NexusIQ scan for Android


We're using the Nexus Platform Plugin in Jenkins to scan Android applications for vulnerabilities.
I'm looking for how Nexus IQ scans an Android application.
I tried setting the scanPattern parameter to [*.apk], but it is not getting scanned.

e.g. we're executing the following pipeline script in Jenkins:

nexusPolicyEvaluation iqApplication: 'ApplicationID', iqStage: 'build', iqScanPatterns: [scanPattern: '**/*.apk']

Any thoughts?


Check out this post from @fcremer for information about scanning Android with IQ server.

Thanks for the workaround. It works. :+1:
We are able to scan the Android vulnerabilities.

Any thoughts on whether it is available with the Nexus Platform Plugin itself?

Recently I had the requirement to perform an IQ scan on an Android package, and the above instructions do not work with the latest version of Android. This is confirmed by the Sonatype support team as well. I'll walk you through the steps that worked for me:


  • Dependency and build tool: Gradle
  • Build pipeline: Gitlab CI
  • Android SDK version: 29


  1. Generate an SBOM from the apk file
  2. Upload SBOM to Sonatype lifecycle to get reporting into the platform
  3. Validate violation response to use as a build action


  1. Add the following to build.gradle.

cyclonedx 1.7.x did not work for me.

plugins {
    // plugin id assumed to be the CycloneDX Gradle plugin; the id did not survive extraction of the original post
    id 'org.cyclonedx.bom' version '1.6.1'
}

cyclonedxBom {
    skipConfigs += [ /* Gradle configurations to skip; the original list did not survive extraction */ ]
    destination = file("app/build/reports")
}

  2. Add the following to gitlab-ci.yml to generate the SBOM file.

generate-sbom:   # job name assumed; not in the original post
  stage: build
  # Packages installation before running script
  script:
    - chmod +x ./gradlew
    - ./gradlew cyclonedxBom
  artifacts:
    paths:
      - app/build/reports/bom.xml

  3. In gitlab-ci.yml:
    • Upload the SBOM to the Sonatype platform using the Sonatype REST API
    • Wait a few seconds
    • Validate the response
    • Fail the build if there is a policy violation
    • Replace IQ_URL and APP_ID

iq-scan:   # job name assumed; not in the original post
  stage: security-scan
  variables:
    IQ_URL: 'https://IQ_URL/api/v2/scan/applications/$APPLICATION_INTERNAL_ID/sources/cyclone'
    # -k disables TLS certificate verification for the IQ server
    SCAN_CURL_COMMAND: "curl -k -X POST -H 'Content-Type: application/xml' -u ${iq_user}:${iq_pass} -d @app/build/reports/bom.xml $IQ_URL"
  script:
    - |
      apt-get update && apt-get install jq -y
      # the submit response is {"statusUrl":"api/v2/scan/..."}; pull out the relative URL
      STATUS_URL=$(eval "$SCAN_CURL_COMMAND" | grep statusUrl | cut -d ":" -f2 | cut -d "}" -f1 | cut -d '"' -f2)
      sleep 30
      CHECK_STATUS_OUTPUT=$(curl -k -X GET -H 'Content-Type: application/json' -u ${iq_user}:${iq_pass} "https://IQ_URL/$STATUS_URL")
      SCAN_RESULT=$(echo "$CHECK_STATUS_OUTPUT" | jq -r '.policyAction')
      REPORT_URI=$(echo "$CHECK_STATUS_OUTPUT" | jq -r '.reportHtmlUrl')
      echo "Report: https://IQ_URL/$REPORT_URI"

      if [ "$SCAN_RESULT" = "Failure" ]; then
        echo "Scan result: $SCAN_RESULT"
        exit 1
      fi
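As an added example (not code from the thread or from Sonatype), the upload-and-gate step of the procedure above written in Python instead of the curl/grep/cut chain: it POSTs the CycloneDX BOM, polls the returned status URL instead of sleeping a fixed 30 seconds, and exits non-zero only on a Failure policy action, exactly as the post's script does. Assumptions: IQ_URL, IQ_USER, IQ_PASS and APPLICATION_INTERNAL_ID are CI variables, and the status endpoint answers 404 until the evaluation has finished; TLS certificate verification stays on, so there is no equivalent of curl -k.

```python
import base64, json, os, sys, time
import urllib.error, urllib.request

def auth_header(user, password):
    """HTTP Basic header, the equivalent of curl -u user:pass."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}

def status_url_from(submit_body):
    """Submit response is {"statusUrl": "api/v2/scan/..."}; JSON parsing replaces grep/cut."""
    return json.loads(submit_body)["statusUrl"]

def decide(status_body):
    """Map the IQ status document to (fail_build, summary); only 'Failure' breaks the build."""
    doc = json.loads(status_body)
    action = doc.get("policyAction", "None")
    return action == "Failure", f"policyAction={action} report={doc.get('reportHtmlUrl', '?')}"

def submit_bom(iq_url, app_internal_id, bom_xml, headers):
    """POST the SBOM as application/xml (as in the post) and return the relative status URL."""
    url = f"{iq_url}/api/v2/scan/applications/{app_internal_id}/sources/cyclone"
    req = urllib.request.Request(url, data=bom_xml, method="POST",
                                 headers={**headers, "Content-Type": "application/xml"})
    with urllib.request.urlopen(req, timeout=60) as resp:  # certificate verification stays on
        return status_url_from(resp.read())

def poll_status(iq_url, status_url, headers, attempts=24, delay=5):
    """Poll instead of a fixed sleep; assumption: IQ answers 404 until the evaluation is done."""
    for _ in range(attempts):
        req = urllib.request.Request(f"{iq_url}/{status_url}", headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return resp.read()
        except urllib.error.HTTPError as err:
            if err.code != 404:
                raise  # auth failures, server errors etc. must fail the job, not be retried
        time.sleep(delay)
    raise TimeoutError("IQ evaluation did not finish within the polling window")

def main():
    iq_url = os.environ["IQ_URL"].rstrip("/")  # base URL only, e.g. https://iq.example (assumed)
    headers = auth_header(os.environ["IQ_USER"], os.environ["IQ_PASS"])
    with open("app/build/reports/bom.xml", "rb") as fh:  # path the Gradle step writes to
        status_url = submit_bom(iq_url, os.environ["APPLICATION_INTERNAL_ID"], fh.read(), headers)
    fail, summary = decide(poll_status(iq_url, status_url, headers))
    print(summary)
    sys.exit(1 if fail else 0)

if __name__ == "__main__":
    main()
```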