Mixeway is open-source software meant to simplify security assurance for projects that are implemented using CICD procedures. Mixeway is not another vulnerability scanning tool; it is a security orchestration tool.
Detailed documentation can be found here
Mixeway integrates with a number of vulnerability scanners through plugins.
With all this available, Mixeway provides the following functionalities:
- Automatic service discovery (IaaS Plugin for assets and network scans for services)
- Automatic Vulnerability Scan Configuration (Based on most recent configuration) - hands-free!
- Automatic and on-demand Vulnerability scan execution (based on policy and executed via a REST API call)
- One Vulnerability Database for all types of sources - SAST, DAST, OpenSource and Infrastructure vulnerabilities in one place
- Customizable Security Quality Gateway - a reliable piece of information for CICD to decide if a job should pass or not.
- REST API enabling integration with the Vulnerability Management systems already used within the organization.
Elements of the system:
- Backend - Spring Boot REST API
- Frontend - Angular 8 application
- DB - PostgreSQL database
- Vault - password store
- MixewayHub - parent project which contains the docker-compose files and a one-click installation
- Docker-compose
Mixeway has to be able to reuse the given passwords and API keys in order to use them when interacting with the vulnerability scanners.
Vault integration is optional, but it is strongly recommended; otherwise the passwords for the vulnerability scanners will be stored in plaintext.
There are two requirements for Mixeway to be successfully deployed using the prepared docker-compose.
- A minimal environment file has to be properly configured:
TRUSTPASS=changeit
KEYALIAS=localhost
P12PASS=changeit
PROFILE=prod
- Recommended (with Vault integration) environment file to be properly configured:
VAULT_HOST=127.0.0.1
VAULT_PORT=8200
VAULT_SCHEME=http
VAULT_APP_NAME=mixeway
VAULT_TOKEN=ffffffff-ffff-ffff-ffff-fffffffffff
KEYALIAS=localhost
TRUSTPASS=changeit
P12PASS=changeit
PROFILE=prod
Where TRUSTPASS is the password for the CACERT file (Java keystore containing trusted root certificates), KEYALIAS is the alias of the key stored within the PKCS12 file and P12PASS is the password for the PKCS12 file containing both the certificate and the private key.
- Certificates are in the proper place. There should be a pki directory in the folder where docker-compose.yml is located. It is important that the pki directory contains the following files:
  - ca.pem - trusted root certificates (in PEM format, for nginx)
  - cert.crt - public key in PEM format
  - private.key - private key in PEM format
  - certificate.p12 - PKCS12 file of cert.crt and private.key
  - trust.jks - trust store, which could be the cacerts of the JVM
There is a setup script prepared for Unix machines which generates the certificates and prepares the environment files.
Usage:
git clone https://github.com/Mixeway/MixewayHub
/bin/sh startup.sh
docker-compose pull
docker-compose up
You can either use the setup script or prepare the environment on your own using the guide above.
Mixeway will be available at https://__Your_IP_goes_here
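A pre-flight check for the deployment described above, added here as an example (it is not a script shipped by Mixeway or MixewayHub). It verifies that the environment file contains every variable listed in this guide, that no secret is still at its documentation placeholder (changeit, the all-f VAULT_TOKEN), and that the pki directory holds the five files named above with the private key readable only by its owner. The function names and the sample files written by write_samples are constructed for illustration.

```shell
#!/bin/sh
# Pre-flight check for a MixewayHub docker-compose deployment. Added example,
# not part of Mixeway/MixewayHub; function names and sample fixtures are
# constructed for illustration.

REQUIRED_VARS="TRUSTPASS KEYALIAS P12PASS PROFILE"
VAULT_VARS="VAULT_HOST VAULT_PORT VAULT_SCHEME VAULT_APP_NAME VAULT_TOKEN"
PKI_FILES="ca.pem cert.crt private.key certificate.p12 trust.jks"

# env_get FILE KEY: print the value of KEY from FILE (empty if absent); exits 0.
env_get() {
    grep "^$2=" "$1" | head -n 1 | cut -d= -f2-
}

# check_env FILE: return 0 when every variable from the guide is present and no
# secret is left at a placeholder; otherwise print findings to stderr, return 1.
check_env() {
    rc=0
    for v in $REQUIRED_VARS; do
        [ -n "$(env_get "$1" "$v")" ] || { echo "$1: $v is not set" >&2; rc=1; }
    done
    for v in TRUSTPASS P12PASS; do
        [ "$(env_get "$1" "$v")" != "changeit" ] || { echo "$1: $v still uses the default keystore password" >&2; rc=1; }
    done
    if [ -n "$(env_get "$1" VAULT_HOST)" ]; then
        # Vault is optional, but once configured all five settings are needed and
        # the token must not be the all-f placeholder from the documentation.
        for v in $VAULT_VARS; do
            [ -n "$(env_get "$1" "$v")" ] || { echo "$1: Vault configured but $v is not set" >&2; rc=1; }
        done
        case "$(env_get "$1" VAULT_TOKEN)" in
            ffffffff-ffff-*) echo "$1: VAULT_TOKEN is the placeholder value" >&2; rc=1 ;;
        esac
        if [ "$(env_get "$1" VAULT_SCHEME)" = "http" ] && [ "$(env_get "$1" VAULT_HOST)" != "127.0.0.1" ]; then
            echo "$1: VAULT_SCHEME=http to a remote host would send the token in clear" >&2; rc=1
        fi
    else
        echo "$1: no Vault configured, scanner credentials will be stored in plaintext" >&2
    fi
    return $rc
}

# check_pki DIR: return 0 when all five files exist and private.key has no
# group/other permission bits; otherwise report and return 1.
check_pki() {
    rc=0
    for f in $PKI_FILES; do
        [ -f "$1/$f" ] || { echo "$1/$f is missing" >&2; rc=1; }
    done
    if [ -f "$1/private.key" ]; then
        # Columns 5-10 of ls -l are the group and other permission bits.
        perms=$(ls -l "$1/private.key" | cut -c5-10)
        [ "$perms" = "------" ] || { echo "$1/private.key is readable by group/others" >&2; rc=1; }
    fi
    return $rc
}

# write_samples DIR: constructed fixtures. readme.env copies the recommended
# file from the guide verbatim (so it must fail); hardened.env uses made-up
# non-default values; pki/ holds empty placeholder files.
write_samples() {
    mkdir -p "$1/pki"
    cat > "$1/readme.env" <<'EOF'
VAULT_HOST=127.0.0.1
VAULT_PORT=8200
VAULT_SCHEME=http
VAULT_APP_NAME=mixeway
VAULT_TOKEN=ffffffff-ffff-ffff-ffff-fffffffffff
KEYALIAS=localhost
TRUSTPASS=changeit
P12PASS=changeit
PROFILE=prod
EOF
    cat > "$1/hardened.env" <<'EOF'
VAULT_HOST=127.0.0.1
VAULT_PORT=8200
VAULT_SCHEME=http
VAULT_APP_NAME=mixeway
VAULT_TOKEN=s.constructedExampleToken
KEYALIAS=localhost
TRUSTPASS=constructed-trust-pass
P12PASS=constructed-p12-pass
PROFILE=prod
EOF
    for f in $PKI_FILES; do : > "$1/pki/$f"; done
    chmod 600 "$1/pki/private.key"
}

# Usage: sh mixeway-preflight.sh ENV_FILE PKI_DIR
if [ $# -eq 2 ]; then
    check_env "$1" && check_pki "$2"
fi
```

Run it before docker-compose up; a non-zero exit means the deployment would start with a placeholder secret or a missing certificate file, which is cheaper to catch here than after the containers are up.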
Mixeway provides an automated script which is easy to include in any CICD pipeline that can run bash scripts. Requirements:
- installed jq and curl
- For the OpenSource scan (at this moment only DependencyTrack is available), the ability to run the CycloneDX plugin, which depends on the project language - more details at https://cyclonedx.org
cd {project}
curl https://raw.githubusercontent.com/Mixeway/MixewayHub/master/scripts/CIScripts/mixeway-ci > mixeway-ci
chmod +x mixeway-ci
mixeway-ci --appname=projectName \
--groupname=groupName \
--mixewayurl=http://mixeway.io \
--mixewayapikey=123 \
--mixewayprojectid=1 \
--skipsast \
--skipopensource
Required:
--appname - Subject application name
--groupname - Fortify SCA build name
--mixewayurl - URL for Mixeway API
--mixewayapikey - API key generated on Mixeway to authenticate the call
--mixewayprojectid - ID of project on Mixeway
Optional:
--skipsast - set when you do not want to run the SAST test
--skipopensource - set when you do not want to run the OpenSource test
Please note that enabling both --skipsast and --skipopensource will only verify the current security state.
The timeout for the script is 5 min. If the timeout is exceeded, the script returns success.
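A pipeline stage wrapper around the mixeway-ci invocation above, added here as an example and not part of MixewayHub. It builds the argument list from pipeline variables so that the API key is read from the CI secret store instead of being written literally into the job definition, refuses a plain-http Mixeway URL (the key would otherwise travel in clear), logs a redacted copy of the command, and pins the downloaded script to a checksum. The MIXEWAY_* variable names, the function names and the checksum placeholder are constructed; the mixeway-ci flags are the ones documented above.

```shell
#!/bin/sh
# CI stage wrapper for the mixeway-ci script from MixewayHub. Added example,
# not part of the project: MIXEWAY_* variables, function names and the
# checksum placeholder are constructed; the flags are the documented ones.

MIXEWAY_CI_URL="https://raw.githubusercontent.com/Mixeway/MixewayHub/master/scripts/CIScripts/mixeway-ci"
# Placeholder: set to the SHA-256 of the script revision you reviewed and pinned.
MIXEWAY_CI_SHA256="${MIXEWAY_CI_SHA256:-<sha256-of-reviewed-mixeway-ci>}"

# mixeway_ci_args: print the argument list for mixeway-ci assembled from
# pipeline variables. Returns 1 when a required value is missing or the
# Mixeway URL is not https.
mixeway_ci_args() {
    for v in MIXEWAY_APPNAME MIXEWAY_GROUPNAME MIXEWAY_URL MIXEWAY_APIKEY MIXEWAY_PROJECTID; do
        eval "val=\$$v"
        [ -n "$val" ] || { echo "$v is not set" >&2; return 1; }
    done
    case "$MIXEWAY_URL" in
        https://*) ;;
        *) echo "MIXEWAY_URL must use https; the API key would travel in clear" >&2; return 1 ;;
    esac
    args="--appname=$MIXEWAY_APPNAME --groupname=$MIXEWAY_GROUPNAME --mixewayurl=$MIXEWAY_URL --mixewayapikey=$MIXEWAY_APIKEY --mixewayprojectid=$MIXEWAY_PROJECTID"
    if [ "${MIXEWAY_SKIP_SAST:-0}" = "1" ]; then args="$args --skipsast"; fi
    if [ "${MIXEWAY_SKIP_OPENSOURCE:-0}" = "1" ]; then args="$args --skipopensource"; fi
    echo "$args"
}

# redact_args ARGS: copy of the argument list safe to print in job logs.
redact_args() {
    printf '%s\n' "$1" | sed 's/--mixewayapikey=[^ ]*/--mixewayapikey=***/'
}

# run_stage: download the pinned script, verify it, run it with the assembled
# arguments and propagate its exit status as the job result. Values must not
# contain spaces, since $args is intentionally word-split.
run_stage() {
    args=$(mixeway_ci_args) || return 1
    echo "running: mixeway-ci $(redact_args "$args")"
    curl -fsSL "$MIXEWAY_CI_URL" > mixeway-ci
    echo "$MIXEWAY_CI_SHA256  mixeway-ci" | sha256sum -c - >/dev/null \
        || { echo "mixeway-ci checksum mismatch" >&2; return 1; }
    chmod +x mixeway-ci
    ./mixeway-ci $args
}

# Usage: sh mixeway-stage.sh run   (with MIXEWAY_* exported by the pipeline)
case "${1:-}" in run) run_stage ;; esac
```

In the job definition, supply MIXEWAY_APIKEY from the CI system's masked secret store and keep MIXEWAY_URL on https; the stage then fails before any call is made if either is missing, and the only command line that reaches the log is the redacted one.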