highly customized workflows, Checks offers a robust REST API. Use it to initiate scans, retrieve reports, and tailor the experience to your unique requirements. Find more information in the Checks API documentation.

To learn more about configuring your CI/CD pipeline, select one of the following implementation options:

Jenkins

The following example shows a possible Jenkins integration using the Checks CLI.

Prerequisites

  • Set the CHECKS_CREDENTIALS environment variable and point it to the service account credentials.
  • Add the Pipeline Utility Steps plugin to your Jenkins server to add support for interpreting JSON strings (e.g. the readJSON function).

Example

pipeline {
    agent any
    stages {
        stage('Build') {
            steps {
                echo 'Building APK ...'
                // Replace with the command that produces your app binary.
                sh 'build-apk-cmd'
            }
        }
        stage('Checks Analysis') {
            steps {
                script {
                    // Account ID and App ID from the Checks console (see Prerequisites).
                    ACCOUNT_ID = "123456"
                    APP_ID = "654321"
                    BINARY_PATH = "${WORKSPACE}/path/to/binary.apk"

                    echo 'Starting Checks Analysis ...'

                    // Upload the binary, wait for the scan to finish and store the JSON report.
                    // CHECKS_CREDENTIALS must already point to the service account key.
                    sh "./checks report generate --binary-path=${BINARY_PATH} --app-id=${APP_ID} --account-id=${ACCOUNT_ID} --no-input --json --wait-and-print-report > checks_results.json"

                    echo "Wrote Checks analysis results to checks_results.json"

                    // readJSON is provided by the Pipeline Utility Steps plugin.
                    def report = readJSON file: "${WORKSPACE}/checks_results.json"

                    echo "Generated report name: ${report.name}"
                    echo "Report console URL: ${report.resultsUri}"

                    // Collect every PRIORITY check that is in the FAILED state.
                    def failingChecks = []
                    for (check in report.checks) {
                        if (check.severity.toString() == "PRIORITY" && check.state.toString() == "FAILED") {
                            failingChecks.push(check)
                        }
                    }

                    // Fail the build if any priority issue was found.
                    if (failingChecks.size() > 0) {
                        echo "${failingChecks.size()} priority issue(s) detected: "
                        for (check in failingChecks) {
                            echo "Type: ${check.type}. Details: ${check}"
                        }
                        error('Failing build because Checks detected at least one priority issue.')
                    }
                }
            }
        }
    }
    post {
        failure {
            echo "Pipeline failed :("
        }
    }
}
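The same gate as a standalone script for CI systems that have no readJSON step (the Universal setup), as an added example that is not part of this guide or the Checks CLI. It reads only the report fields the Jenkins example uses (name, resultsUri, checks[].severity/state/type); the sample report, the report name, and the "OTHER"/"PASSED" values are constructed placeholders.

```python
import json
import sys

# Constructed sample report. It models only the fields the Jenkins example
# above reads (name, resultsUri, checks[].severity/state/type); the real
# Checks report contains more, and "OTHER"/"PASSED" are constructed values.
SAMPLE_REPORT = json.dumps({
    "name": "REPORT_NAME_PLACEHOLDER",
    "resultsUri": "https://CONSOLE_URL_PLACEHOLDER",
    "checks": [
        {"type": "SAMPLE_CHECK_1", "severity": "PRIORITY", "state": "FAILED"},
        {"type": "SAMPLE_CHECK_2", "severity": "OTHER", "state": "FAILED"},
        {"type": "SAMPLE_CHECK_3", "severity": "PRIORITY", "state": "PASSED"},
    ],
})


def failing_priority_checks(report):
    """Checks that are both PRIORITY severity and FAILED (same filter as above)."""
    return [c for c in report.get("checks", [])
            if str(c.get("severity")) == "PRIORITY"
            and str(c.get("state")) == "FAILED"]


def gate(report_text):
    """Return (exit_code, messages): 0 = clean, 1 = priority issue found,
    2 = report unreadable. An empty or malformed report fails closed, so a
    CLI error that left checks_results.json empty is not taken as a pass."""
    try:
        report = json.loads(report_text)
    except (TypeError, ValueError) as exc:
        return 2, [f"Checks report is not valid JSON: {exc}"]
    if not isinstance(report, dict) or "checks" not in report:
        return 2, ["Checks report has no 'checks' field; refusing to pass."]
    messages = [f"Generated report name: {report.get('name')}",
                f"Report console URL: {report.get('resultsUri')}"]
    failing = failing_priority_checks(report)
    if not failing:
        return 0, messages + ["No priority issues detected."]
    messages.append(f"{len(failing)} priority issue(s) detected:")
    messages.extend(f"Type: {c.get('type')}. Details: {c}" for c in failing)
    return 1, messages


if __name__ == "__main__":
    # Pipeline usage: python checks_gate.py checks_results.json
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    code, lines = gate(text)
    print("\n".join(lines))
    sys.exit(code)
```

Run it as the step after `checks report generate ... > checks_results.json`; a non-zero exit fails the job, and exit code 2 distinguishes a broken or empty report from a scan that found a priority issue.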

Feedback

Do you have a CI/CD workflow that you'd like to see added to this guide? Let us know at checks-support@google.com.