Developer Docs

Build with AppAudix

CLI for local and CI/CD workflows. REST API for custom integrations.

Quick Start

Install the CLI, authenticate with your API key, and scan your first app in under a minute.

bash
# 1. Install
npm install -g @appaudix/cli

# 2. Authenticate (get your key from appaudix.com/profile)
appaudix login --key sk_live_xxxxxxxxxxxx

# 3. Scan
appaudix scan MyApp.apk --frameworks pci_dss

Installation

Requires Node.js 18+ and npm.

bash
npm install -g @appaudix/cli

Verify the install:

bash
appaudix --version

Supported file types: .apk (Android), .aab (Android App Bundle), .ipa (iOS)

Authentication

The CLI authenticates using an API key generated from your Profile page. API keys are available on Pro and Enterprise plans.

Interactive login

bash
appaudix login

Non-interactive (scripts / CI)

bash
appaudix login --key sk_live_xxxxxxxxxxxx

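The key is saved to ~/.appaudix/config.json with mode 0600. A key passed with --key is visible in shell history and in the process list while the command runs. You can also set the APPAUDIX_API_KEY environment variable to skip the config file entirely: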

bash
export APPAUDIX_API_KEY=sk_live_xxxxxxxxxxxx

The env var takes precedence over the saved key.
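
To check the two behaviours described above on a workstation or build runner, this added example (not part of the AppAudix CLI or its documentation) reports which key source is in effect and whether the saved config file carries group or other permission bits. The function names are hypothetical, and it assumes an empty APPAUDIX_API_KEY is treated as unset.

```bash
# Added example, not AppAudix code. Function names are hypothetical; the config
# path, 0600 mode and env-var precedence are taken from the docs above.

# Print a file's octal permission bits (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# 0 = regular file with no group/other bits, 1 = too permissive,
# 2 = missing, a symlink, or mode unreadable.
config_is_private() {
    cfg="${1:-$HOME/.appaudix/config.json}"
    if [ -L "$cfg" ] || [ ! -f "$cfg" ]; then return 2; fi
    mode=$(file_mode "$cfg") || return 2
    case "$mode" in
        0|*00) return 0 ;;
        *)     return 1 ;;
    esac
}

# Which credential is in effect: "env", "config" or "none".
# Assumption: an empty APPAUDIX_API_KEY is treated as unset.
key_source() {
    cfg="${1:-$HOME/.appaudix/config.json}"
    if [ -n "${APPAUDIX_API_KEY:-}" ]; then echo env
    elif [ -f "$cfg" ]; then echo config
    else echo none
    fi
}

# Print a short audit; returns 1 if the saved key file is exposed.
audit_credentials() {
    cfg="${1:-$HOME/.appaudix/config.json}"
    src=$(key_source "$cfg")
    echo "effective key source: $src"
    if [ "$src" = env ] && [ -f "$cfg" ]; then
        echo "note: APPAUDIX_API_KEY shadows the key saved in $cfg"
    fi
    config_is_private "$cfg" && rc=0 || rc=$?
    case "$rc" in
        0) echo "ok: $cfg has no group/other permission bits" ;;
        1) echo "FAIL: $cfg is accessible beyond its owner; fix with: chmod 600 $cfg"
           return 1 ;;
        *) echo "info: no regular config file at $cfg" ;;
    esac
}
```

Call `audit_credentials` with no argument to check the default path; a symlinked config file is reported as not being a regular file rather than followed.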

Logout

bash
appaudix logout

appaudix scan

Upload an app and wait for results. Polls every 4 seconds until complete.

bash
appaudix scan <file> [options]

Options

-f, --frameworks <list>   Comma-separated compliance frameworks (max 2). Default: pci_dss
--no-wait                 Submit and exit immediately without polling for results
--fail-on <severity>      Exit with code 1 if any findings at or above this severity (critical | high | medium | low)
-o, --output <format>     Output format: text (default) or json
--webhook <url>           HTTPS URL to receive a completion notification
--callback-id <id>        Custom ID returned in the webhook payload

Examples

bash
# Basic scan
appaudix scan MyApp.apk

# Two frameworks
appaudix scan MyApp.apk --frameworks pci_dss,owasp_masvs

# JSON output (for piping / scripting)
appaudix scan MyApp.apk --output json | jq '.results'

# CI/CD: fail the build if any HIGH or above finding
appaudix scan MyApp.apk --fail-on high

# Submit without waiting (fire and forget)
appaudix scan MyApp.apk --no-wait

# With webhook callback
appaudix scan MyApp.apk --webhook https://ci.example.com/hook --callback-id build-1234

Supported frameworks

pci_dss        PCI-DSS 4.0.1
owasp_masvs    OWASP MASVS
hipaa          HIPAA
gdpr           GDPR
soc2           SOC 2 Type II
nist_800_163   NIST SP 800-163
lgpd           LGPD (Brazil)

appaudix scans

List recent scans or inspect / cancel a specific scan.

bash
appaudix scans [scan_id] [options]

Options

-l, --limit <n>         Number of scans to show (default: 20)
-s, --status <status>   Filter by status: queued | scanning | completed | error | cancelled
-o, --output <format>   Output format: text (default) or json
--cancel                Cancel the specified scan (requires a scan_id)

Examples

bash
# List last 20 scans
appaudix scans

# List last 50 completed scans
appaudix scans --limit 50 --status completed

# Inspect a specific scan
appaudix scans b8afcd12-8628-45ef-a953-5f34fbc067e0

# Cancel a running scan
appaudix scans b8afcd12-8628-45ef-a953-5f34fbc067e0 --cancel

# Machine-readable output
appaudix scans --output json

appaudix report

Download the full report for a completed scan.

bash
appaudix report <scan_id> [options]

Options

--format <fmt>            Report format: json (default) | pdf | html | sarif
-o, --output <filename>   Save to file instead of stdout

Examples

bash
# JSON report to stdout
appaudix report b8afcd12-8628-45ef-a953-5f34fbc067e0

# PDF report saved to file
appaudix report b8afcd12-8628-45ef-a953-5f34fbc067e0 --format pdf --output report.pdf

# HTML report
appaudix report b8afcd12-8628-45ef-a953-5f34fbc067e0 --format html --output report.html

# SARIF for GitHub Code Scanning (Pro+)
appaudix report b8afcd12-8628-45ef-a953-5f34fbc067e0 --format sarif --output results.sarif.json

CI/CD Integration

Use --fail-on to gate deployments on security findings. Store your API key as a secret in your CI provider.

GitHub Actions

yaml
# .github/workflows/security-scan.yml
name: Security Scan

on: [push, pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install AppAudix CLI
        run: npm install -g @appaudix/cli

      - name: Scan app
        env:
          APPAUDIX_API_KEY: ${{ secrets.APPAUDIX_API_KEY }}
        run: |
          appaudix scan app/build/outputs/apk/release/app-release.apk \
            --frameworks pci_dss,owasp_masvs \
            --fail-on high \
            --output json > scan-results.json

      - name: Upload scan results
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: security-scan
          path: scan-results.json

GitLab CI

yaml
# .gitlab-ci.yml
security-scan:
  image: node:20
  stage: test
  script:
    - npm install -g @appaudix/cli
    - appaudix scan app-release.apk --frameworks pci_dss --fail-on high
  variables:
    APPAUDIX_API_KEY: $APPAUDIX_API_KEY  # set in GitLab CI/CD variables

Bitbucket Pipelines

yaml
# bitbucket-pipelines.yml
pipelines:
  default:
    - step:
        name: Security Scan
        image: node:20
        script:
          - npm install -g @appaudix/cli
          - appaudix scan app-release.apk --fail-on high
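        after-script:
          # scan_id.txt is assumed to have been written by an earlier step; nothing shown on this page creates it
          - appaudix report "$(cat scan_id.txt)" --format pdf --output security-report.pdf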

Exit Codes

Code   Meaning
0      Success — scan completed, no findings at or above --fail-on threshold
1      Findings found at or above the --fail-on severity threshold
1      Scan error (upload failed, auth error, scan failed)
