Scheduled-run helper for the security scan. Designed to be invoked by cron, GitHub Actions, or any other recurring trigger.
Each run does four things:

- Runs the full `mix mob.security_scan` against the project.
- Overwrites `SECURITY_SCAN.md` — a current-state snapshot you can point at to answer "what's the situation right now?".
- Prepends a changelog entry to `SECURITY_HISTORY.md` — newest at the top — describing what's New / Resolved / Still present since the last logged run.
- Updates the JSON state sidecar at `.security_scan/state.json` so the next run can compute its diff.

Commit all three files. The state file is what makes the changelog meaningful across machines and CI runs — without it every scheduled run reports every finding as "new" and the history loses signal.
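The following is an added illustration of the New / Resolved / Still present bookkeeping described above; it is not the task's own code. It assumes a finding shape of `tool`, `rule`, `file` and `severity`, a fingerprint built from the first three, and a sidecar layout of `ran_at` plus a list of `fingerprint`/`severity` entries; the real `state.json` format may differ. The sample previous state and current findings are constructed, and the advisory id in them is a placeholder.

```elixir
# Added example (not the project's own code): how a state sidecar such as
# .security_scan/state.json lets a scheduled run split findings into
# New / Resolved / Still present. Finding shape, fingerprint scheme and
# sidecar layout are assumptions, not the task's real format.
defmodule ScanHistoryExample do
  @severity_rank %{"low" => 0, "medium" => 1, "high" => 2, "critical" => 3}

  # Stable identity for a finding across runs. Deliberately excludes the line
  # number so that unrelated edits above a finding do not make it look "new".
  def fingerprint(%{tool: tool, rule: rule, file: file}), do: "#{tool}:#{rule}:#{file}"

  # Compare this run's findings with the previous state. `prev_state` is the
  # decoded JSON map written by the previous run (nil on the very first run).
  def diff(prev_state, findings) do
    previous = Map.new(Map.get(prev_state || %{}, "findings", []), &{&1["fingerprint"], &1})
    current = Map.new(findings, &{fingerprint(&1), &1})

    # Filter by fingerprint, then sort so the changelog is deterministic.
    select = fn source, keep? ->
      source
      |> Enum.filter(fn {fp, _} -> keep?.(fp) end)
      |> Enum.sort()
      |> Enum.map(&elem(&1, 1))
    end

    %{
      new: select.(current, &(not Map.has_key?(previous, &1))),
      resolved: select.(previous, &(not Map.has_key?(current, &1))),
      still_present: select.(current, &Map.has_key?(previous, &1))
    }
  end

  # Render one changelog entry. Resolved findings come from the stored state,
  # so they only carry the fields the sidecar kept (string keys).
  def render_entry(date, %{new: new, resolved: resolved, still_present: still}) do
    section = fn title, items, line ->
      body = if items == [], do: "- none", else: Enum.map_join(items, "\n", line)
      "### #{title} (#{length(items)})\n#{body}"
    end

    finding_line = fn f -> "- [#{f.severity}] #{f.tool}/#{f.rule} in #{f.file}" end
    stored_line = fn s -> "- [#{s["severity"]}] #{s["fingerprint"]}" end

    Enum.join(
      [
        "## #{date}",
        section.("New", new, finding_line),
        section.("Resolved", resolved, stored_line),
        section.("Still present", still, finding_line)
      ],
      "\n\n"
    ) <> "\n"
  end

  # Prepend so the newest run sits at the top of the history file.
  def prepend_history(path, entry) do
    existing = if File.exists?(path), do: File.read!(path), else: ""
    File.write!(path, entry <> "\n" <> existing)
  end

  # State sidecar for the next run: fingerprints plus severity only. Encode it
  # with the project's JSON library before writing it to disk.
  def next_state(date, findings) do
    %{
      "ran_at" => date,
      "findings" =>
        Enum.map(findings, &%{"fingerprint" => fingerprint(&1), "severity" => &1.severity})
    }
  end

  # --strict semantics from the usage text: fail the run on any high+ finding.
  def strict_failure?(findings) do
    Enum.any?(findings, &(Map.get(@severity_rank, &1.severity, 0) >= @severity_rank["high"]))
  end
end

# Constructed sample data: what the previous run stored, and what this run found.
prev_state = %{
  "ran_at" => "2024-01-01",
  "findings" => [
    %{"fingerprint" => "semgrep:sql-injection:lib/repo.ex", "severity" => "high"},
    %{"fingerprint" => "osv-scanner:PLACEHOLDER-ADVISORY-ID:mix.lock", "severity" => "medium"}
  ]
}

findings = [
  %{tool: "semgrep", rule: "sql-injection", file: "lib/repo.ex", severity: "high"},
  %{tool: "flawfinder", rule: "strcpy", file: "native/util.c", severity: "medium"}
]

diff = ScanHistoryExample.diff(prev_state, findings)
IO.puts(ScanHistoryExample.render_entry("2024-01-02", diff))
IO.inspect(ScanHistoryExample.strict_failure?(findings), label: "strict failure")
```

Run it with `elixir scan_history_example.exs`: the semgrep finding lands under Still present, the flawfinder one under New, and the osv-scanner entry under Resolved. Because the previous state only holds fingerprints, a finding is "resolved" the moment the scanner stops reporting it, which is also what happens if a scanner is missing from the runner; keep the tool list in the CI job stable so a dropped tool does not read as fixed findings.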
## Usage

```
mix mob.security_scan.log                      # default paths
mix mob.security_scan.log --scan SECURITY.md \
                          --history HISTORY.md \
                          --state .scan/state.json
mix mob.security_scan.log --strict             # exit 1 if any high+ finding
```

## Suggested cron entry
```
# daily at 06:00 local
0 6 * * * cd /path/to/project && mix mob.security_scan.log >> /tmp/security_scan.log 2>&1
```

## Suggested GitHub Actions workflow
```yaml
name: security-scan
on:
  schedule: [{cron: "0 6 * * *"}]
  workflow_dispatch:
jobs:
  scan:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4
      - uses: erlef/setup-beam@v1
        with: {elixir-version: "1.19", otp-version: "28"}
      - run: brew install osv-scanner semgrep flawfinder detekt swiftlint
      - run: mix deps.get
      - run: mix mob.security_scan.log
      - uses: peter-evans/create-pull-request@v6
        with:
          title: "security: weekly scan update"
          commit-message: "security: weekly scan update"
          branch: security-scan-update
          add-paths: SECURITY_SCAN.md SECURITY_HISTORY.md .security_scan/state.json
```