Skip to content
🕵️‍♀️ MixAudit provides a mix deps.audit task to scan a project Mix dependencies for known Elixir security vulnerabilities
Elixir Makefile
Branch: master
Clone or download

Latest commit

Latest commit 923f1d8 Mar 21, 2020


Type Name Latest commit message Commit time
Failed to load latest commit information.
.github/workflows Add missing whitespace Mar 21, 2020
lib Only support hex dependencies Mar 9, 2020
test Fix typo Mar 9, 2020
.credo.exs Add Credo Mar 4, 2020
.formatter.exs Add Credo Mar 4, 2020
.gitignore Initial commit Mar 3, 2020 Add changelog Mar 9, 2020 Initial commit Mar 3, 2020
Makefile Add support for Elixir 1.8 and build matrix Mar 16, 2020 Add clearer escript instructions Mar 6, 2020
mix.exs v0.1.3 Mar 16, 2020
mix.lock Add Credo Mar 4, 2020

MixAudit provides a mix deps.audit task to scan Mix dependencies for security vulnerabilities.
It draw its inspiration from tools like npm audit and bundler-audit.


Project dependency

Add mix_audit to the deps function in your project’s mix.exs file:

defp deps do
    {:mix_audit, "~> 0.1", only: [:dev, :test], runtime: false}

Then run mix do deps.get, deps.compile inside your project’s directory.

Local escript

If you do not wish to include mix_audit in your project dependencies, you can install it as global escript:

$ mix escript.install hex mix_audit
* creating …/.mix/escripts/mix_audit

The only difference is that instead of using the mix deps.audit task, you will have to use the created executable.


To generate a security report, you can use the deps.audit Mix task:

$ mix deps.audit


Option Type Default Description
--path String Current directory The root path of the project to audit
--format String "human" The format of the report to generate ("json" or "human")
--ignore-advisory-ids String "" Comma-separated list of advisory IDs to ignore
--ignore-package-names String "" Comma-separated list of package names to ignore


How does it work?

MixAudit builds two lists when it’s executed in a project:

  1. A list of security advisories fetched from the community-maintained elixir-security-advisories repository
  2. A list of Mix dependencies from the various mix.lock files in the project

Then, it loops through each project dependency and tries to find security advisories that apply to it (through its package name) and that match its version specification (through the advisory patched and unaffected version policies).

If one is found, a vulnerability (the combination of a security advisory and a project dependency) is then added to the report.

The task will exit with a 0 status only if the report passes (ie. it reports no vulnerabilities). Otherwise, it will exit with a 1 status.


MixAudit is © 2020 Mirego and may be freely distributed under the New BSD license. See the file.

The detective hat logo is based on this lovely icon by Vectors Point, from The Noun Project. Used under a Creative Commons BY 3.0 license.

About Mirego

Mirego is a team of passionate people who believe that work is a place where you can innovate and have fun. We’re a team of talented people who imagine and build beautiful Web and mobile applications. We come together to share ideas and change the world.

We also love open-source software and we try to give back to the community as much as we can.

You can’t perform that action at this time.