Built in scan engines
This document provides an overview of the built-in, configured, and optimized vulnerability scanners available in Mixeway Flow. It covers four key types of security scanning: Static Application Security Testing (SAST), Software Composition Analysis (SCA), Infrastructure as Code (IaC) scanning, and secret leak detection. Each section details the purpose of the scanner, its functionality, and the requirements for triggering scans, ensuring that developers can effectively integrate these tools into their software development lifecycle.
SAST – Engine: Bearer (https://github.com/Bearer/bearer)
SAST (Static Application Security Testing) is a security technique that analyzes source code, bytecode, or binary code for vulnerabilities without executing the program. It identifies security flaws at the code level early in the development process, allowing developers to fix issues before the code is deployed. SAST scans are essential for detecting common vulnerabilities like SQL injection, cross-site scripting (XSS), and insecure coding practices.
A SAST scan runs on the source code written by the team's developers, looking for code locations that could give rise to injection flaws or other vulnerabilities.
Scan Requirements
- None. The scan is performed for every change without any conditions.
SCA – Engine: SBOM & OWASP Dependency Track (https://github.com/DependencyTrack/dependency-track)
SCA (Software Composition Analysis) is a security practice that identifies and manages vulnerabilities in open-source and third-party components within a software project. By analyzing the software’s dependencies, SCA tools detect known vulnerabilities, license compliance issues, and outdated libraries. This helps ensure that the software remains secure and compliant with industry standards, especially when using external code that may introduce risks into the project.
Integrating SCA scanning into your software development lifecycle helps you properly manage dependencies you introduce to the codebase.
Scan Requirements
- In order to trigger the SCA engine, there must be an sbom.json file located in the root of the repository. More information is given in the next chapter.
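A pre-commit check, added here as an example and not part of Mixeway Flow itself, that reports which of the four engines would run for a repository and sanity-checks sbom.json before SCA is relied on. It assumes the SBOM is CycloneDX JSON (the format Dependency-Track ingests); the page only requires that the file exists in the repository root.

```python
import json
from pathlib import Path

# Engines that run on every change; only SCA has a trigger condition.
UNCONDITIONAL_ENGINES = ("SAST (Bearer)", "IaC (KICS)", "Secret leaks (Gitleaks)")


def sbom_problems(sbom_path: Path) -> list[str]:
    """Return reasons the SBOM looks unusable; an empty list means it looks fine.
    Assumption: CycloneDX JSON, which is what Dependency-Track consumes."""
    problems = []
    try:
        data = json.loads(sbom_path.read_text(encoding="utf-8"))
    except (OSError, ValueError) as exc:
        return [f"sbom.json is not readable JSON: {exc}"]
    if data.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is not 'CycloneDX'")
    components = data.get("components")
    if not isinstance(components, list) or not components:
        problems.append("no components listed; SCA would have nothing to analyse")
    else:
        # Dependency-Track matches vulnerabilities on the package URL (purl).
        missing = [c.get("name", "?") for c in components if "purl" not in c]
        if missing:
            problems.append(f"components without a purl: {missing}")
    return problems


def engines_for_repo(repo_root: str) -> dict:
    """Map each engine to whether it would be triggered for this checkout."""
    result = {name: True for name in UNCONDITIONAL_ENGINES}
    sbom = Path(repo_root) / "sbom.json"  # must be in the root, not a subdirectory
    if sbom.is_file():
        result["SCA (Dependency-Track)"] = True
        result["sbom_problems"] = sbom_problems(sbom)
    else:
        result["SCA (Dependency-Track)"] = False
        result["sbom_problems"] = ["sbom.json missing from repository root"]
    return result


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample SBOM with a single npm component.
        Path(tmp, "sbom.json").write_text(json.dumps({
            "bomFormat": "CycloneDX", "specVersion": "1.5",
            "components": [{"name": "lodash", "version": "4.17.21",
                            "purl": "pkg:npm/lodash@4.17.21"}]}))
        print(engines_for_repo(tmp))
```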
IaC – Engine: KICS (https://github.com/Checkmarx/kics)
IaC (Infrastructure as Code) vulnerability scanning is a security practice that involves analyzing IaC templates and configurations for security risks before infrastructure is provisioned. By scanning these templates, such as Terraform or CloudFormation scripts, IaC vulnerability scanning tools detect misconfigurations, insecure settings, and potential vulnerabilities that could expose infrastructure to attacks. This proactive approach helps secure cloud environments and infrastructure by identifying issues early in the development process.
This type of scan verifies Dockerfiles, Terraform, Kubernetes deployments, and many other deployable configurations, looking for misconfigurations or bad practices and raising an alert when it finds them.
Scan Requirements
- None. The scan is performed for every change without any conditions.
Secret Leaks – Engine: Gitleaks (https://github.com/gitleaks/gitleaks)
Secret leaks refer to the unintentional exposure of sensitive information, such as API keys, passwords, tokens, and other credentials, in source code, configuration files, or logs. Detecting secret leaks is crucial, as exposed secrets can be exploited by attackers to gain unauthorized access to systems, services, or data. Secret scanning tools help identify and prevent the inclusion of sensitive information in public repositories or shared code, reducing the risk of security breaches.
Most severe incidents in the public cloud (and not only there) have occurred due to misconfigurations, hardcoded keys, or keys accidentally pushed to a git repository. This kind of testing helps you detect such problems and gives you the time needed to rotate leaked secrets properly.
Scan Requirements
- None. The scan is performed for every change without any conditions.
By leveraging these integrated vulnerability scanners, Mixeway Flow empowers developers to enhance the security posture of their applications and infrastructure, ensuring that potential vulnerabilities are identified and addressed early in the development lifecycle.