Run vulnerability scans from within the CI/CD pipeline
It does not matter which vulnerability scanners you are using. With the Mixeway integration, running scans from the CI/CD pipeline looks exactly the same regardless of the scanning software behind it.
Security Quality Gateway
Would you like to implement a security policy that does not allow CI to build an application if it contains vulnerabilities? Would you like to make sure that the image being deployed went through the full security testing phase? Both are possible with Mixeway.
Although vulnerability management is not the main focus of Mixeway, it still provides some of that functionality: you can browse findings, view dashboard statistics, or create JIRA tickets just by clicking on an issue.
Is your organization using a number of vulnerability scanning solutions but struggling to fit them into DevOps pipelines? Are DevOps engineers complaining about the complexity of enabling security tools in CI/CD pipelines? Are you tired of configuring scans for the same assets over and over again? If the answer to at least one of these is yes, you should take a closer look at Mixeway.
Mixeway is software made by application security experts and designed to be used by application security experts. The DevOps tooling ecosystem can now use more sophisticated tools to integrate CI/CD with vulnerability scanners. Integrations with both commercial and open-source solutions make it possible to fit Mixeway into almost any team.
Vulnerability scanner integrations
Using a vulnerability scanner's REST API directly to build a flow that configures a scan, runs it, and fetches the results can be really painful (it often takes more than five HTTP requests).
With Mixeway working as the orchestrator, integrations are done in a flexible way: whatever scanners run in your backend, the integration between CI and Mixeway always looks the same.
The number of integrations is continuously increasing. The scope of each scanner plugin covers:
– Scan configuration – one of the activities that takes the most time. It can all be automated, so this step is obligatory for a scanner plugin.
– Scan execution – this operation is not as complicated as configuration, but the triggering part is: before build, after build, before merge or after merge. It is all customizable.
– Loading vulnerabilities – whatever is found has to be fixed. You have several options for reporting findings: share them via the API, create JIRA tickets automatically, and more.
Security Quality Gateway
Testing is the key to continuous deployment, and in the end each set of tests should be enforced through a quality gateway.
One of the key elements of Mixeway is the Security Quality Gateway. This component verifies whether scan results meet a given security policy, so the CI/CD pipeline can decide whether to build or run an application based on the security testing results.
By default the security quality gateway returns:
– OK – if all tests were executed and no critical vulnerabilities have been found
– NOT OK – if one or more parts of the test are missing (for example, a deployment is being done without performing a test) or the results for an application contain critical vulnerabilities
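The two rules above are easy to get subtly wrong in a home-grown CI step (a skipped scan is usually reported as "zero findings", which a naive check treats as a pass). The following is an added illustration of the gateway logic, not Mixeway's own code or API: the result dictionary shape, the field names and the sample scan runs are all constructed for this example. It returns NOT OK both when a required test did not execute and when any finding has a blocking severity, and maps the verdict to a process exit code so the pipeline can stop the build.

```python
"""Security quality gateway check.

Added illustration, not Mixeway's own code. The policy fields, the result
dictionary shape and the sample runs below are hypothetical.
"""
from dataclasses import dataclass, field

# Test types the gateway expects to see; these mirror the three categories
# of vulnerabilities the page says can be stored (assumed names).
REQUIRED_TESTS = ("source_code", "web_application", "network_service")
# Severities that block the pipeline; the page's default is critical only.
BLOCKING_SEVERITIES = ("critical",)


@dataclass
class GatewayResult:
    status: str                      # "OK" or "NOT OK"
    reasons: list = field(default_factory=list)


def evaluate_gateway(scan_results, required_tests=REQUIRED_TESTS,
                     blocking_severities=BLOCKING_SEVERITIES):
    """Return OK only if every required test actually executed and no
    finding carries a blocking severity.

    Each entry of scan_results is a dict (hypothetical shape):
      {"test": <type>, "executed": bool, "findings": [{"title": ..., "severity": ...}]}
    A test that is absent from the list, or present with executed=False,
    counts as missing; an empty findings list is NOT treated as a pass.
    """
    reasons = []
    seen = {r["test"]: r for r in scan_results}

    # Rule 1: every required test must have run.
    for test in required_tests:
        result = seen.get(test)
        if result is None or not result.get("executed", False):
            reasons.append(f"missing test: {test}")

    # Rule 2: no finding of a blocking severity in any executed test.
    for test, result in seen.items():
        for finding in result.get("findings", []):
            severity = str(finding.get("severity", "")).lower()
            if severity in blocking_severities:
                title = finding.get("title", "unnamed")
                reasons.append(f"{test}: {title} ({severity})")

    return GatewayResult("OK" if not reasons else "NOT OK", reasons)


def ci_exit_code(result):
    """Map the gateway verdict to a process exit code so CI fails the build."""
    return 0 if result.status == "OK" else 1


# Constructed sample runs (not real scanner output).
PASSING_RUN = [
    {"test": "source_code", "executed": True,
     "findings": [{"title": "Hardcoded salt", "severity": "medium"}]},
    {"test": "web_application", "executed": True, "findings": []},
    {"test": "network_service", "executed": True,
     "findings": [{"title": "TLS 1.0 enabled", "severity": "low"}]},
]

# DAST was skipped and the network scan never ran: must be NOT OK even
# though there are no findings at all.
MISSING_TEST_RUN = [
    {"test": "source_code", "executed": True, "findings": []},
    {"test": "web_application", "executed": False, "findings": []},
]

CRITICAL_RUN = [
    {"test": "source_code", "executed": True,
     "findings": [{"title": "SQL injection in login", "severity": "critical"}]},
    {"test": "web_application", "executed": True, "findings": []},
    {"test": "network_service", "executed": True, "findings": []},
]

if __name__ == "__main__":
    import sys
    for name, run in (("passing", PASSING_RUN),
                      ("missing", MISSING_TEST_RUN),
                      ("critical", CRITICAL_RUN)):
        verdict = evaluate_gateway(run)
        print(f"{name:9} {verdict.status:7} {verdict.reasons}")
    # In a real pipeline step this would be the run being deployed.
    sys.exit(ci_exit_code(evaluate_gateway(PASSING_RUN)))
```

The important design choice is that "missing" is decided by whether the test executed, not by whether it produced findings; a scanner that crashed or was never triggered otherwise looks identical to a clean scan, which is exactly the "deployment without a test" case the gateway exists to catch.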
Thanks to its number of integrations, Mixeway can store vulnerabilities of:
– Source code
– Web applications
– Network services
The state of each vulnerability is tracked.
Reporting is available only as an email with the vulnerability trend within a particular project, or via the JIRA plugin, which pushes a vulnerability into the bug tracker.
Want to be part of the team? Start contributing now!
Check out the articles our team has prepared. They cover the DevSec, AppSec and DevSecOps areas.