Integrate automated security and compliance scanning for mobile applications into your CI/CD pipeline. Support for PCI-DSS, OWASP, HIPAA, GDPR, and more.
Drop the official action into any workflow to scan APK/AAB/IPA artifacts on every PR. Posts a severity comment, gates the build on a configurable threshold, and exposes outputs for downstream steps.
The appaudix API enables automated security and compliance scanning of mobile applications. Submit Android (APK, AAB) and iOS (IPA) packages for analysis against industry-standard compliance frameworks and receive detailed vulnerability reports with remediation guidance.
Base URL: https://api.appaudix.com/v1
Authentication: Bearer Token
Android: APK, AAB formats • Min SDK 21+
iOS: IPA format • iOS 12.0+
| Plan | Scans/Month | Concurrent | Requests/Min |
|---|---|---|---|
| Professional | 100 | 3 | 60 |
| Enterprise | Unlimited | 10 | 300 |
All responses use a consistent JSON structure:

```json
{
  "success": true,
  "data": { ... },
  "meta": {
    "request_id": "req_a1b2c3d4e5f6",
    "timestamp": "2025-01-15T10:30:00Z",
    "version": "v2"
  }
}
```

Choose one or more frameworks to scan against. Each framework includes specialized security checks.
| Framework | ID | Checks |
|---|---|---|
| Payment Card Industry Data Security Standard | pci_dss | 87 checks |
| Mobile Application Security Verification Standard | owasp_masvs | 73 checks |
| Health Insurance Portability and Accountability Act | hipaa | 45 checks |
| General Data Protection Regulation | gdpr | 38 checks |
| Service Organization Control 2 | soc2 | 52 checks |
| Vetting the Security of Mobile Applications (NIST 800-163) | nist_800_163 | 64 checks |
| Lei Geral de Proteção de Dados (Brazil) | lgpd | 42 checks |
Multi-framework scanning: Combine multiple frameworks in a single scan. Results are deduplicated and findings are mapped to each applicable framework requirement.
All API requests require a valid API key passed in the Authorization header.

```bash
curl -X GET "https://api.appaudix.com/v1/scans" \
  -H "Authorization: Bearer sk_live_your_api_key_here" \
  -H "Content-Type: application/json"
```

Keep your API key secure. Do not expose it in client-side code, public repositories, or logs. Rotate keys immediately if compromised.
Submit mobile applications for security analysis.
POST /v1/scans
Submit a new scan
| Parameter | Type | Required | Description |
|---|---|---|---|
| file | file | Yes | The APK, AAB, or IPA file to scan (max 2GB) |
| frameworks[] | string[] | No | Compliance frameworks to scan against. Default: pci_dss |
| callback_url | url | No | Webhook URL for scan completion notification |
| metadata | object | No | Custom key-value pairs (build_id, environment, etc.) |
```bash
curl -X POST "https://api.appaudix.com/v1/scans" \
  -H "Authorization: Bearer sk_live_your_api_key_here" \
  -F "file=@myapp.apk" \
  -F "frameworks[]=pci_dss" \
  -F "frameworks[]=owasp_masvs" \
  -F "callback_url=https://your-server.com/webhook" \
  -F "metadata[build_id]=build-1234" \
  -F "metadata[environment]=staging"
```

Response:

```json
{
  "success": true,
  "data": {
    "scan_id": "scan_7f3d8a2e1b4c",
    "status": "queued",
    "platform": "android",
    "package_name": "com.example.myapp",
    "version_name": "2.1.0",
    "version_code": 42,
    "file_size_mb": 45.2,
    "frameworks": ["pci_dss", "owasp_masvs"],
    "created_at": "2025-01-15T10:30:00Z",
    "estimated_completion": "2025-01-15T10:45:00Z",
    "links": {
      "self": "https://api.appaudix.com/v1/scans/scan_7f3d8a2e1b4c",
      "status": "https://api.appaudix.com/v1/scans/scan_7f3d8a2e1b4c/status",
      "report": "https://api.appaudix.com/v1/scans/scan_7f3d8a2e1b4c/report"
    }
  }
}
```

GET /v1/scans
List all scans
| Parameter | Type | Required | Description |
|---|---|---|---|
| status | string | No | Filter by status: queued, analyzing, completed, failed |
| limit | integer | No | Number of results (default: 20, max: 100) |
| offset | integer | No | Pagination offset |
```bash
curl -X GET "https://api.appaudix.com/v1/scans?status=completed&limit=10" \
  -H "Authorization: Bearer sk_live_your_api_key_here"
```

Monitor the progress of running scans.

GET /v1/scans/{scan_id}/status
Get detailed scan status and progress
```bash
curl -X GET "https://api.appaudix.com/v1/scans/scan_7f3d8a2e1b4c/status" \
  -H "Authorization: Bearer sk_live_your_api_key_here"
```

Response:

```json
{
  "success": true,
  "data": {
    "scan_id": "scan_7f3d8a2e1b4c",
    "status": "analyzing",
    "progress": 65,
    "current_phase": "static_analysis",
    "phases": {
      "extraction": { "status": "completed", "duration_ms": 2340 },
      "manifest_analysis": { "status": "completed", "duration_ms": 890 },
      "static_analysis": { "status": "in_progress", "progress": 78 },
      "secret_detection": { "status": "pending" },
      "crypto_analysis": { "status": "pending" },
      "report_generation": { "status": "pending" }
    },
    "checks_completed": 54,
    "checks_total": 87,
    "issues_found": 12,
    "started_at": "2025-01-15T10:30:15Z",
    "estimated_completion": "2025-01-15T10:42:00Z"
  }
}
```

Scan status values: queued, downloading, extracting, analyzing, generating_report, completed, failed.

Retrieve detailed compliance and security reports in multiple formats.
GET /v1/scans/{scan_id}/report
Get the full scan report

- format=json: Machine-readable JSON with full findings, compliance status, and remediation guidance.
- format=pdf: Professional PDF report for auditors, executives, and compliance submissions.
- format=html: Interactive HTML report for browser viewing and portal embedding.
- format=sarif (Enterprise): SARIF 2.1.0 for GitHub/GitLab Security integration. Enables native code scanning alerts.
| Parameter | Type | Required | Description |
|---|---|---|---|
| format | string | No | Response format: json (default), pdf, html, sarif (Enterprise only) |
| include | string[] | No | Sections to include: summary, findings, compliance, evidence |
```bash
curl -X GET "https://api.appaudix.com/v1/scans/scan_7f3d8a2e1b4c/report" \
  -H "Authorization: Bearer sk_live_your_api_key_here" \
  -H "Accept: application/json"
```

```bash
curl -X GET "https://api.appaudix.com/v1/scans/scan_7f3d8a2e1b4c/report?format=pdf" \
  -H "Authorization: Bearer sk_live_your_api_key_here" \
  -o "compliance-report.pdf"
```

SARIF: Static Analysis Results Interchange Format for CI/CD integration
SARIF (Static Analysis Results Interchange Format) is the industry standard for security tool integration. Upload appaudix scan results directly to GitHub Code Scanning, GitLab Security Dashboard, or Azure DevOps.
```bash
# Download SARIF report (Enterprise only)
curl -X GET "https://api.appaudix.com/v1/scans/scan_7f3d8a2e1b4c/report?format=sarif" \
  -H "Authorization: Bearer sk_live_your_api_key_here" \
  -o "scan-results.sarif.json"
```

```bash
# Upload SARIF to GitHub Code Scanning
# The code-scanning/sarifs endpoint expects the "sarif" field as a
# gzip-compressed, base64-encoded string, not the raw file contents.
gh api /repos/{owner}/{repo}/code-scanning/sarifs \
  -f sarif="$(gzip -c scan-results.sarif.json | base64 | tr -d '\n')" \
  -f ref=refs/heads/main \
  -f commit_sha="$(git rev-parse HEAD)"
```

Example SARIF output:

```json
{
  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
  "version": "2.1.0",
  "runs": [{
    "tool": {
      "driver": {
        "name": "appaudix",
        "version": "25.12.2",
        "rules": [
          {
            "id": "PCI-DSS-3.4.1",
            "name": "EncryptStoredPAN",
            "shortDescription": { "text": "PAN must be encrypted at rest" },
            "properties": { "security-severity": "9.0" }
          }
        ]
      }
    },
    "results": [
      {
        "ruleId": "PCI-DSS-3.4.1",
        "level": "error",
        "message": { "text": "Hardcoded encryption key detected" },
        "locations": [{
          "physicalLocation": {
            "artifactLocation": { "uri": "com/example/CryptoHelper.java" },
            "region": { "startLine": 42 }
          }
        }]
      }
    ]
  }]
}
```

Pro users: SARIF format requires an Enterprise subscription. Upgrade to enable GitHub/GitLab Security integration.
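Pro plans without SARIF can still gate a CI job from the status endpoint and the JSON report. This is an added example, not the appaudix SDK or the official action; the endpoint paths and field names (`summary`, `compliance`, `status`) are the ones documented on this page, while the severity threshold and the fail-closed policy for unfinished scans are my own choices.

```python
"""Gate a CI job on an appaudix scan from the JSON report (no SARIF needed).
Added example, not the appaudix SDK; stdlib only. Endpoints and field names
are the ones documented on this page; the thresholds are my own."""
import json
import sys
import time
import urllib.request

API = "https://api.appaudix.com/v1"
SEVERITIES = ("low", "medium", "high", "critical")  # ascending order

def api_get(path, api_key):
    req = urllib.request.Request(API + path, headers={
        "Authorization": "Bearer " + api_key, "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["data"]  # unwrap the response envelope

def wait_for_scan(scan_id, api_key, poll_seconds=30, max_wait=1800):
    """Poll /status until the scan reaches a terminal state or time runs out."""
    deadline = time.monotonic() + max_wait
    while True:
        status = api_get("/scans/%s/status" % scan_id, api_key)
        if status["status"] in ("completed", "failed"):
            return status
        if time.monotonic() > deadline:
            raise TimeoutError("scan %s still %s" % (scan_id, status["status"]))
        time.sleep(poll_seconds)

def gate(scan_status, report, fail_on="high", require_compliant=("pci_dss",)):
    """Return (passed, reasons). Fails closed: an unfinished or failed scan is
    a build failure, never a silent pass. Counts come from report["summary"]."""
    if scan_status != "completed":
        return False, ["scan did not complete (status=%s)" % scan_status]
    reasons, summary = [], report["summary"]
    for sev in SEVERITIES[SEVERITIES.index(fail_on):]:  # fail_on and worse
        if summary.get(sev, 0):
            reasons.append("%d %s finding(s)" % (summary[sev], sev))
    for fw in require_compliant:
        result = report["compliance"].get(fw)
        if result is None:
            reasons.append("%s was not scanned" % fw)
        elif not result["compliant"]:
            reasons.append("%s not compliant (score %s)" % (fw, result["score"]))
    return not reasons, reasons

if __name__ == "__main__":  # usage: python gate.py <scan_id> <api_key>
    scan_id, api_key = sys.argv[1], sys.argv[2]
    status = wait_for_scan(scan_id, api_key)["status"]
    report = api_get("/scans/%s/report" % scan_id, api_key) if status == "completed" else {}
    passed, reasons = gate(status, report)
    print("PASS" if passed else "FAIL: " + "; ".join(reasons))
    sys.exit(0 if passed else 1)
```

Fed the sample report on this page (2 critical, 5 high, pci_dss non-compliant), `gate` returns a failure with all three reasons listed.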
Example JSON report:

```json
{
  "success": true,
  "data": {
    "scan_id": "scan_7f3d8a2e1b4c",
    "app": {
      "package_name": "com.example.myapp",
      "version": "2.1.0",
      "platform": "android",
      "min_sdk": 24,
      "target_sdk": 34
    },
    "summary": {
      "risk_score": 72,
      "risk_level": "medium",
      "total_findings": 23,
      "critical": 2,
      "high": 5,
      "medium": 9,
      "low": 7,
      "passed_checks": 64,
      "failed_checks": 23
    },
    "compliance": {
      "pci_dss": {
        "compliant": false,
        "score": 78,
        "passed": 68,
        "failed": 19,
        "requirements": {
          "3.2": { "status": "failed", "findings": 2 },
          "3.4": { "status": "passed" },
          "4.2": { "status": "failed", "findings": 1 },
          "6.5": { "status": "passed" }
        }
      },
      "owasp_masvs": {
        "compliant": false,
        "score": 82,
        "passed": 60,
        "failed": 13
      }
    },
    "findings": [
      {
        "id": "finding_a1b2c3",
        "check_id": "SECRETS_001",
        "title": "Hardcoded API Key Detected",
        "severity": "critical",
        "framework": "pci_dss",
        "requirement": "3.2",
        "location": {
          "file": "com/example/api/Config.smali",
          "line": 142,
          "class": "com.example.api.Config"
        },
        "description": "A hardcoded API key was found in the application code.",
        "evidence": "api_key = \"sk_live_4eC39H...truncated...\"",
        "remediation": "Store API keys securely using Android Keystore or encrypted SharedPreferences. Never hardcode secrets in source code.",
        "references": [
          "https://owasp.org/MASVS/controls/MASVS-STORAGE-1/"
        ],
        "cwe": "CWE-798"
      }
    ],
    "scan_metadata": {
      "duration_seconds": 847,
      "completed_at": "2025-01-15T10:44:07Z",
      "scanner_version": "2.4.1"
    }
  }
}
```

Receive real-time notifications when scans complete. Perfect for CI/CD integration.
POST /v1/webhooks
Configure a webhook endpoint
```bash
curl -X POST "https://api.appaudix.com/v1/webhooks" \
  -H "Authorization: Bearer sk_live_your_api_key_here" \
  -H "Content-Type: application/json" \
  -d '{
    "url": "https://your-server.com/appscan-webhook",
    "events": ["scan.completed", "scan.failed"],
    "secret": "your_webhook_secret"
  }'
```

| Event | Description |
|---|---|
| scan.queued | Scan has been queued for processing |
| scan.started | Analysis has begun |
| scan.completed | Scan finished successfully |
| scan.failed | Scan encountered an error |

Webhook payload:

```jsonc
// Your server receives POST requests when scans complete
// Headers:
// X-Appaudix-Signature: sha256=a1b2c3d4e5f6...
// X-Appaudix-Event: scan.completed
// Content-Type: application/json
{
  "event": "scan.completed",
  "timestamp": "2025-01-15T10:44:07Z",
  "data": {
    "scan_id": "scan_7f3d8a2e1b4c",
    "status": "completed",
    "risk_level": "medium",
    "risk_score": 72,
    "findings": {
      "critical": 2,
      "high": 5,
      "medium": 9,
      "low": 7
    },
    "compliance": {
      "pci_dss": { "compliant": false, "score": 78 },
      "owasp_masvs": { "compliant": false, "score": 82 }
    },
    "report_url": "https://api.appaudix.com/v1/scans/scan_7f3d8a2e1b4c/report"
  }
}
```

Each webhook includes an X-Appaudix-Signature header containing an HMAC-SHA256 signature of the payload using your webhook secret. Always verify this signature before processing webhook data.
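A receiver-side check for that header, as an added example rather than appaudix's own code. It assumes the scheme described above: the header value is `sha256=` followed by the hex HMAC-SHA256 of the raw request body keyed with the webhook secret; `handle_webhook` and the sample delivery are constructed for illustration.

```python
"""Verify an appaudix webhook before acting on it. Added example, not
appaudix's own code. Assumes the header is "sha256=<hex>", the HMAC-SHA256
of the raw request body keyed with the webhook secret (as described above)."""
import hashlib
import hmac
import json

def sign(secret: bytes, body: bytes) -> str:
    """Compute the header value the sender would attach to `body`."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()

def verify_signature(secret: bytes, body: bytes, header) -> bool:
    """Constant-time comparison; a missing header or another scheme is a reject."""
    if not isinstance(header, str) or not header.startswith("sha256="):
        return False
    expected = sign(secret, body).encode()
    return hmac.compare_digest(expected, header.encode("utf-8"))

def handle_webhook(secret: bytes, raw_body: bytes, headers: dict):
    """Verify first, parse second. Always hash the raw bytes as received:
    re-serialising parsed JSON (key order, whitespace) changes the digest.
    Header names are case-insensitive in HTTP; normalise them in real servers."""
    if not verify_signature(secret, raw_body, headers.get("X-Appaudix-Signature")):
        raise PermissionError("rejected webhook: bad or missing signature")
    event = json.loads(raw_body)
    # Cross-check the event header against the body so neither can be swapped.
    if headers.get("X-Appaudix-Event") != event.get("event"):
        raise ValueError("rejected webhook: event header/body mismatch")
    return event

# Constructed sample delivery, shaped like the scan.completed payload above.
SECRET = b"your_webhook_secret"
SAMPLE_BODY = json.dumps({"event": "scan.completed", "data": {
    "scan_id": "scan_7f3d8a2e1b4c", "risk_level": "medium"}}).encode()
SAMPLE_HEADERS = {"X-Appaudix-Signature": sign(SECRET, SAMPLE_BODY),
                  "X-Appaudix-Event": "scan.completed"}

if __name__ == "__main__":
    print(handle_webhook(SECRET, SAMPLE_BODY, SAMPLE_HEADERS)["data"]["scan_id"])
```

Any change to the body, the secret, or the header scheme makes `verify_signature` return False, so a forged or tampered delivery never reaches `json.loads`.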
The API uses standard HTTP status codes and returns detailed error information.
```json
{
  "success": false,
  "error": {
    "code": "VALIDATION_ERROR",
    "message": "Invalid file format",
    "details": {
      "field": "file",
      "reason": "Expected .apk, .aab, or .ipa file"
    }
  },
  "meta": {
    "request_id": "req_x9y8z7w6v5u4",
    "timestamp": "2025-01-15T10:30:00Z"
  }
}
```

| Code | HTTP | Description |
|---|---|---|
| UNAUTHORIZED | 401 | Invalid or missing API key |
| FORBIDDEN | 403 | API key does not have permission for this action |
| NOT_FOUND | 404 | Resource not found |
| VALIDATION_ERROR | 400 | Invalid request parameters |
| FILE_TOO_LARGE | 413 | Uploaded file exceeds size limit (2GB max) |
| UNSUPPORTED_FORMAT | 415 | File type not supported |
| QUOTA_EXCEEDED | 429 | Monthly scan quota exceeded |
| RATE_LIMITED | 429 | Too many requests, slow down |
| SCAN_FAILED | 500 | Scan failed due to internal error |
Official libraries and integrations for popular platforms.

- GitHub Code Scanning: Export scan results in SARIF format and upload directly to GitHub Code Scanning. See security alerts in pull requests and track remediation in the Security tab.
- GitHub Actions: Scan apps in your CI workflow + SARIF upload
- GitLab: Native GitLab CI/CD + Security Dashboard
- Jenkins: Integrate with Jenkins pipelines
- Python SDK: `pip install appaudix`
- Node.js SDK: `npm install @appaudix/sdk`
- CLI: Cross-platform command line tool
Contact our team to get API access and integrate automated security scanning into your development workflow.