Security findings from Mixeway Flow, right inside your IDE.
This IntelliJ plugin connects to a running Mixeway Flow instance and brings your security scan results directly into the IDE — so you never have to leave your editor to review, navigate, and act on vulnerabilities.
| Feature | Description |
|---|---|
| Auto-detect repository | Reads your .git remote and automatically links to the matching CodeRepo in Flow |
| Browse findings | View SAST, SCA, IaC, and secret-leak findings in a filterable, sortable table |
| Navigate to code | Double-click any finding to jump to the exact file and line in the editor |
| Filter & sort | Filter by source (SAST/SCA/IaC/Secrets) and status (New/Existing/Removed/Suppressed); sorted by severity |
| Trigger scans | Start a new security scan from the IDE with one click |
| Suppress findings | Mark false positives or accepted risks directly — no context-switching |
| Finding details | View full description, recommendation, and comments for each vulnerability |
| Self-signed TLS | Works with Flow instances behind self-signed certificates |
From disk (development build):
Settings → Plugins → ⚙ → Install Plugin from Disk → select the `.zip` from `build/distributions/`
Settings → Tools → Mixeway Flow
| Field | Value |
|---|---|
| Flow Server URL | https://your-flow-instance:8443 |
| API Key | Your personal API key from Flow |
| Accept self-signed TLS | ✅ (for local / dev setups) |
Click Test Connection to verify.
View → Tool Windows → Mixeway Flow
The plugin will automatically detect your git remote, find the matching repository in Flow, and load all findings.
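A sketch of how a git remote can be normalized before it is matched to a Flow repository, added here as an example and not taken from the plugin's source. The class and method names are hypothetical, the repository URLs are constructed, and folding the path to lower case assumes a git host with case-insensitive paths.

```java
import java.net.URI;
import java.util.List;
import java.util.Locale;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example (hypothetical names): SSH and HTTPS remotes of one repo map to one key.
public class RemoteMatch {
    // scp-like syntax without a scheme: [user@]host:path
    private static final Pattern SCP = Pattern.compile("^(?:[^@/]+@)?([^:/]+):(?!//)(.+)$");
    // Reduce a remote to "host/path"; credentials, port, scheme and ".git" are discarded.
    static Optional<String> normalize(String remote) {
        String s = remote.trim();
        String host, path;
        Matcher m = SCP.matcher(s);
        if (!s.contains("://") && m.matches()) {
            host = m.group(1);
            path = m.group(2);
        } else {
            try {
                URI u = URI.create(s);
                host = u.getHost();   // userinfo (user:token@) never reaches the key
                path = u.getPath();
            } catch (IllegalArgumentException e) {
                return Optional.empty();
            }
            if (host == null || path == null) return Optional.empty(); // e.g. a local path
        }
        path = path.replaceAll("^/+|/+$", "");
        if (path.endsWith(".git")) path = path.substring(0, path.length() - 4);
        if (path.isEmpty()) return Optional.empty();
        // Assumption: the host treats repository paths case-insensitively.
        return Optional.of(host.toLowerCase(Locale.ROOT) + "/" + path.toLowerCase(Locale.ROOT));
    }
    // Exact comparison of normalized keys only; a prefix or substring must not link a repo.
    static Optional<String> match(String remote, List<String> flowRepoUrls) {
        Optional<String> key = normalize(remote);
        if (key.isEmpty()) return Optional.empty();
        return flowRepoUrls.stream().filter(u -> normalize(u).equals(key)).findFirst();
    }

    public static void main(String[] args) {
        List<String> repos = List.of(          // constructed sample data
                "https://github.com/example-org/payments.git",
                "https://github.com/example-org/payments-api.git");
        System.out.println(match("git@github.com:Example-Org/payments-api.git", repos));
        System.out.println(match("https://ci:TOKEN@github.com/example-org/payments", repos));
        System.out.println(match("https://github.com/example-org/pay", repos)); // prefix only
    }
}
```

Matching on the full normalized key keeps a similarly named repository from being linked, which matters because scan and suppress actions are sent against the linked repository's id.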
- Sort: Findings are sorted by severity (Critical → High → Medium → Low → Info)
- Filter by Source: Use the dropdown to show only SAST, SCA, IaC, or Secrets findings
- Filter by Status: Toggle checkboxes to show/hide New, Existing, Removed, or Suppressed findings
- Navigate: Double-click a row or press Enter to open the file at the vulnerable line
- Summary strip: The colored bar above the table shows counts per severity at a glance
Right-click a finding → Suppress → choose a reason:
- False Positive
- Accepted Risk
- Won't Fix
- Not an Issue
Or select a finding and use the Suppress / Reactivate buttons in the detail panel below.
Click the ▶ Run Security Scan button in the toolbar to start a scan on the linked repository.
```bash
git clone https://github.com/Mixeway/Flow-Intellij-Plugin.git
cd Flow-Intellij-Plugin
# Build the plugin
./gradlew build
# Run in a sandboxed IDE instance
./gradlew runIde
```

Requirements: JDK 17+
The built plugin ZIP is at build/distributions/flow-intellij-plugin-<version>.zip.
```
src/main/java/io/mixeway/flow/intellij/
├── settings/      Configuration UI (URL + API Key)
├── api/           REST client + DTOs for Flow API
├── git/           Git remote URL detection & normalization
├── service/       Project-level service (link repo, fetch findings)
├── toolwindow/    Tool window UI (table, filters, detail panel)
└── actions/       Toolbar actions (refresh, scan, suppress)
```
| Operation | Endpoint |
|---|---|
| List repositories | GET /api/v1/coderepo |
| Get findings | GET /api/v1/coderepo/{id}/findings |
| Finding details | GET /api/v1/coderepo/{id}/finding/{findingId} |
| Trigger scan | GET /api/v1/coderepo/{id}/run |
| Suppress finding | GET /api/v1/coderepo/{id}/supress/{findingId}/reason/{reason} |
| Reactivate finding | GET /api/v1/coderepo/{id}/reactivate/{findingId} |
All requests authenticate via the `X-API-KEY` header.
| IntelliJ Platform | Supported |
|---|---|
| 2024.1+ (241) | ✅ |
| 2024.2+ (242) | ✅ |
| 2024.3+ (243) | ✅ |
| 2025.1+ (251) | ✅ |
| 2025.2+ (252) | ✅ |
Works with IntelliJ IDEA Community and Ultimate, as well as other JetBrains IDEs based on the IntelliJ Platform.
Contributions are welcome! Please open an issue or submit a PR.
- Fork the repository
- Create a feature branch (`git checkout -b feature/my-feature`)
- Commit your changes
- Push and open a Pull Request
- Discord: Join us
- Issues: GitHub Issues
- Mixeway Flow: github.com/Mixeway/Flow
MIT License — see LICENSE for details.

