# `Safe.Shell`
[🔗](https://github.com/erlang-solutions/safe-mix-plugin/blob/main/lib/mix/tasks/safe/shell.ex#L1)

Executes the SAFE binary via `System.cmd/3`.

Arguments are passed as a list — no shell string is constructed — so there
is no risk of command injection from user-controlled data such as the
project path or config JSON.

# `run_safe`

Runs the SAFE binary with the given subcommand, streaming output line-by-line
to stdout.

`config_spec` is either `{:config_path, path}` (pass `--config-path <file>`)
or `{:config_json, json}` (pass `--config-json <inline_json>`).

Returns `:ok` on exit code 0, or `{:error, {subcommand_atom, exit_code}}`
for any non-zero exit. Exit code 2 indicates vulnerabilities were found and
is treated as a distinct (non-fatal) result by the caller.

---

*Consult [api-reference.md](api-reference.md) for complete listing*