
gbeudaert / mixewayhub


This project forked from mixeway/mixewayhub


Mixeway is a security orchestrator for vulnerability scanners that enables easy plug-in integration with CI/CD pipelines. The MixewayHub project contains a one-click docker-compose file which configures and runs the images from Docker Hub.

Home Page: https://mixeway.io

License: GNU General Public License v3.0

Shell 100.00%

mixewayhub's Introduction


Mixeway Hub

About Mixeway:

Mixeway is open-source software meant to simplify security assurance for projects that are implemented using CI/CD procedures. Mixeway is not another vulnerability scanning tool; it is a security orchestration tool.

Detailed documentation can be found here

With a number of plugins for vulnerability scanners:

With all this available, Mixeway provides functionalities to:

  • Automatic service discovery (IaaS plugin for assets and network scans for services)
  • Automatic vulnerability scan configuration (based on the most recent configuration) - hands-free!
  • Automatic and on-demand vulnerability scan execution (based on policy and executed via a REST API call)
  • One vulnerability database for all types of sources - SAST, DAST, open-source and infrastructure vulnerabilities in one place
  • Customizable security quality gateway - a reliable piece of information for CI/CD to decide whether a job should pass or not
  • REST API that enables integration with the vulnerability management systems already used within the organization

Elements of a system:

Main Contributor

Requirements:
  • Docker-compose

Hashicorp Vault integration:

Mixeway has to be able to reuse the given passwords and API keys in order to use them when interacting with vulnerability scanners.

Vault integration is optional, but it is strongly recommended; otherwise the passwords for the vulnerability scanners will be stored in plaintext.

Running Mixeway:

There are two requirements for Mixeway to be successfully deployed using the prepared docker-compose file.

  • A minimal environment file, properly configured:
TRUSTPASS=changeit
KEYALIAS=localhost
P12PASS=changeit
PROFILE=prod
  • Recommended (with Vault integration) environment file, properly configured:
VAULT_HOST=127.0.0.1
VAULT_PORT=8200
VAULT_SCHEME=http
VAULT_APP_NAME=mixeway
VAULT_TOKEN=ffffffff-ffff-ffff-ffff-fffffffffff
KEYALIAS=localhost
TRUSTPASS=changeit
P12PASS=changeit
PROFILE=prod

Where TRUSTPASS is the password for the CACERT file (a Java keystore containing trusted root certificates), KEYALIAS is the alias of the key stored within the PKCS12 file, and P12PASS is the password for the PKCS12 file containing both the certificate and the private key.

  • Certificates are in the proper place. There should be a pki directory in the folder where docker-compose.yml is located. It is important that the pki directory contains the files:
    • ca.pem, which contains the trusted root certificates (in PEM format, for nginx)
    • cert.crt, which contains the public certificate in PEM format
    • private.key, which contains the private key in PEM format
    • certificate.p12, a PKCS12 file built from cert.crt and private.key
    • trust.jks, which could be the cacerts file of the JVM

There is a setup script prepared for Unix machines which generates the certificates and prepares the environment file.
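A pre-flight check for the two requirements above, added here as an example and not part of MixewayHub or its setup script: it reads the KEY=VALUE environment file, reports keys docker-compose needs, flags the sample values from this README (changeit, the placeholder Vault token, VAULT_SCHEME=http) and a missing Vault integration, and confirms the pki directory holds the five listed files. The function names check_mixeway_env and check_mixeway_pki are my own.

```shell
#!/bin/sh
# Pre-flight check for a MixewayHub deployment (added example, not MixewayHub code).
# check_mixeway_env FILE  - flags missing keys and README sample values in the env file
# check_mixeway_pki DIR   - confirms the pki directory holds the five expected files
# Both return 0 when clean and 1 after printing their findings.

# Print the last value assigned to KEY in FILE (empty if absent).
env_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

check_mixeway_env() {
    f=$1; n=0
    for key in TRUSTPASS KEYALIAS P12PASS PROFILE; do
        [ -n "$(env_get "$f" "$key")" ] || { echo "MISSING: $key"; n=$((n + 1)); }
    done
    # Keystore passwords left at the sample value protect the private key in name only.
    for key in TRUSTPASS P12PASS; do
        [ "$(env_get "$f" "$key")" != "changeit" ] || { echo "WEAK: $key is 'changeit'"; n=$((n + 1)); }
    done
    if [ -z "$(env_get "$f" VAULT_HOST)" ]; then
        echo "WARN: no Vault integration, scanner passwords will be stored in plaintext"
        n=$((n + 1))
    else
        # With http the Vault token crosses the network in cleartext.
        [ "$(env_get "$f" VAULT_SCHEME)" = "https" ] || { echo "WEAK: VAULT_SCHEME is not https"; n=$((n + 1)); }
        case "$(env_get "$f" VAULT_TOKEN)" in
            ""|ffffffff-*) echo "WEAK: VAULT_TOKEN is empty or the sample placeholder"; n=$((n + 1)) ;;
        esac
    fi
    [ "$n" -eq 0 ]
}

check_mixeway_pki() {
    d=$1; n=0
    # -s: the file must exist and be non-empty; an empty PEM silently breaks nginx/JVM startup.
    for file in ca.pem cert.crt private.key certificate.p12 trust.jks; do
        [ -s "$d/$file" ] || { echo "MISSING: $d/$file"; n=$((n + 1)); }
    done
    [ "$n" -eq 0 ]
}
```

Run it as `check_mixeway_env .env && check_mixeway_pki pki` from the directory holding docker-compose.yml before `docker-compose up`.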

Usage:

git clone https://github.com/Mixeway/MixewayHub
/bin/sh startup.sh
docker-compose pull
docker-compose up

You can either use the setup script or prepare the environment on your own using the guide above.

Mixeway will be available at https://__Your_IP_goes_here

CI integrations

Mixeway provides an automated script which is easy to integrate into any CI/CD pipeline that can run bash scripts. Requirements:

  1. jq and curl installed
  2. For the open-source scan (at this moment only DependencyTrack is available), the ability to run the CycloneDX plugin, which depends on the project language - more details at https://cyclonedx.org

Setup

cd {project}
curl https://raw.githubusercontent.com/Mixeway/MixewayHub/master/scripts/CIScripts/mixeway-ci > mixeway-ci
chmod +x mixeway-ci

Usage

mixeway-ci --appname=projectName \
    --groupname=groupName \
    --mixewayurl=http://mixeway.io \
    --mixewayapikey=123 \
    --mixewayprojectid=1 \
    --skipsast \
    --skipopensource

Required:
    --appname - subject application name
    --groupname - Fortify SCA build name
    --mixewayurl - URL of the Mixeway API
    --mixewayapikey - API key generated on Mixeway to authenticate the call
    --mixewayprojectid - ID of the project on Mixeway
Optional:
    --skipsast - set when you do not want to run the SAST test
    --skipopensource - set when you do not want to run the open-source test

Please note that enabling both --skipsast and --skipopensource will only verify the current state of security.

The timeout for the script is 5 minutes. If the timeout is exceeded, the script returns success.
