Jscrambler Integration with GitHub CI/CD

This section describes how to integrate Jscrambler Code Integrity into your existing GitHub workflows to automate your code protection process.

The easiest way to integrate with GitHub workflows is to use the Jscrambler Code Integrity action. This action allows you to protect a given list of files.

Getting started with Jscrambler configuration

First, if you haven't yet experienced Jscrambler's dashboard, we suggest you follow our Getting Started guide which will walk you through all the functionalities that we make available for our users.

For a quick setup, take a look at the Jscrambler 101 - First Use blog post that covers Jscrambler basic usage.

Jscrambler configuration file

If you are familiar with Jscrambler, you just need to download "No Secrets" Jscrambler's configuration file for the application you want to protect. If you don't know how to do this, please consult the following link.

A Jscrambler configuration file should look like this:

{
  "parameters": [
    {
        "status": 1,
        "name": "objectPropertiesSparsing"
    },
    {
        "status": 1,
        "name": "whitespaceRemoval"
    },
    {
        "status": 1,
        "name": "regexObfuscation"
    },
    {
        "status": 1,
        "options": {
            "features": [
                "opaqueSteps"
            ]
        },
        "name": "controlFlowFlattening"
    },
    {
        "status": 1,
        "name": "booleanToAnything"
    },
    {
      "status": 1,
      "name": "identifiersRenaming"
    }
  ],
  "areSubscribersOrdered": false,
  "languageSpecifications": {
    "es8": true,
    "es7": false,
    "es6": true,
    "es5": true
  },
  "applicationTypes": {
      "html5GameApp": false,
      "javascriptNativeApp": false,
      "hybridMobileApp": true,
      "serverApp": false,
      "desktopApp": false,
      "webBrowserApp": true
  },
  "useRecommendedOrder": true,
  "tolerateMinification": true,
  "useProfilingData": false
}

After downloading Jscrambler configuration file for the application you want to protect, you should:

GitHub secrets

  • And, place the jscrambler.json file on your application's root folder.

You are all set! Let's move on to configuring a Jscrambler job with GitHub CI.

Workflow Configuration

Consider the case of a workflow that, on a certain event, compiles/bundles a project and generates a set of JavaScript files in a dist folder. To integrate with Jscrambler, you could add the following jobs:

jobs:
  build:
    runs-on: ubuntu-latest
    name: Test Protection
    environment: production
    steps:
      - uses: actions/checkout@v3
      # < your build process here >
      - name: Protect with Jscrambler
        id: jscrambler
        uses: jscrambler/code-integrity-actions/protect@v6
        with:
          application-id: ${{ secrets.JSCRAMBLER_APPLICATION_ID }}
          secret-key: ${{ secrets.JSCRAMBLER_SECRET_KEY }}
          access-key: ${{ secrets.JSCRAMBLER_ACCESS_KEY }}
          jscrambler-config-path: jscrambler.json
          files-src: |
            dist/*
            dist/**/*
          files-dest: dist-obfuscated/
      - name: Upload protected code as a GitHub artifact
        uses: actions/upload-artifact@v3
        with:
          name: protected-source-code
          path: dist-obfuscated/
          retention-days: 1

Explanation

In this scenario:

  • Jscrambler reads the relevant credentials from your secrets (environment production)
  • Obtains most configuration parameters from a configuration JSON (jscrambler.json)
  • Protects the files inside the dist folder (and, recursively, files in folders inside dist)
  • Generates the obfuscated code in a folder named dist-obfuscated, which are uploaded as a GitHub artifact

Other features

The Jscrambler action also supports other use cases, such as:

  • Source map generation — through the source-maps-output-path. These source maps can then be exported as an artifact
  • Output symbol table generation — through the symbol-table-output-path. These symbol tables can then be exported as an artifact

Limitations

The Jscrambler action is designed to protect previously generated JS source code. However, for some frameworks (e.g. React Native), it is necessary to incorporate Jscrambler protection into the build system through custom plugins. In these scenarios, the Jscrambler Action should not be used. Instead, Jscrambler should be configured to run alongside the rest of the build system. Read the documentation about integrating Jscrambler with your chosen build system for more information.

Resources