The Zimperium zShield Pro GitHub Action protects your mobile application binary (Android APK/AAB or iOS IPA) using zShield Pro.
It applies advanced security hardening techniques—such as encryption and runtime protections—and downloads the protected build for further use in your CI/CD pipeline.
- Protect Android and iOS mobile app binaries using zShield Pro
- Apply encryption and runtime protection policies automatically
- Resolve team and policy group by name (no UUIDs required)
- Support for team-scoped and global policy groups
- Download the protected application artifact for:
  - Re-signing
  - Distribution
  - Additional scanning (e.g., zScan)
- Designed for CI/CD automation
- Mirrors the behavior and usability of the zScan Marketplace action
You must provide the full base URL of your Zimperium tenant using `console_url`.
Examples:
- https://zc202.zimperium.com
- https://ziap.zimperium.com
- https://mtd.example.com

Do not include a trailing slash.
```yaml
- name: Protect App with zShield Pro
  id: zshield  # lets later steps read steps.zshield.outputs.*
  uses: zimperium/zshield-pro-action@v0.1.0
  timeout-minutes: 60
  with:
    console_url: https://ziap.zimperium.com
    client_id: ${{ vars.Z_CLIENT_ID }}
    client_secret: ${{ secrets.Z_CLIENT_SECRET }}
    app_file: ./app-release.apk
    team_name: Apps
    group_name: Default Group
```

The protected app is downloaded to the GitHub Actions workspace and exposed as an output.
| Output | Description |
|---|---|
| `build_id` | zShield Pro build identifier |
| `protected_file` | Path to the downloaded protected application |

You can upload the protected artifact using `actions/upload-artifact`, referencing the zShield Pro step by its `id` (`zshield` here):
```yaml
- name: Upload protected app
  uses: actions/upload-artifact@v4
  with:
    name: protected-app
    path: ${{ steps.zshield.outputs.protected_file }}
```

- This action must run on an `ubuntu-latest` GitHub Actions runner
- No GitHub Advanced Security (GHAS) license is required
- For Android:
  - The protected APK must be re-signed before installation or distribution

- Log in to the zConsole.
- Click the Account Management gear icon.
- Select Authorizations.
- Click Generate API Key.
- Enter a description.
- Grant required permissions for zShield Pro.
- Save and copy:
  - Client ID
  - Client Secret

- In your GitHub repository, go to Settings.
- Navigate to Secrets and Variables → Actions.
- Add:
  - `Z_CLIENT_ID` (repository variable)
  - `Z_CLIENT_SECRET` (repository secret)

For more details, see the GitHub Secrets documentation.

- Create or edit a workflow in `.github/workflows/`.
- Add the zShield Pro action step.
- Point `app_file` to your built mobile application.
- Commit and run the workflow.

If no protection policy is provided, the action applies a default CI-safe policy, equivalent to:
```json
{
  "description": "CI zShield Pro protection",
  "signatureVerification": false,
  "staticDexEncryption": true,
  "resourceEncryption": true,
  "metadataEncryption": true,
  "codeObfuscation": false,
  "runtimeProtection": true,
  "autoScanBuild": true
}
```

This default is suitable for most CI and demo workflows. Note that it leaves `signatureVerification` and `codeObfuscation` disabled.
You may override the default policy inline using `app_protection_request`:
```yaml
- name: Protect with zShield Pro
  uses: zimperium/zshield-pro-action@v0.1.0
  with:
    console_url: https://zc202.zimperium.com
    client_id: ${{ vars.Z_CLIENT_ID }}
    client_secret: ${{ secrets.Z_CLIENT_SECRET }}
    app_file: app-release.apk
    team_name: Apps
    group_name: Default Group
    app_protection_request: |
      {
        "description": "Demo CI policy",
        "runtimeProtection": true,
        "autoScanBuild": true
      }
```

Inline JSON is ideal for demos and quick experimentation.
For larger or platform-specific policies, use a file:
```yaml
- name: Protect with zShield Pro
  uses: zimperium/zshield-pro-action@v0.1.0
  with:
    console_url: https://zc202.zimperium.com
    client_id: ${{ vars.Z_CLIENT_ID }}
    client_secret: ${{ secrets.Z_CLIENT_SECRET }}
    app_file: app-release.apk
    team_name: Apps
    group_name: Default Group
    app_protection_request_file: .github/zshield-policy.json
```

This approach is recommended for production pipelines and complex configurations.
Protection policies are applied in the following order of precedence:
- `app_protection_request` (inline JSON)
- `app_protection_request_file`
- Built-in default policy

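An added example (not part of the action or its original README): a pre-flight check a workflow could run before the protect step. It picks the policy source in the order listed above and compares it with the default policy shown earlier, flagging protections that are switched off, left unset, or not among the keys on this page. The function names and finding labels are assumptions of this example.

```python
import json

# Boolean keys and values copied from the default policy shown on this page.
DEFAULT_POLICY = {
    "signatureVerification": False,
    "staticDexEncryption": True,
    "resourceEncryption": True,
    "metadataEncryption": True,
    "codeObfuscation": False,
    "runtimeProtection": True,
    "autoScanBuild": True,
}

def effective_policy(inline=None, file_text=None):
    """Pick the policy source in the documented order: inline, file, default."""
    if inline and inline.strip():
        return "inline", json.loads(inline)
    if file_text and file_text.strip():
        return "file", json.loads(file_text)
    return "default", dict(DEFAULT_POLICY)

def review_policy(policy):
    """Compare a policy with the default and return (label, key) findings."""
    findings = []
    for key, default in DEFAULT_POLICY.items():
        if key not in policy:
            # The page does not say whether omitted keys inherit the default.
            findings.append(("unset", key))
        elif not isinstance(policy[key], bool):
            findings.append(("not-boolean", key))
        elif default and not policy[key]:
            findings.append(("weakened", key))
    for key in policy:
        # Keys not shown on this page may be valid API fields or typos.
        if key not in DEFAULT_POLICY and key != "description":
            findings.append(("unknown-key", key))
    return findings

if __name__ == "__main__":
    # Constructed sample inputs: an inline override and a policy file.
    inline = '{"description": "Demo CI policy", "runtimeProtection": true, "autoScanBuild": true}'
    file_text = '{"description": "prod", "runtimeProtection": false, "resourceEncrypton": true}'
    for args in ((inline, file_text), (None, file_text), (None, None)):
        source, policy = effective_policy(*args)
        print(source, review_policy(policy))
```
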
Policy groups are resolved deterministically:
- A team-scoped group matching `group_name` is selected first.
- Otherwise, a global group with the same name is selected.
- If multiple matches exist, the action fails with a clear error.
- If no match is found, the action fails.
This ensures safe and predictable policy application.
You can add this action to any existing build pipeline after your mobile app is built:
```yaml
- name: Build Android App
  run: ./gradlew assembleRelease
- name: Protect with zShield Pro
  uses: zimperium/zshield-pro-action@v0.1.0
  with:
    console_url: https://zc202.zimperium.com
    client_id: ${{ vars.Z_CLIENT_ID }}
    client_secret: ${{ secrets.Z_CLIENT_SECRET }}
    app_file: app/build/outputs/apk/release/app-release.apk
    team_name: Apps
    group_name: Default Group
```

Please file issues in the repository where this action is hosted. Include:
- The workflow snippet
- The error message
- The expected behavior
Suggestions and enhancements are welcome.
This action is licensed under the MIT License, consistent with other Zimperium Marketplace actions.
MIT License
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
...
Improvements and pull requests are welcome.
This action is intentionally designed to evolve alongside the zShield Pro API.