Newest version of Mixeway introduced new cool features of which probably the most important is Mixeway Scanner which aggregate most popular OpenSource SAST scanners in one docker image and provide unified way to perform the test.

Another big announcement is that the Online version of Mixeway is released and is possible to access: – at this stage, this version has some limitations but now You have a possibility to choose wether You want to use on-premise version (docker-compose) or online (

In this part of tutorial I would like to show You how easy it is to introduce step to your GitHub Action workflow or Gitlab-CI script to enable complete SAST scan (including dependency verification) to Your workflow.

Before You proceed there is a couple of things that has to be set up first.

  1. Get API Key for the Sonatype OSS index, it requires registration but the whole process is free. This step is required to use the full power of OWASP Dependency Track which is included in MixewayScanner. Go to click register, fill the form and confirm Your email, click the button at top-right, and Your API key is here:

2. Get API Key for Mixeway. Visit, at this moment registration is possible only with GitHub SSO. Click profile name and choose profile and click on generate new API key

Preparation is done now the main part.

For GitHub integration

First step is to prepare secrets. Open Your repository, then go Settings -> Secrets and add variables:

Now we are set to go. To enable GitHub actions we have to create .github/workflow directory inside of our root directory. Create file under .github/workflow/mixeway.yml with content of:

name: Mixeway Scanner SAST

on: push

    name: SAST testing
    runs-on: ubuntu-latest
      - uses: actions/[email protected]
      - name: Prepare variables
        id: vars
        shell: bash
        run: |
          echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
          echo "::set-output name=sha_short::$(git rev-parse HEAD)"
      - name: Prepare Mixeway docker image
        run: |
          docker pull mixeway/scanner:latest
      - name: Run Scan
        run: |
          docker run -e MODE=STANDALONE -e OSS_USERNAME=${{ secrets.oss_username }} -e OSS_KEY=${{ secrets.oss_key }} -e COMMIT_ID=${{ steps.vars.outputs.sha_short }} -e BRANCH=${{ steps.vars.outputs.branch }} -v $PWD:/opt/sources mixeway/scanner:latest

This workflow is set to be triggered on every push of code, it get variables like current branch, commit sha and project name and run docker container of MixewayScanner.

For GitLab-CI integration

Similarly as GitHub we have to put our variables which should never be stored in cleartext in our repository:

To Enable gitlab-ci in Your project You have to create file .gitlab-ci.yml with content:

image: gitlab/dind
  - run

  stage: run

Online Mixeway Hub Integration

Mixeway scanner can upload scan results into online mixeway (following instruction put above), into the on-premise instance (just set MIXEWAY_URL to point into Your installation) or just print results on console (don’t provide any MIXEWAY_ variable to docker). All options of Mixeway Scanner are available at GitHub (, or DockerHub (

If You decide to upload results to Mixeway Online they are available at after login click on the project name CICD Project which is automatically created project:


It is really important for us to hear back from You. More feedback we get more adjustments can be created. The preferred way of contacting is Twitter (Mixeway1) or GitHub Issues.


Comments are closed