CI/CD Business Security Compliance Detection: Challenges, Improvements, and Benefits

This article outlines the background, current challenges, and recent enhancements of CI/CD‑integrated business security compliance detection for mobile apps, including incremental source‑code scanning, call‑graph analysis, and performance gains, while also discussing future directions and benefits.

ByteDance Terminal Technology

Background: With rapid internet development and stricter privacy regulations worldwide, mobile applications face increasing risks of privacy and compliance issues after release.

Technical background: Business security checks are integrated into CI (Continuous Integration) and CD (Continuous Delivery) stages, blocking code merges or releases when risks are detected.

Current status and challenges: Existing CI checks on compiled intermediate artifacts (using Gradle transform and ASM) cannot cover source code, making license compliance difficult; locating issues is costly due to loss of original source information; CD artifact scans based on smali files miss indirect call chains.

Improvements: Implemented CI incremental source code detection by extracting changed files via git diff, handling component paths precisely, and scanning added/updated source for security rules; introduced BDAnalysis engine to build call graphs from Dex, enabling full call‑chain analysis and reducing Android artifact scan time from ~175 s to ~33 s.
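As an added illustration of the incremental CI source scan described above (example code, not the article's or ByteDance's implementation), the Python sketch below walks the unified diff from `git diff base...head`, examines only added lines in source files against a constructed rule set, and records the owning component, file path and new-side line number for each hit so the finding can be localized and aggregated without re-scanning untouched code:

```python
import re
# Constructed rule set for illustration (not the article's rules): regex -> rule id.
RULES = {
    r"\bgetDeviceId\s*\(": "PRIV-001 device identifier access",
    r"\bgetLastKnownLocation\s*\(": "PRIV-002 location access",
}
SOURCE_EXT = (".java", ".kt", ".swift", ".m", ".mm")
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

def scan_diff(diff_text):
    """Walk a unified diff (`git diff base...head`) and return (component, path, new_line, rule)
    for every added source line matching a rule; the component is the top-level directory."""
    findings, comp, path, line_no, in_source = [], "", "", 0, False
    for raw in diff_text.splitlines():
        if raw.startswith("diff --git"):
            in_source = False                  # reset until the next +++ header
        elif raw.startswith("+++ "):
            path = raw[4:].split("\t")[0]
            path = path[2:] if path.startswith("b/") else path
            comp = path.split("/", 1)[0]       # e.g. 'account' for account/src/...
            in_source = path.endswith(SOURCE_EXT)
        elif m := HUNK_RE.match(raw):
            line_no = int(m.group(1))          # first new-side line of this hunk
        elif not in_source or raw.startswith(("-", "\\")):
            continue                           # removed lines don't advance new-side numbering
        elif raw.startswith("+"):
            findings += [(comp, path, line_no, r) for p, r in RULES.items() if re.search(p, raw[1:])]
            line_no += 1
        else:
            line_no += 1                       # unchanged context line
    return findings

# Constructed diff: one Kotlin change plus a docs-only change that must be ignored.
SAMPLE_DIFF = """\
diff --git a/account/src/main/java/com/example/Login.kt b/account/src/main/java/com/example/Login.kt
--- a/account/src/main/java/com/example/Login.kt
+++ b/account/src/main/java/com/example/Login.kt
@@ -10,3 +10,5 @@ class Login {
     fun start() {
+        val id = tm.getDeviceId()
+        log(id)
     }
 }
diff --git a/feed/README.md b/feed/README.md
--- a/feed/README.md
+++ b/feed/README.md
@@ -1 +1,2 @@
 # Feed
+getDeviceId() is only mentioned in docs, so it is skipped
"""
```

In a real pipeline the diff would be fetched by the CI job and the rule set loaded from the compliance team's catalogue; the matching reported here is line-based, so indirect calls through helpers still require the call-graph analysis the article describes for the CD stage.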

Benefits: The new approach covers both Android and iOS source code, provides automatic precise issue localization and aggregation, improves detection efficiency, and lowers scanning latency while supporting license compliance and open‑source security checks.

Future work: Build metrics for detection effectiveness, integrate CI/CD data, enhance BDAnalysis for more scenarios, and continue to protect ByteDance’s mobile products.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
