
Data Theorem Mobile Secure BuildKite Plugin

Data Theorem’s Mobile Secure automatically scans each pre-production release (up to 7000 releases/day) for security and privacy issues, using static, dynamic, and behavioral analysis of both iOS and Android applications.

More information can be found here:
https://www.datatheorem.com/products/mobile-secure

Examples

Basic Example

Add the following to your pipeline.yml:

steps:
  - label: "Build Mobile App Binary"
    # replace this step with your own logic to build the pre-prod mobile binary that you want to scan
    command: "echo 'Example mobile binary build step...'"

  - label: "Upload Mobile App Binary to Data Theorem for scanning"
    plugins:
      - datatheorem/data-theorem-mobile-secure:
          UPLOAD_API_KEY: $(buildkite-agent secret get DT_UPLOAD_API_KEY)
          BINARY_PATH: "app-debug.apk" # path to the pre-prod mobile binary built in the previous step

Example with optional SOURCEMAP_PATH

SOURCEMAP_PATH points to a Java mapping.txt file used to deobfuscate Android binaries, so that findings are reported against the original class and method names rather than the obfuscated ones.

steps:
  - label: "Build Mobile App Binary"
    # replace this step with your own logic to build the pre-prod mobile binary that you want to scan
    command: "echo 'Example mobile binary build step...'"

  - label: "Upload Mobile App Binary to Data Theorem for scanning"
    plugins:
      - datatheorem/data-theorem-mobile-secure:
          UPLOAD_API_KEY: $(buildkite-agent secret get DT_UPLOAD_API_KEY)
          BINARY_PATH: "app-debug.apk" # path to the pre-prod mobile binary built in the previous step
          SOURCEMAP_PATH: "mapping.txt" # path to mapping.txt

Example with scan result polling

Optionally, you can configure the plugin to wait for the scan to complete and print the number of new security findings. To do this, add POLL_SCAN_RESULTS: true. This mode also requires a Data Theorem Mobile Results API Key, which you can retrieve or create in the Data Theorem Portal under DevSecOps -> Data Theorem Results API; store it as a secret accessible to your Buildkite pipeline and pass it as MOBILE_RESULTS_API_KEY.

steps:
  - label: "Build Mobile App Binary"
    # replace this step with your own logic to build the pre-prod mobile binary that you want to scan
    command: "echo 'Example mobile binary build step...'"

  - label: "Upload Mobile App Binary to Data Theorem for scanning"
    plugins:
      - datatheorem/data-theorem-mobile-secure:
          UPLOAD_API_KEY: $(buildkite-agent secret get DT_UPLOAD_API_KEY)
          BINARY_PATH: "app-debug.apk" # path to the pre-prod mobile binary built in the previous step
          POLL_SCAN_RESULTS: true
          MOBILE_RESULTS_API_KEY: $(buildkite-agent secret get DT_MOBILE_RESULTS_API_KEY)

(Screenshot in the original README: the plugin’s log output for a successful scan with no discovered security issues.)

Example with vulnerability blocking

The plugin supports automatic build blocking based on security findings. When BLOCK_ON_SEVERITY is specified, the plugin will automatically enable polling and block the build if any vulnerabilities are found at or above the specified severity level.

steps:
  - label: "Build Mobile App Binary"
    # replace this step with your own logic to build the pre-prod mobile binary that you want to scan
    command: "echo 'Example mobile binary build step...'"

  - label: "Upload Mobile App Binary to Data Theorem for scanning"
    plugins:
      - datatheorem/data-theorem-mobile-secure:
          UPLOAD_API_KEY: $(buildkite-agent secret get DT_UPLOAD_API_KEY)
          BINARY_PATH: "app-debug.apk" # path to the pre-prod mobile binary built in the previous step
          BLOCK_ON_SEVERITY: "HIGH" # Block build on HIGH severity vulnerabilities
          MOBILE_RESULTS_API_KEY: $(buildkite-agent secret get DT_MOBILE_RESULTS_API_KEY)

Vulnerability Blocking

The plugin supports automatic build blocking based on security findings. When BLOCK_ON_SEVERITY is specified, the plugin will:

  1. Wait for the scan to complete (up to 5 minutes)
  2. Check for security findings at or above the specified severity level
  3. Block the build (fail the step) if any findings are at or above that severity threshold

Important: Vulnerability blocking requires a separate MOBILE_RESULTS_API_KEY with results access permissions.

Severity Levels

  • HIGH: Block on high severity vulnerabilities only
  • MEDIUM: Block on medium and high severity vulnerabilities
  • LOW: Block on all severity vulnerabilities (low, medium, high)
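The polling and blocking behaviour described above (wait up to the deadline, then gate on findings at or above BLOCK_ON_SEVERITY) reduces to two small pieces of decision logic. The bash script below is an added example written for this page, not the plugin’s own hooks. The Results API response format is not shown on the page, so findings are modelled as a constructed whitespace-separated list of severities, and the fake_scan_status function stands in for the real status call; BLOCK_ON_SEVERITY is read from the environment the way a plugin hook would. It shows the LOW < MEDIUM < HIGH ordering that “at or above” implies, rejects an unknown severity name rather than silently disabling the gate, and reports a poll timeout as a distinct exit code so a scan that never reports back is not mistaken for a clean one.

```shell
#!/usr/bin/env bash
# Added illustrative example (not the plugin's own code): the decision logic
# behind POLL_SCAN_RESULTS and BLOCK_ON_SEVERITY as the page describes it.
# The page does not show the Results API response format, so findings are
# modelled here as a whitespace-separated list of severities (LOW MEDIUM HIGH).
set -eu

# Rank a severity so "at or above the threshold" becomes a numeric comparison.
# Unknown names return non-zero so a typo in BLOCK_ON_SEVERITY cannot silently
# turn the gate off.
severity_rank() {
  case "$1" in
    LOW)    echo 1 ;;
    MEDIUM) echo 2 ;;
    HIGH)   echo 3 ;;
    *)      return 1 ;;
  esac
}

# count_blocking THRESHOLD "SEV SEV ..."
# Prints how many findings are at or above THRESHOLD. Exit 2 if THRESHOLD or
# any finding carries an unsupported severity name.
count_blocking() {
  local threshold="$1" findings="$2" min rank sev count=0
  min=$(severity_rank "$threshold") || { echo "unsupported BLOCK_ON_SEVERITY: $threshold" >&2; return 2; }
  for sev in $findings; do
    rank=$(severity_rank "$sev") || { echo "unsupported severity in results: $sev" >&2; return 2; }
    if [ "$rank" -ge "$min" ]; then count=$((count + 1)); fi
  done
  echo "$count"
}

# should_block THRESHOLD "SEV SEV ..."
# Exit 0 when the build must be blocked, 1 when it may pass, 2 on bad input.
should_block() {
  local n
  n=$(count_blocking "$1" "$2") || return 2
  [ "$n" -gt 0 ]
}

# poll_until_done CHECK_FN DEADLINE_SECONDS [INTERVAL_SECONDS]
# Calls CHECK_FN until it exits 0 (scan complete) or DEADLINE_SECONDS elapse.
# Exit 0 on completion, 124 on timeout (same convention as timeout(1)), so the
# caller can tell "scan still running" apart from "scan finished".
poll_until_done() {
  local check="$1" deadline="$2" interval="${3:-10}" start now
  start=$(date +%s)
  while ! "$check"; do
    now=$(date +%s)
    if [ $((now - start)) -ge "$deadline" ]; then
      return 124
    fi
    sleep "$interval"
  done
}

# Constructed sample data standing in for parsed scan results.
SAMPLE_FINDINGS="LOW MEDIUM HIGH MEDIUM"

# Stand-in for the real status call: pretend the scan finishes on the third poll.
SCAN_POLLS=0
fake_scan_status() {
  SCAN_POLLS=$((SCAN_POLLS + 1))
  [ "$SCAN_POLLS" -ge 3 ]
}

main() {
  local threshold="${BLOCK_ON_SEVERITY:-HIGH}"   # default chosen for this example
  # Fail closed: a scan that never reports back is a gate failure, not a pass.
  if ! poll_until_done fake_scan_status 300 0; then
    echo "scan did not complete within the deadline" >&2
    return 1
  fi
  if should_block "$threshold" "$SAMPLE_FINDINGS"; then
    echo "BLOCK: $(count_blocking "$threshold" "$SAMPLE_FINDINGS") finding(s) at or above $threshold"
    # A real plugin hook would 'exit 1' here so the Buildkite step fails.
  else
    echo "PASS: no findings at or above $threshold"
  fi
}
main
```

Saved under any name (say gate.sh), `BLOCK_ON_SEVERITY=MEDIUM ./gate.sh` and `BLOCK_ON_SEVERITY=LOW ./gate.sh` show the threshold widening the set of blocking findings, while `BLOCK_ON_SEVERITY=CRITICAL ./gate.sh` is refused instead of quietly passing everything. The timeout branch is the one place the page leaves open; the example fails closed, which is the safer default for a gate, and a team that prefers to merely warn on timeout can change that one branch.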

Configuration

UPLOAD_API_KEY (Required, string)

API Key you can retrieve in the Data Theorem Portal under DevSecOps -> Scan via CI/CD.

Hard-coding the raw value of the API key in the pipeline definition is not recommended, since the key would then live in source control and be visible to anyone who can read the repository or the build logs. We recommend using Buildkite Secrets:

  • On your agent cluster, define a secret named DT_UPLOAD_API_KEY and set the value to what you have retrieved from the Data Theorem Portal
  • In the BuildKite pipeline definition, you can pass the API Key as UPLOAD_API_KEY: $(buildkite-agent secret get DT_UPLOAD_API_KEY) in the plugin’s inputs

BINARY_PATH (Required, string)

Path to the mobile binary (APK, IPA, APPX or XAP) to be scanned.

SOURCEMAP_PATH (Optional, string)

An optional path to a Java mapping.txt file for deobfuscating Android binaries. Note: once deobfuscation is enabled for a PRE_PROD or ENTERPRISE Android app, future uploads of the same app will also require a mapping file. See How To Enable De-obfuscation of Android Scan Results Using A Mapping File for more information.

POLL_SCAN_RESULTS (Optional, boolean)

When set to true, the plugin polls the scan’s status until completion and prints whether the scan has found any new issues. This requires a Data Theorem Mobile Results API Key to be set (see MOBILE_RESULTS_API_KEY below).

MOBILE_RESULTS_API_KEY (Optional, string)

API Key you can retrieve in the Data Theorem Portal under DevSecOps -> Data Theorem Results API. This is only required if you want to poll for scan results (POLL_SCAN_RESULTS or BLOCK_ON_SEVERITY) instead of exiting after starting the scan.

Hard-coding the raw value of the API key is not recommended for the same reasons as for UPLOAD_API_KEY. We recommend using Buildkite Secrets:

  • On your agent cluster, define a secret named DT_MOBILE_RESULTS_API_KEY and set the value to what you have retrieved from the Data Theorem Portal
  • In the BuildKite pipeline definition, you can pass the API Key as MOBILE_RESULTS_API_KEY: $(buildkite-agent secret get DT_MOBILE_RESULTS_API_KEY) in the plugin’s inputs

BLOCK_ON_SEVERITY (Optional, string)

Block the build if vulnerabilities are found at or above the specified severity level. When set, the plugin will automatically enable polling and require MOBILE_RESULTS_API_KEY.

Supported values:

  • HIGH: Block on high severity vulnerabilities only
  • MEDIUM: Block on medium and high severity vulnerabilities
  • LOW: Block on all severity vulnerabilities (low, medium, high)

(Screenshot in the original README: the DT_UPLOAD_API_KEY and DT_MOBILE_RESULTS_API_KEY secrets as they appear in the Buildkite agent secret settings.)

Contributing

Running Tests

To test the plugin, use the Buildkite plugin tester:

docker run -it --rm -v "$PWD:/plugin:ro" buildkite/plugin-tester

The plugins listed on this webpage are provided for informational purposes only. They have not undergone any formal security review or assessment. While we strive to provide useful resources, we cannot guarantee the safety, reliability, or integrity of these plugins. Users are strongly advised to conduct their own security evaluations before downloading, installing, or using any plugin. By using these plugins, you acknowledge and accept any risks associated with their use. We disclaim any liability for any harm or damages arising from the use of the plugins listed.
