
Mixeway / Flow

Repository containing the source code of the MixewayFlow service, a Swiss army knife for DevSecOps teams

78 stars
7 forks
0 issues
Languages: Java, TypeScript, HTML

AI Architecture Analysis

This repository is indexed by RepoMind. By analyzing Mixeway/Flow in our AI interface, you can instantly generate complete architecture diagrams, visualize control flows, and perform automated security audits across the entire codebase.

Our Agentic Context Augmented Generation (Agentic CAG) engine loads full source files into context on-demand, avoiding the fragmentation of traditional RAG systems. Ask questions about the architecture, dependencies, or specific features to see it in action.



Repository Overview (README excerpt)


# Mixeway Flow — DevSecOps Swiss Army Knife 🔐⚙️

> **Mixeway Flow** integrates security into your SDLC from day one. It aggregates results from built-in scanners, hooks seamlessly into Git (webhooks), and presents everything in a single, actionable dashboard.
>
> **Under Development:** we are building an AI/LLM-powered verification engine that combines detected findings with extended vulnerability intelligence and then **verifies, in your own source code, whether a specific vulnerability is truly present and exploitable**. The goal is to deliver **100% accurate, properly prioritized information** for engineers and security teams. This feature will be available in a **future release** (see the details below).

Available demonstration: https://flow.mixeway.io

---

## Table of Contents

- Why Mixeway Flow?
- How it Works
- What’s Scanned
  - SAST (Bearer)
  - SCA (SBOM + OWASP Dependency-Track)
  - IaC (KICS)
  - Secret Leaks (gitleaks)
  - GitLab Repository Scanner (Mixeway ruleset)
- AI/LLM Verification — Under Development
- Quick Start
- Initial Setup
- Screenshots
- Documentation
- Contributing
- Community
- License

---

## Why Mixeway Flow?

- **One dashboard to rule them all** — SAST, SCA, IaC, and secret scanning in one place.
- **Zero CI friction** — Git webhooks trigger scans automatically; no complex pipeline wiring needed.
- **Focus on what matters** — Suppress/ignore by context to cut noise and prioritize real risk.
- **Fast time-to-value** — Docker Compose install; be up and reviewing findings in minutes.
- **Built for the next step** — Designed to plug in an AI/LLM verification layer that validates exploitability directly in your codebase.

---

## How it Works

1. **Register a Git repository** (URL + access token). An initial scan runs on the latest commit of the default branch.
2. **Configure a webhook** (GitHub/GitLab). Each push or PR/MR triggers a scan; events are queued if needed.
3. **Review results** in the unified dashboard and act.
---

## What’s Scanned

Each scan runs transparently from a developer/CI/CD perspective. You get consistent results without extra ceremony.

### SAST (Bearer)

Static analysis of your team’s source code for injection flaws, insecure patterns, and more.

**Requirements:** none — runs for every change.

Engine: https://github.com/Bearer/bearer

### SCA (SBOM + OWASP Dependency-Track)

Find known vulnerabilities, licensing issues, and outdated libraries via SBOM ingestion.

**Requirements:** place in the repo root to enable SCA scans.

Engine: https://github.com/DependencyTrack/dependency-track

### IaC (KICS)

Scan Terraform, Kubernetes manifests, Dockerfiles and other templates for misconfigurations.

**Requirements:** none — runs for every change.

Engine: https://github.com/Checkmarx/kics

### Secret Leaks (gitleaks)

Detect accidentally committed credentials (API keys, tokens, passwords) before they become incidents.

**Requirements:** none — runs for every change.

Engine: https://github.com/gitleaks/gitleaks

### GitLab Repository Scanner (Mixeway ruleset)

First-class checks for **15+ GitLab repository/security misconfigurations** using our curated ruleset.

**Examples of detections:**

- No or weak **branch protection** on default branches (force-push allowed, missing approvals).
- **Unknown or untrusted runner** registered to the project/group.
- Secrets such as **passwords or tokens stored in GitLab CI/CD variables** without masking/protection.
- Insecure **merge request** settings (missing code review/approvals).
- Public exposure of private projects via **inherited visibility** or incorrect sharing.
- Missing or lax **Protected Tags** / **Protected Branches** configuration.
- **Pipeline triggers** and webhooks with overbroad permissions.
- Artifact exposure / retention misconfigurations.
**How it works:** Mixeway queries repository and project metadata, CI settings, and protection rules to evaluate policy compliance and highlight risky gaps with **actionable remediation tips**.

**Requirements:** repository access with permissions to read project settings and CI/CD configuration (token or PAT).

---

## AI/LLM Verification — Under Development

We are building a complementary **AI-assisted verification layer** that operates on top of your scans to **decide if a vulnerability is actually exploitable in your codebase**. This project combines three pillars:

- **Detected Findings**: ingests and normalizes SAST, SCA (SBOM), IaC, and secret-scan outputs from Mixeway Flow.
- **Extended Vulnerability Intelligence**: enriches findings with structured threat intelligence (e.g., CVE metadata, CWE, CVSS, KEV/“known exploited”, EPSS-like probabilities, exploit-exists signals, advisories, references).
- **Code-Aware AI/LLM Reasoning**: uses large language models and domain-specific rules to analyze **your repository’s source code** and verify whether the conditions required for exploitation are present.
  - Produces a **constraint checklist** for each vulnerability (e.g., reachable sink, untrusted data flow, missing input validation, vulnerable library version & call-site usage).
  - Maps verification to **concrete code locations** (files, functions, lines) and **execution paths**.
  - **Reduces false positives** and upgrades critical issues that meet exploitability conditions.
  - Outputs **actionable remediation** steps aligned to the exact code context.

**Outcome & Goal**

- **Target:** deliver **100% accurate and properly prioritized** results for developers and AppSec.
- **Status:** under active development; will be released as a **future version** of Mixeway Flow.
- **Early Access:** if you’re interested in testing this capability, open an issue or ping us on Discord.
> _Note:_ “100% accurate” reflects the **design goal** for precision and prioritization in verified results; real-world performance will be transpare…
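The GitLab repository checks described above (branch protection, merge request approvals, unmasked secrets in CI/CD variables) can be expressed as small policy rules evaluated over project settings. The block below is an added example, not Mixeway's ruleset or code; it assumes a constructed `PROJECT` dict whose field names mirror the GitLab REST API responses for protected branches (`allow_force_push`), approval rules (`approvals_required`) and CI/CD variables (`masked`, `protected`), and `SECRET_HINTS` is an assumed heuristic for spotting secret-like variable names.

```python
# Policy checks over GitLab project settings (added example, not Mixeway's code).
# PROJECT is a constructed sample; its fields mirror the GitLab REST API responses
# for /protected_branches, /approval_rules and /variables.
PROJECT = {
    "default_branch": "main",
    "protected_branches": [{"name": "main", "allow_force_push": True}],
    "approval_rules": [{"name": "Any approver", "approvals_required": 0}],
    "variables": [
        {"key": "DEPLOY_TOKEN", "masked": False, "protected": False},
        {"key": "APP_ENV", "masked": False, "protected": False},
    ],
}

# Key-name fragments that suggest a CI/CD variable holds a secret (assumption).
SECRET_HINTS = ("TOKEN", "PASSWORD", "SECRET", "KEY")

def check_branch_protection(project):
    """The default branch must be protected and force-push must be disabled."""
    default = project["default_branch"]
    rule = next((b for b in project["protected_branches"] if b["name"] == default), None)
    if rule is None:
        return [f"default branch '{default}' is not protected"]
    if rule.get("allow_force_push"):
        return [f"force-push allowed on protected default branch '{default}'"]
    return []

def check_mr_approvals(project):
    """At least one approval rule must require one or more approvers."""
    if any(r.get("approvals_required", 0) > 0 for r in project["approval_rules"]):
        return []
    return ["merge requests can be merged without any approval"]

def check_ci_variables(project):
    """Secret-looking CI/CD variables must be both masked and protected."""
    findings = []
    for var in project["variables"]:
        looks_secret = any(hint in var["key"].upper() for hint in SECRET_HINTS)
        if looks_secret and not (var["masked"] and var["protected"]):
            findings.append(f"CI variable '{var['key']}' looks like a secret but is not masked and protected")
    return findings

def audit(project):
    """Run every rule and return the list of human-readable findings."""
    return check_branch_protection(project) + check_mr_approvals(project) + check_ci_variables(project)

if __name__ == "__main__":
    for finding in audit(PROJECT):
        print("FINDING:", finding)
```

Feeding real data into the same functions only requires fetching the three endpoints with a read-only token, which matches the access the scanner section above says it needs.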