Mixeway architecture

Integrating security scanners, or any security tools, can be painful. Running a single scanner sometimes looks like this:

  • 1 x POST to configure the scan (returns a config ID)
  • N x PUT to change settings, set headers and scope (using the ID from before)
  • 1 x GET to start the scan (using the ID from before, returning a scan ID)
  • N x GET to check the scan state (using the scan ID)
  • 1 x GET to fetch results (using the scan ID, returning an array of vulnerability IDs)
  • N x GET to fetch the individual vulnerabilities
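As an added example (not Mixeway's own code) of what a scanner plugin has to hide from the pipeline, here is a Python driver for the lifecycle above against a hypothetical scanner REST API. An in-memory fake stands in for the real HTTP calls so it runs offline; the endpoint paths, field names, states and the sample findings are all constructed for this illustration.

```python
"""Generic scanner driver: one run_scan() call wraps the
POST / PUT / GET / poll / fetch sequence a scanner API typically demands."""
import time
from dataclasses import dataclass, field


@dataclass
class FakeScannerApi:
    """Constructed stand-in for a scanner's REST API (hypothetical endpoints).
    It records every call so the driver's chattiness can be measured."""
    polls_until_done: int = 2          # how many state polls before "DONE"
    configs: dict = field(default_factory=dict)
    scans: dict = field(default_factory=dict)
    calls: list = field(default_factory=list)

    def request(self, method, path, body=None):
        self.calls.append((method, path))
        parts = path.strip("/").split("/")
        if method == "POST" and path == "/configs":
            cid = len(self.configs) + 1
            self.configs[cid] = {"target": body["target"], "headers": {}, "scope": []}
            return {"id": cid}
        if method == "PUT" and parts[0] == "configs":
            self.configs[int(parts[1])].update(body)
            return {"ok": True}
        if method == "GET" and parts[0] == "configs" and parts[-1] == "start":
            sid = len(self.scans) + 1
            self.scans[sid] = {"config": int(parts[1]), "polls": 0}
            return {"scanId": sid}
        if method == "GET" and parts[0] == "scans" and parts[-1] == "state":
            scan = self.scans[int(parts[1])]
            scan["polls"] += 1
            done = scan["polls"] >= self.polls_until_done
            return {"state": "DONE" if done else "RUNNING"}
        if method == "GET" and parts[0] == "scans" and parts[-1] == "results":
            return {"vulnerabilityIds": [101, 102]}   # constructed sample findings
        if method == "GET" and parts[0] == "vulnerabilities":
            vid = int(parts[1])
            return {"id": vid, "name": f"finding-{vid}",
                    "severity": "HIGH" if vid == 101 else "LOW"}
        raise KeyError(f"unhandled {method} {path}")


def run_scan(api, target, headers, scope, poll_interval=0.0, max_polls=50):
    """Drive one scan end to end and return the fully fetched vulnerabilities.

    This is the logic every hand-written integration ends up maintaining:
    ID plumbing between calls, a polling loop with a timeout, and a fan-out
    of one request per finding."""
    cid = api.request("POST", "/configs", {"target": target})["id"]
    api.request("PUT", f"/configs/{cid}", {"headers": headers})
    api.request("PUT", f"/configs/{cid}", {"scope": scope})
    sid = api.request("GET", f"/configs/{cid}/start")["scanId"]

    for _ in range(max_polls):
        state = api.request("GET", f"/scans/{sid}/state")["state"]
        if state == "DONE":
            break
        if state == "FAILED":
            raise RuntimeError(f"scan {sid} failed")
        time.sleep(poll_interval)
    else:
        raise TimeoutError(f"scan {sid} still running after {max_polls} polls")

    ids = api.request("GET", f"/scans/{sid}/results")["vulnerabilityIds"]
    return [api.request("GET", f"/vulnerabilities/{vid}") for vid in ids]


def request_count(api):
    """Number of HTTP round trips the driver needed (a measure of the pain)."""
    return len(api.calls)


if __name__ == "__main__":
    api = FakeScannerApi()
    findings = run_scan(api, "https://app.example", {"Authorization": "Bearer x"}, ["/api"])
    for f in findings:
        print(f["severity"], f["name"])
    print("HTTP calls:", request_count(api))
```

Even this minimal fake needs nine round trips for two findings; a real scanner adds authentication, pagination and error handling on top, which is exactly the per-scanner logic the plugins take over.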

If you wanted to add multiple scanners to a single pipeline by implementing that logic by hand, any DevOps engineer would be against it (in the end they would be the one maintaining it).

Mixeway makes all of this easier. It introduces multiple scanning plugins, which cover the following areas:

  • SAST – source code security analysis
  • OpenSource – scanning of vulnerabilities from external dependencies
  • DAST – dynamic application security testing
  • Network scan – enumerating services on open ports and checking them for known CVEs

Scanning should happen at several points in the pipeline. The first suite, SAST + OpenSource scanning, can run right after code is pushed to the repository. After a successful merge and an application build step, an image scan should be performed.

DAST scans should start after that. They cannot run in the same step as SAST because DAST needs an environment where the application is actually running.

cd {project}
curl https://raw.githubusercontent.com/Mixeway/MixewayHub/master/scripts/CIScripts/mixeway-ci > mixeway-ci
chmod +x mixeway-ci
./mixeway-ci --appname=projectName \
    --groupname=groupName \
    --mixewayurl=http://mixeway.io \
    --mixewayapikey=123 \
    --mixewayprojectid=1 \
    --skipsast \
    --skipopensource

Required:
    --appname - Subject application name
    --groupname - Fortify SCA build name
    --mixewayurl - URL for Mixeway API
    --mixewayapikey - API key generated on Mixeway to authenticate call
    --mixewayprojectid - ID of project on Mixeway
Optional:
    --skipsast - set when you don't want to run the SAST test
    --skipopensource - set when you don't want to run the OpenSource test

Read more in Mixeway documentation at https://mixeway.github.io