It is said that if you want to take the security of your source code seriously, you have to invest a lot in a proper toolset. Commercial SAST scanners are really comfortable to use: they support the most popular programming languages, reporting is easy, and integrations with, for example, bug trackers are already there. Quite the opposite of using open-source solutions for this purpose.
But… does it have to be like this?
We have prepared a Docker image that contains the most popular open-source vulnerability scanners (v0.9.3):
- Dependency scans (Dependency Track – https://github.com/DependencyTrack/dependency-track)
- Java (spotbugs – https://github.com/spotbugs/spotbugs)
- Python (bandit – https://github.com/PyCQA/bandit)
- PHP (progpilot – https://github.com/designsecurity/progpilot)
as well as a Spring Boot application that takes care of the logic of performing a scan, which consists of two phases: a dependency scan and a source code scan.
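To make the two-phase idea concrete, here is an added toy planner (not Mixeway's own code, whose Spring Boot orchestration is not reproduced here). It walks a mounted source tree once, decides which dependency ecosystems and which of the bundled SAST tools apply, and emits a dependency phase followed by one source-scan step per detected language. The manifest-to-ecosystem and extension-to-tool mappings, the `ScanStep` type and the sample project are assumptions made for the illustration:

```python
"""Toy two-phase scan planner: a dependency phase followed by a per-language
source-code phase, mirroring the flow the post describes. Illustration only;
this is not the scanner's real orchestration logic."""
from __future__ import annotations

import os
import tempfile
from dataclasses import dataclass

# Manifest files that imply a dependency ecosystem (assumed mapping).
DEPENDENCY_MANIFESTS = {
    "pom.xml": "maven",
    "build.gradle": "gradle",
    "requirements.txt": "pip",
    "setup.py": "pip",
    "composer.json": "composer",
}

# Source-file extensions mapped to the SAST tool bundled for that language.
SOURCE_SCANNERS = {
    ".java": "spotbugs",
    ".py": "bandit",
    ".php": "progpilot",
}


@dataclass(frozen=True)
class ScanStep:
    phase: str   # "dependency" or "source"
    tool: str    # scanner responsible for this step
    target: str  # path the scanner is pointed at


def detect(root: str) -> tuple[set[str], set[str]]:
    """Walk the source tree once and collect the dependency ecosystems and the
    SAST tools that apply. Hidden directories such as .git are skipped so that
    vendored or tool-internal files do not trigger a scanner."""
    ecosystems: set[str] = set()
    tools: set[str] = set()
    for _dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if not d.startswith(".")]
        for name in filenames:
            if name in DEPENDENCY_MANIFESTS:
                ecosystems.add(DEPENDENCY_MANIFESTS[name])
            tool = SOURCE_SCANNERS.get(os.path.splitext(name)[1])
            if tool:
                tools.add(tool)
    return ecosystems, tools


def plan(root: str) -> list[ScanStep]:
    """Phase 1: a single dependency-scan step if any manifest was found.
    Phase 2: one source-scan step per detected language, in sorted order so
    that CI logs stay stable from run to run."""
    ecosystems, tools = detect(root)
    steps: list[ScanStep] = []
    if ecosystems:
        steps.append(ScanStep("dependency", "dependency-track", root))
    for tool in sorted(tools):
        steps.append(ScanStep("source", tool, root))
    return steps


def make_sample_project() -> str:
    """Constructed fixture: a Maven project with one Python helper script and a
    PHP file hidden under .git that must be ignored by the planner."""
    root = tempfile.mkdtemp(prefix="scanplan-")
    os.makedirs(os.path.join(root, "src", "main", "java"))
    open(os.path.join(root, "pom.xml"), "w").close()
    open(os.path.join(root, "src", "main", "java", "App.java"), "w").close()
    open(os.path.join(root, "tools.py"), "w").close()
    os.makedirs(os.path.join(root, ".git"))
    open(os.path.join(root, ".git", "config.php"), "w").close()
    return root


if __name__ == "__main__":
    for step in plan(make_sample_project()):
        print(f"[{step.phase}] {step.tool} -> {step.target}")
```

Running the script on the constructed project yields a dependency step followed by `bandit` and `spotbugs` source steps; the PHP file under `.git` does not add a `progpilot` step, which is the behaviour you want when build or VCS metadata lives inside the mounted directory.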
Mixeway Scanner can work in two modes:
- Standalone – with minimal configuration: simply run the Docker container, mounting the directory where the code is, and that’s all. The scan result is printed to the console.
- REST API – more configuration, but the API listens for requests all the time.
It is also possible to export scan results to Mixeway.
Running SAST scans in a CI/CD pipeline has never been so easy! No commercial software required: just run the Mixeway Scanner Docker image at the test stage of your application build and get results within 3-4 minutes.
How does it work? Check it out:
More information about configuration and installation can be found on
Don’t forget to give a “Star” on GitHub or DockerHub if you think this project is interesting.
The more feedback we get, the better solutions we prepare!
IT Security Expert, DevSecOps enthusiast, Java developer in spare time, Mixeway lead architect and PhD candidate at Warsaw University of Technology in the field of machine learning techniques in cybersecurity.