Mixeway Flow - VS Code Extension
VS Code extension for Mixeway Flow — a security scanning platform that detects vulnerabilities in your code repositories (SAST, SCA, IaC, Secrets).
Features
- Automatic Repository Detection — reads .git remote URL and matches it with a repository registered in Flow
- Security Findings Sidebar — displays vulnerabilities grouped by severity (Critical / High / Medium / Low) in a dedicated activity bar panel
- File Navigation — click on a finding to navigate directly to the affected file and line
- Editor Diagnostics — findings appear as warnings/errors in the VS Code Problems panel and as inline squiggles
- Run Scans — trigger a security scan from VS Code (default branch or a specific branch)
- Suppress / Reactivate — manage finding lifecycle directly from the IDE (right-click context menu)
- Finding Details — view full vulnerability details including description and recommendations in a webview panel
Setup
1. Install
Install from .vsix or from the VS Code Marketplace (once published):
code --install-extension mixeway-flow-0.1.0.vsix
2. Configure
Open VS Code Settings (Cmd+, / Ctrl+,) and search for Mixeway Flow:
| Setting | Description |
| --- | --- |
| mixewayFlow.url | URL of your Mixeway Flow instance (e.g. https://flow.example.com) |
| mixewayFlow.apiKey | API Key for authentication (generate from your Flow user profile) |
Or add to settings.json:
{
  "mixewayFlow.url": "https://flow.example.com",
  "mixewayFlow.apiKey": "your-api-key-here"
}
3. Open a Git Repository
Open a workspace that contains a git repository registered in Mixeway Flow. The extension will:
- Read the git remote URL (origin)
- Search for a matching Code Repository in Flow
- Load and display security findings
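The matching step above compares the origin URL with the URL registered in Flow, and the same repository can be written as an scp-style SSH remote, an ssh:// URL, or an HTTPS URL with embedded credentials. The following is an added example, not the extension's own git.ts, that normalizes both sides before comparing and drops any credentials from the remote so they never end up in a comparison key. The `RegisteredRepo` shape, the function names and the sample URLs are assumptions.

```typescript
// Added example, not the extension's own src/utils/git.ts.
// RegisteredRepo is an assumed shape; the real Flow response may differ.
interface RegisteredRepo { id: number; repoUrl: string; }

// scheme://[userinfo@]host[:port]/path
const URL_FORM = /^(https?|ssh|git):\/\/(?:[^@\/\s]*@)?([^\/:\s]+)(?::\d+)?\/(\S+)$/i;
// scp-style remote: [user@]host:org/repo.git
const SCP_FORM = /^(?:[^@\/\s]+@)?([^\/:\s]+):(?!\/)(\S+)$/;

// Reduce a remote to "host/path": no scheme, credentials, port or ".git" suffix.
// The port is dropped so SSH and HTTPS forms of one repository compare equal.
function normalizeRemote(remote: string): string | null {
  const raw = remote.trim();
  let host: string;
  let path: string;
  const url = URL_FORM.exec(raw);
  const scp = url ? null : SCP_FORM.exec(raw);
  if (url) { host = url[2]; path = url[3]; }
  else if (scp) { host = scp[1]; path = scp[2]; }
  else return null; // local paths and unknown schemes are not matched
  // Host names are case-insensitive; path case is kept because some
  // git hosts treat repository paths as case-sensitive.
  path = path.replace(/\/+$/, "").replace(/\.git$/i, "").replace(/\/+$/, "");
  return path ? `${host.toLowerCase()}/${path}` : null;
}

// Return the registered repository that names the same host/path, if any.
function findRepo(remote: string, repos: RegisteredRepo[]): RegisteredRepo | undefined {
  const key = normalizeRemote(remote);
  if (key === null) return undefined;
  for (const r of repos) {
    if (normalizeRemote(r.repoUrl) === key) return r;
  }
  return undefined;
}

// Constructed sample data.
const SAMPLE_REPOS: RegisteredRepo[] = [
  { id: 7, repoUrl: "https://gitlab.example.com/team/app" },
  { id: 9, repoUrl: "https://gitlab.example.com/team/app-infra.git" },
];
```

Exact host/path equality keeps `team/app` from matching `team/app-infra`, which a prefix or substring comparison would not.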
Usage
The Mixeway Flow shield icon in the activity bar opens the Security Findings panel. Findings are grouped by severity with icons indicating the source:
- $(code) — SAST (Static Application Security Testing)
- $(package) — SCA (Software Composition Analysis)
- $(server) — IaC (Infrastructure as Code)
- $(key) — Secrets Detection
Commands (Command Palette)
| Command | Description |
| --- | --- |
| Mixeway Flow: Refresh Findings | Reload findings from Flow |
| Mixeway Flow: Run Security Scan | Start a scan (default or specific branch) |
| Mixeway Flow: Configure Connection | Open extension settings |
| Mixeway Flow: Suppress Finding | Suppress a finding with a reason |
| Mixeway Flow: Reactivate Finding | Reactivate a suppressed finding |
| Mixeway Flow: Show Finding Details | Open a detailed view of a finding |
Right-click on a finding in the sidebar to:
- Suppress — mark as false positive, accepted risk, not applicable, or won't fix
- Reactivate — revert a suppressed finding
- Show Details — open full vulnerability information
Development
# Install dependencies
npm install
# Watch mode (auto-rebuild on changes)
npm run watch
# Build for production
npm run build
# Package as .vsix
npm run package
Project Structure
src/
├── extension.ts # Entry point, commands, lifecycle
├── api/
│ └── flowClient.ts # HTTP client for Flow REST API
├── models/
│ └── types.ts # TypeScript interfaces and enums
├── providers/
│ └── findingsTreeProvider.ts # Tree view data provider
└── utils/
    └── git.ts # Git remote URL detection
Flow API Endpoints Used
| Endpoint | Purpose |
| --- | --- |
| GET /api/v1/coderepo | List repositories |
| GET /api/v1/coderepo/{id}/findings | Get findings for a repository |
| GET /api/v1/coderepo/{id}/finding/{fid} | Get finding details |
| GET /api/v1/coderepo/{id}/run | Trigger scan (default branch) |
| POST /api/v1/coderepo/{id}/run/branch | Trigger scan (specific branch) |
| GET /api/v1/coderepo/{id}/supress/{fid}/reason/{reason} | Suppress a finding |
| POST /api/v1/coderepo/{id}/supress | Bulk suppress findings |
| GET /api/v1/coderepo/{id}/reactivate/{fid} | Reactivate a finding |
| GET /api/v1/coderepo/{id}/git-branches | List remote branches |
License
MIT