The newest version of Mixeway introduces several new features. Probably the most important is Mixeway Scanner, which aggregates the most popular open-source SAST scanners in a single Docker image and provides one unified way to run them.
Another big announcement is that the online version of Mixeway has been released and is available at https://hub.mixeway.io. At this stage the online version has some limitations, but you can now choose whether you want to use the on-premise version (docker-compose) or the online one (hub.mixeway.io).
In this part of the tutorial I would like to show you how easy it is to add a step to your GitHub Actions workflow or GitLab CI pipeline that performs a complete SAST scan (including dependency verification) on every push.
Before you proceed, a couple of things have to be set up first.
1. Get an API key for the Sonatype OSS Index. It requires registration, but the whole process is free. This step is required to use the full power of OWASP Dependency Track, which is included in MixewayScanner. Go to https://ossindex.sonatype.org, click Register, fill in the form and confirm your email, then click the button at the top right; your API key is shown there:

2. Get an API key for Mixeway. Visit https://hub.mixeway.io (at the moment registration is possible only with GitHub SSO). Click your profile name, choose Profile and click Generate new API key:

Preparation is done; now the main part.
For GitHub integration
The first step is to prepare the secrets. Open your repository, go to Settings -> Secrets and add the following variables (secrets are masked in job logs, so never paste the keys into the workflow file itself):

Now we are set to go. To enable GitHub Actions we have to create the .github/workflows directory (note the plural; GitHub only picks up workflow files from that exact path) in the root of the repository. Create the file .github/workflows/mixeway.yml with the following content:
```yaml
name: Mixeway Scanner SAST
on: push
jobs:
  mixeway-scan:
    name: SAST testing
    runs-on: ubuntu-latest
    steps:
      # The exact version tag of actions/checkout was lost when this post was
      # extracted; v2 is assumed here.
      - uses: actions/checkout@v2
      - name: Prepare variables
        id: vars
        shell: bash
        # The original post used the now-deprecated ::set-output commands;
        # writing to $GITHUB_OUTPUT is the current equivalent.
        run: |
          echo "branch=${GITHUB_REF#refs/heads/}" >> "$GITHUB_OUTPUT"
          echo "sha_short=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"
      - name: Prepare Mixeway docker image
        run: |
          docker pull mixeway/scanner:latest
      - name: Run Scan
        # MIXEWAY_KEY / MIXEWAY_PROJECT_NAME are passed to match the GitLab job
        # further down; the secret name mixeway_key is assumed. Leave both out
        # if you only want the results printed to the job log.
        run: |
          docker run -e MODE=STANDALONE \
            -e OSS_USERNAME=${{ secrets.oss_username }} \
            -e OSS_KEY=${{ secrets.oss_key }} \
            -e COMMIT_ID=${{ steps.vars.outputs.sha_short }} \
            -e BRANCH=${{ steps.vars.outputs.branch }} \
            -e MIXEWAY_PROJECT_NAME=${{ github.event.repository.name }} \
            -e MIXEWAY_KEY=${{ secrets.mixeway_key }} \
            -v $PWD:/opt/sources mixeway/scanner:latest
```
This workflow is triggered on every push. It determines the current branch and commit SHA, pulls the scanner image and runs the MixewayScanner container against the checked-out sources mounted at /opt/sources.
For GitLab-CI integration
As with GitHub, we first have to add our variables, which should never be stored in cleartext in the repository. Go to Settings -> CI/CD -> Variables and add them; tick Masked so the values are hidden in job logs, and Protected if only protected branches should be able to use them:

To enable GitLab CI in your project, create the file .gitlab-ci.yml in the root of the repository with the following content:
```yaml
# The job needs a runner that is allowed to run Docker (for example a
# privileged runner or docker-in-docker).
image: gitlab/dind
stages:
  - run

MixewayRun:
  stage: run
  script:
    - |
      docker run -e MODE=STANDALONE \
        -e OSS_USERNAME=$OSS_USERNAME \
        -e OSS_KEY=$OSS_KEY \
        -e COMMIT_ID=$CI_COMMIT_SHA \
        -e BRANCH=$CI_COMMIT_REF_NAME \
        -e MIXEWAY_PROJECT_NAME=$CI_PROJECT_NAME \
        -e MIXEWAY_KEY=$MIXEWAY_KEY \
        -v $(pwd):/opt/sources mixeway/scanner:latest
```
Online Mixeway Hub Integration
Mixeway Scanner can upload scan results to the online Mixeway (following the instructions above), to an on-premise instance (set MIXEWAY_URL to point at your installation), or just print the results to the console (do not pass any MIXEWAY_ variable to the container). All options of Mixeway Scanner are documented on GitHub (https://github.com/mixeway/mixewayscanner) and on Docker Hub (https://hub.docker.com/repository/docker/mixeway/scanner).
If you decide to upload the results to Mixeway Online, they are available at hub.mixeway.io. After logging in, click on the project named CICD Project, which is created automatically:
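The same docker run command appears in both the GitHub and GitLab jobs above, and the three upload modes in this paragraph are selected purely by which MIXEWAY_ variables are present. The wrapper script below, an added example that is not part of Mixeway or of the original post, puts that logic in one place so it can be called from either CI system: it takes commit and branch from the CI variables of whichever system is running (falling back to git), decides between hub, on-premise and console mode from MIXEWAY_URL and MIXEWAY_KEY, refuses a non-HTTPS MIXEWAY_URL, and passes the secrets as `-e NAME` (no value), so Docker reads them from the environment and they never show up in the job log or in `ps` output. The function names, the exit codes and the `run`/`dry-run` arguments are this example's own choices; the environment variable names are the ones the post uses.

```shell
#!/bin/sh
# mixeway-scan.sh: CI-agnostic wrapper around the mixeway/scanner container.
# Added example, not Mixeway's own tooling. Assumed: the scanner treats a
# missing MIXEWAY_* as "print results to console" (as the post describes).

# Commit id: prefer the CI-provided value, fall back to git in the workspace.
resolve_commit_id() {
  if [ -n "${CI_COMMIT_SHA:-}" ]; then printf '%s' "$CI_COMMIT_SHA"
  elif [ -n "${GITHUB_SHA:-}" ]; then printf '%s' "$GITHUB_SHA"
  else git rev-parse HEAD; fi
}

# Branch name: GitLab exports it directly, GitHub only exposes refs/heads/<name>.
resolve_branch() {
  if [ -n "${CI_COMMIT_REF_NAME:-}" ]; then printf '%s' "$CI_COMMIT_REF_NAME"
  elif [ -n "${GITHUB_REF:-}" ]; then printf '%s' "${GITHUB_REF#refs/heads/}"
  else git rev-parse --abbrev-ref HEAD; fi
}

# Where results go, mirroring the three options in the post:
#   onprem  - MIXEWAY_URL set (own instance, key required)
#   hub     - MIXEWAY_KEY set, no URL (hub.mixeway.io)
#   console - neither set (print only)
upload_target() {
  if [ -n "${MIXEWAY_URL:-}" ]; then printf 'onprem'
  elif [ -n "${MIXEWAY_KEY:-}" ]; then printf 'hub'
  else printf 'console'; fi
}

# Fail fast on a broken configuration instead of burning CI minutes.
# Exit codes are this script's own convention.
check_config() {
  if [ -z "${OSS_USERNAME:-}" ] || [ -z "${OSS_KEY:-}" ]; then
    echo "OSS_USERNAME/OSS_KEY not set: register at ossindex.sonatype.org" >&2
    return 1
  fi
  if [ -n "${MIXEWAY_URL:-}" ] && [ -z "${MIXEWAY_KEY:-}" ]; then
    echo "MIXEWAY_URL is set but MIXEWAY_KEY is missing" >&2
    return 2
  fi
  if [ -n "${MIXEWAY_URL:-}" ]; then
    case "$MIXEWAY_URL" in
      https://*) ;;
      *) echo "refusing to send results over non-TLS MIXEWAY_URL" >&2; return 3 ;;
    esac
  fi
  return 0
}

# Build the -e flags for docker run. Non-secret values are inlined; secrets
# are passed by name only ("-e OSS_KEY"), which makes Docker copy them from
# the environment without echoing them anywhere.
build_env_flags() {
  flags="-e MODE=STANDALONE -e COMMIT_ID=$(resolve_commit_id) -e BRANCH=$(resolve_branch)"
  flags="$flags -e OSS_USERNAME -e OSS_KEY"
  if [ -n "${MIXEWAY_PROJECT_NAME:-}" ]; then
    flags="$flags -e MIXEWAY_PROJECT_NAME"
  fi
  case "$(upload_target)" in
    hub)    flags="$flags -e MIXEWAY_KEY" ;;
    onprem) flags="$flags -e MIXEWAY_KEY -e MIXEWAY_URL" ;;
    console) ;;
  esac
  printf '%s' "$flags"
}

run_scan() {
  check_config || return $?
  # shellcheck disable=SC2046  (word splitting of the flag string is intended)
  docker run $(build_env_flags) -v "$(pwd):/opt/sources" mixeway/scanner:latest
}

# "./mixeway-scan.sh run" performs the scan; "dry-run" only prints the command
# (safe to paste into a job log: it contains no secret values).
case "${1:-}" in
  run)     run_scan ;;
  dry-run) check_config
           echo "docker run $(build_env_flags) -v $(pwd):/opt/sources mixeway/scanner:latest" ;;
esac
```

In a GitHub job you would call it as `./mixeway-scan.sh run` from a step whose `env:` maps the repository secrets to OSS_USERNAME, OSS_KEY and MIXEWAY_KEY; in GitLab the masked CI/CD variables are already in the environment, so the script line is the same.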

Feedback
It is really important for us to hear back from you: the more feedback we get, the more adjustments we can make. The preferred ways of contacting us are Twitter (Mixeway1) or GitHub Issues.
IT security expert, DevSecOps enthusiast, Java developer in his spare time, Mixeway lead architect and PhD candidate at Warsaw University of Technology in the field of machine learning techniques in cybersecurity.