| summary | Learn how OutSystems 11 (O11) enables secure API-based source code retrieval for compliance and security integration in regulated industries for your applications and modules. |
|---|---|
| locale | en-us |
| guid | c0f22c7d-ac63-4704-b50f-97a3c697da44 |
| app_type | traditional web apps, mobile apps, reactive web apps |
| platform-version | o11 |
Highly regulated industries typically have internal organizational security and compliance policies that they must comply with. Frequently, these procedures include employing specific static code analysis tools to test application security.
The OutSystems platform provides an API that enables you to download the generated code for the current running apps and modules. The source code package returned by the API contains the following:
- App: Server-side code and the native code if it's a mobile application
- Module: Server-side code
With this capability, you can extend OutSystems's built-in security capabilities by integrating your preferred Static Application Security Testing (SAST) tool. This supports your security and compliance needs, facilitating integration into continuous deployment pipelines, where automated application source code security validations occur across multiple CI/CD stages.
The code retrieved through the API is almost the same as the code running on the server. For security and licensing reasons, some files with configurations, secrets, and proprietary code are not shared by the API.
The code in the package does not compile and is not executable.
Extension code is not available through the API.
To download the source code of an app or a module, ensure that the environment from where you want to get the source code has:
- Platform Server version 11.28.0 or higher (for applications only, this feature is also available in Platform Server version 11.27.0)
- LifeTime version 11.22.0 or higher
- LifeTime Service Account
- Service Account needs Open and Debug on the environment
To request the source code of an application, follow these steps:
1. Get the environment key of the environment where you want to request the application source code (skip this step if you already have this information).
2. Get the application key of the application whose source code you want to request (skip this step if you already have this information).
3. Get the package key of the application source code you want to request.
4. Check the status of the application source code packaging you want to request.
5. Get the download link of the application source code package.
6. Download the application source code package.
This step is optional; call the API only if you don't know the environment key.
This API returns all the environments available on your infrastructure.
Request: GET /lifetimeapi/rest/v2/environments/
Response body:
```json
[
  {...},
  {
    "Key": "849515f2-b4ff-4aca-a9d6-9407bea655f4",
    "Name": "Testing",
    "OSVersion": "11.18.1.0",
    "Order": 2,
    "HostName": "hostname.outsystems.com",
    "UseHTTPS": true,
    "EnvironmentType": "Test",
    "NumberOfFrontEnds": 1,
    "ApplicationServerType": ".NET",
    "ApplicationServer": "IIS",
    "DatabaseProvider": "SQLServer",
    "IsCloudEnvironment": true,
    "IsOffline": false
  },
  {...}
]
```
In this request example, the source code of an application is requested from the Testing environment.
Take note of the environment key to use it in the upcoming API calls.
Example of an environment key: 849515f2-b4ff-4aca-a9d6-9407bea655f4
You can skip this step if you already have the application key.
This API returns all the available applications in the infrastructure along with the application key.
Request: GET /lifetimeapi/rest/v2/applications/
Response body:
```json
[
  {...},
  {
    "Key": "c9a7a82e-0eee-4a3d-8e22-2a19c69c766f",
    "Name": "EmployeeBackoffice",
    "Kind": "WebResponsive",
    "Team": "",
    "Description": "",
    "URLPath": "/EmployeeBackoffice",
    "IconHash": "IconHash6a79e71e-c8e5-9e18-115c-cab789517672",
    "IconURL": "/LifeTimeSDK/ApplicationIcon.aspx?ApplicationKey=c9a7a82e-0eee-4a3d-8e22-2a19c69c766f",
    "IsSystem": false,
    "AppStatusInEnvs": []
  },
  {...}
]
```
In this example, you request the source code for the EmployeeBackoffice application.
Take note of the application key to use it in the upcoming API calls.
Example "EmployeeBackoffice" application key: c9a7a82e-0eee-4a3d-8e22-2a19c69c766f
This API returns the package key for an application on a given environment.
POST /environments/{EnvironmentKey}/applications/{ApplicationKey}/sourcecodeaccess
Replace the {EnvironmentKey} and {ApplicationKey} with values retrieved from Step 1 and Step 2 and make a request:
POST /lifetimeapi/rest/v2/environments/849515f2-b4ff-4aca-a9d6-9407bea655f4/applications/c9a7a82e-0eee-4a3d-8e22-2a19c69c766f/sourcecodeaccess
Response body:
```json
{
  "PackageKey": "bc354abb-6691-41ee-9ed3-9454747e2d4d",
  "Status": "InProgress",
  "Messages": []
}
```
In this example, you request the source code for the EmployeeBackoffice application.
Take note of the package key to use it in the upcoming API calls.
Example package key: bc354abb-6691-41ee-9ed3-9454747e2d4d
Get the status of the application source code package.
GET /environments/{EnvironmentKey}/applications/{ApplicationKey}/sourcecodeaccess/{PackageKey}/status
Replace the {EnvironmentKey}, {ApplicationKey}, and {PackageKey} with values retrieved from Step 1, Step 2, and Step 3 and make a request:
GET /lifetimeapi/rest/v2/environments/849515f2-b4ff-4aca-a9d6-9407bea655f4/applications/c9a7a82e-0eee-4a3d-8e22-2a19c69c766f/sourcecodeaccess/bc354abb-6691-41ee-9ed3-9454747e2d4d/status
Example response body:
```json
{
  "PackageKey": "bc354abb-6691-41ee-9ed3-9454747e2d4d",
  "Status": "Done",
  "Messages": [
    {
      "Id": "",
      "Message": "Source Code Access",
      "Detail": "Source code access for application 'TestSourceCode'.",
      "HelpRef": 0,
      "ExtraInfo": "",
      "Type": "Info",
      "Submitable": false
    },
    {
      "Id": "",
      "Message": "Preparing Source Code",
      "Detail": "Preparing module 'TestSourceCode' source code for access.",
      "HelpRef": 0,
      "ExtraInfo": "",
      "Type": "Info",
      "Submitable": false
    },
    {...}
  ]
}
```
Get the download link of the application source code package.
GET /environments/{EnvironmentKey}/applications/{ApplicationKey}/sourcecodeaccess/{PackageKey}/download
Replace the {EnvironmentKey}, {ApplicationKey}, and {PackageKey} with values retrieved from Step 1, Step 2, and Step 3 and make the following request:
GET /lifetimeapi/rest/v2/environments/849515f2-b4ff-4aca-a9d6-9407bea655f4/applications/c9a7a82e-0eee-4a3d-8e22-2a19c69c766f/sourcecodeaccess/bc354abb-6691-41ee-9ed3-9454747e2d4d/download
Response body:
```json
{
  "url": "https://hostname.outsystems.com/lifetimeapi/rest/v2/downloads/f4ee541b-5791-4997-a56d-360d80c24821",
  "expires": "2022-12-21T17:00:00Z"
}
```
The response contains the link to download the source code package of the application.
Use the URL obtained in the previous step to get the source code package of the application. The download link is a call to a LifeTime API, and the authentication token is mandatory for the request. The API method "template" URL used to download the application source code package is:
GET /lifetimeapi/rest/v2/downloads/{DownloadKey}
Replace the {DownloadKey} with the value from the download URL, or call the full URL received in the previous step.
GET /lifetimeapi/rest/v2/downloads/f4ee541b-5791-4997-a56d-360d80c24821
If you are unable to download the source code of the application, refer to the Unable to download the source code of an application article.
To request the source code of a module, follow these steps:
1. Get the environment key of the environment where you want to request the module source code (skip this step if you already have this information).
2. Get the module key of the module whose source code you want to request (skip this step if you already have this information).
3. Get the package key of the source code you want to request.
4. Check the status of the source code packaging you want to request.
5. Get the download link of the source code package.
6. Download the source code package.
This step is optional; call the API only if you don't know the environment key.
This API returns all the environments available on your infrastructure.
Request: GET /lifetimeapi/rest/v2/environments/
Response body:
```json
[
  {...},
  {
    "Key": "849515f2-b4ff-4aca-a9d6-9407bea655f4",
    "Name": "Testing",
    "OSVersion": "11.18.1.0",
    "Order": 2,
    "HostName": "hostname.outsystems.com",
    "UseHTTPS": true,
    "EnvironmentType": "Test",
    "NumberOfFrontEnds": 1,
    "ApplicationServerType": ".NET",
    "ApplicationServer": "IIS",
    "DatabaseProvider": "SQLServer",
    "IsCloudEnvironment": true,
    "IsOffline": false
  },
  {...}
]
```
In this request example, the source code of a module is requested from the Testing environment.
Take note of the environment key to use it in the upcoming API calls.
Example of an environment key: 849515f2-b4ff-4aca-a9d6-9407bea655f4
You can skip this step if you already have the module key.
This API returns all the available modules in the infrastructure along with the module key.
Request: GET /lifetimeapi/rest/v2/modules/
Response body:
```json
[
  {...},
  {
    "Key": "c9a7a82e-0eee-4a3d-8e22-2a19c69c766f",
    "Name": "EmployeeBackoffice",
    "Description": "",
    "Kind": "eSpace",
    "ModuleStatusInEnv": []
  },
  {...}
]
```
In this example, you request the source code for the EmployeeBackoffice module.
Take note of the module key to use it in the upcoming API calls.
Example "EmployeeBackoffice" module key: c9a7a82e-0eee-4a3d-8e22-2a19c69c766f
This API returns the package key for a module on a given environment.
POST /environments/{EnvironmentKey}/modules/{ModuleKey}/sourcecodeaccess
Replace the {EnvironmentKey} and {ModuleKey} with values retrieved from Step 1 and Step 2 and make a request:
POST /lifetimeapi/rest/v2/environments/849515f2-b4ff-4aca-a9d6-9407bea655f4/modules/c9a7a82e-0eee-4a3d-8e22-2a19c69c766f/sourcecodeaccess
Response body:
```json
{
  "PackageKey": "bc354abb-6691-41ee-9ed3-9454747e2d4d",
  "Status": "InProgress",
  "Messages": []
}
```
In this example, you request the source code for the EmployeeBackoffice module.
Take note of the package key to use it in the upcoming API calls.
Example package key: bc354abb-6691-41ee-9ed3-9454747e2d4d
Get the status of the source code package.
GET /environments/{EnvironmentKey}/modules/{ModuleKey}/sourcecodeaccess/{PackageKey}/status
Replace the {EnvironmentKey}, {ModuleKey}, and {PackageKey} with values retrieved from Step 1, Step 2, and Step 3 and make a request:
GET /lifetimeapi/rest/v2/environments/849515f2-b4ff-4aca-a9d6-9407bea655f4/modules/c9a7a82e-0eee-4a3d-8e22-2a19c69c766f/sourcecodeaccess/bc354abb-6691-41ee-9ed3-9454747e2d4d/status
Example response body:
```json
{
  "PackageKey": "bc354abb-6691-41ee-9ed3-9454747e2d4d",
  "Status": "Done",
  "Messages": [
    {
      "Id": "",
      "Message": "Source Code Access",
      "Detail": "Gathering source code of 'EmployeeBackoffice'.",
      "HelpRef": 0,
      "ExtraInfo": "",
      "Type": "Info",
      "Submitable": false
    },
    {...}
  ]
}
```
Get the download link of the source code package.
GET /environments/{EnvironmentKey}/modules/{ModuleKey}/sourcecodeaccess/{PackageKey}/download
Replace the {EnvironmentKey}, {ModuleKey}, and {PackageKey} with values retrieved from Step 1, Step 2, and Step 3 and make the following request:
GET /lifetimeapi/rest/v2/environments/849515f2-b4ff-4aca-a9d6-9407bea655f4/modules/c9a7a82e-0eee-4a3d-8e22-2a19c69c766f/sourcecodeaccess/bc354abb-6691-41ee-9ed3-9454747e2d4d/download
Response body:
```json
{
  "url": "https://hostname.outsystems.com/lifetimeapi/rest/v2/downloads/f4ee541b-5791-4997-a56d-360d80c24821",
  "expires": "2022-12-21T17:00:00Z"
}
```
The response contains the link to download the source code package of the module.
Use the URL obtained in the previous step to get the source code package of the module. The download link is a call to a LifeTime API, and the authentication token is mandatory for the request. The API method "template" URL used to download the source code package is:
GET /lifetimeapi/rest/v2/downloads/{DownloadKey}
Replace the {DownloadKey} with the value from the download URL, or call the full URL received in the previous step.
GET /lifetimeapi/rest/v2/downloads/f4ee541b-5791-4997-a56d-360d80c24821
If you are unable to download the source code, refer to the Unable to download the source code article.
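The application and module procedures above use the same request, status, download-link, and download calls, so a pipeline stage can script them once. The following Python is an added example, not OutSystems code: the function names and the `kind` parameter are hypothetical, it assumes the service account token is sent as an `Authorization: Bearer` header, and it treats any status other than the `InProgress` and `Done` values shown above as a failure. Because the download request carries the token, it also checks that the returned link is unexpired and points at the LifeTime host before calling it.

```python
import json
import time
import urllib.request
from datetime import datetime, timezone
from urllib.parse import urlsplit

API = "/lifetimeapi/rest/v2"

def http_call(token):
    """Build call(method, url) that sends the token (Bearer header is an assumption)."""
    def call(method, url):
        req = urllib.request.Request(
            url, method=method, data=b"" if method == "POST" else None,
            headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=60) as resp:
            return resp.read()
    return call

def check_download_link(link, lifetime_host, now=None):
    """Reject links that are expired or would send the token to another host."""
    parts = urlsplit(link["url"])
    if parts.scheme != "https" or parts.hostname != lifetime_host.lower():
        raise ValueError(f"download URL is not https on {lifetime_host}")
    if not parts.path.startswith(f"{API}/downloads/"):
        raise ValueError("download URL is not a LifeTime downloads endpoint")
    expires = datetime.fromisoformat(link["expires"].replace("Z", "+00:00"))
    if expires <= (now or datetime.now(timezone.utc)):
        raise ValueError("download link has expired")
    return link["url"]

def fetch_source_package(call, lifetime_host, env_key, item_key,
                         kind="applications", poll_seconds=5, max_polls=60, now=None):
    """Steps 3 to 6: request the package, poll its status, get the link, download.
    kind is "applications" or "modules"; returns the package bytes."""
    base = (f"https://{lifetime_host}{API}/environments/{env_key}"
            f"/{kind}/{item_key}/sourcecodeaccess")
    job = json.loads(call("POST", base))
    for _ in range(max_polls):
        if job["Status"] != "InProgress":
            break
        time.sleep(poll_seconds)
        job = json.loads(call("GET", f"{base}/{job['PackageKey']}/status"))
    if job["Status"] != "Done":
        raise RuntimeError(f"packaging not done, last status: {job['Status']}")
    link = json.loads(call("GET", f"{base}/{job['PackageKey']}/download"))
    # The token is only sent to the link after it passes the host and expiry checks.
    return call("GET", check_download_link(link, lifetime_host, now))
```

In a pipeline, pass `http_call(token)` as `call` and write the returned bytes to the location your SAST tool scans.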
When reviewing static code analysis results, you must note that each static code analysis tool can report findings without proper context. These findings must be reviewed to detect false positives. You can consult the experts in OutSystems development to help understand these findings with proper context.
For more information on why certain findings should be considered false positives, refer to Static application security testing.