Mixeway architecture

Integration with security scanners or any security tools can be painful. Sometime execution of particular scanner looks like

  • 1 x POST to configure scan (which return ID)
  • N x PUT to change settings set headers, scope (using ID from before)
  • 1 x GET to start scan (using ID from before, and returning scan ID)
  • N x GET to check scan state ( using scanID)
  • 1 x GET results ( using scanID, and returning array of vulnerability ID)
  • N x GET vulnerabilities

If You would like to add multiple scanners into single pipeline just by implementing manual the logic any DevOps engineer would be agnist (in the end she/he would have to maintain it).

Mixeway make it all easier. There are multiple of scanning plugins introduced:

which covers area of:

  • SAST – source code security analysis
  • OpenSource – scanning of vulnerabilities from external dependencies
  • DAST – dynamic application security testing
  • Network scan – enumerating services on opened port and verification of CVE on these

There are multiple places where scanning should be done. The first suite which consists of SAST + OpenSource scan can be done right after code is being pushed to the repository. After a successful merge, and application built step. An image scan should be performed..

Then DAST scans should be started. It cannot be executed in the same step as SAST because DAST scans need an environment where the application is running.

cd {project}
curl https://raw.githubusercontent.com/Mixeway/MixewayHub/master/scripts/CIScripts/mixeway-ci > mixeway-ci
chmod +x mixeway-ci
mixeway-ci --appname=projectName \
    --groupname=groupName \
    --mixewayurl=http://mixeway.io \
    --mixewayapikey=123 \
    --mixewayprojectid=1 \
    --skipsast \

    --appname - Subject application name
    --groupname - Fortify SCA build name
    --mixewayurl - URL for Mixeway API
    --mixewayapikey - API key generated on Mixeway to authenticate call
    --mixewayprojectid - ID of project on Mixeway
    --skipsast - setup when You dont want run SAST test
    --skipopensource - setup when You dont want run OpenSource test

Read more in Mixeway documentation at https://mixeway.github.io