mix mob.security_scan (mob_dev v0.3.37)


Audits the project for known vulnerabilities and unsafe code across every surface a Mob app actually ships:

  • Hex dependency CVEs (mix_audit, osv-scanner over mix.lock)
  • Android Gradle dependency CVEs (osv-scanner)
  • iOS Swift Package dependency CVEs (osv-scanner)
  • Bundled-runtime CVEs — OpenSSL/SQLite/OTP/Elixir baked into Mob's pre-built OTP tarballs (manifest + fingerprint verification + OpenSSL/SQLite/Erlef advisory feeds)
  • C source static analysis (semgrep, flawfinder)
  • Kotlin static analysis (detekt)
  • Swift static analysis (xcodebuild analyze)

Layers run sequentially. A missing external scanner is a soft warning, not a failure — the layer reports tool missing and the rest of the scan continues.

Usage

mix mob.security_scan                       # full scan, pretty terminal output
mix mob.security_scan --json                # machine-readable JSON to stdout
mix mob.security_scan --skip hex,gradle     # skip named layers
mix mob.security_scan --strict              # exit 1 if any high+ finding
mix mob.security_scan --write-report PATH   # also write a markdown report
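The layer flow described above (layers run in order, a layer named in --skip is passed over, a missing scanner is reported as tool missing rather than aborting the run, and --strict turns any high-or-above finding into exit status 1), modelled as a short Elixir script. This is an added illustration, not mob_dev's own implementation; the layer names, the result tuples and the severity ordering are assumptions made here.

```elixir
# Toy model of the scan flow, not mob_dev's code: layer names, result tuples
# and the severity order are assumptions made for this illustration.
defmodule ScanPipelineDemo do
  # Runs `layers` ({name, tool, runner}) in order. Layers in opts[:skip] are
  # skipped; a layer whose tool is not installed reports :tool_missing and the
  # scan continues. opts[:find_tool] stubs System.find_executable/1 so the
  # script can run without the real scanners. Returns {exit_status, results}.
  def run(layers, opts \\ []) do
    skip = Keyword.get(opts, :skip, [])
    find_tool = Keyword.get(opts, :find_tool, &System.find_executable/1)

    results =
      Enum.map(layers, fn {name, tool, runner} ->
        cond do
          name in skip -> {name, :skipped}
          is_nil(find_tool.(tool)) -> {name, {:tool_missing, tool}}
          true -> {name, {:findings, tool, runner.()}}
        end
      end)

    {exit_status(results, Keyword.get(opts, :strict, false)), results}
  end

  # --strict: exit 1 when any finding is :high or above, otherwise 0.
  defp exit_status(results, strict) do
    high_plus? =
      Enum.any?(results, fn
        {_, {:findings, _, fs}} -> Enum.any?(fs, &(rank(&1.severity) >= rank(:high)))
        _ -> false
      end)

    if strict and high_plus?, do: 1, else: 0
  end

  defp rank(severity), do: Map.fetch!(%{low: 1, medium: 2, high: 3, critical: 4}, severity)
end

# Constructed layers with canned findings; semgrep is pretended absent so the
# C-source layer degrades to tool_missing instead of aborting the scan.
layers = [
  {:hex, "mix_audit", fn -> [%{id: "constructed-advisory-1", severity: :high}] end},
  {:gradle, "osv-scanner", fn -> [] end},
  {:c_src, "semgrep", fn -> [%{id: "constructed-lint-1", severity: :low}] end}
]

{status, results} =
  ScanPipelineDemo.run(layers, skip: [:gradle], strict: true,
    find_tool: fn t -> if t == "semgrep", do: nil, else: "/usr/local/bin/" <> t end)

IO.inspect({status, results}, label: "{exit status, layers}")
```

Run it with `elixir scan_demo.exs`; swapping the stubbed find_tool for the default makes the model consult the real PATH the way the task does.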

External tools

Recommended one-time install on macOS:

brew install osv-scanner semgrep flawfinder detekt

Each layer prints which tool produced its findings so the report is fully sourced.

Why "security_scan" not "audit"

mix mob.audit_otp already exists and does something else — it reports which OTP libs your bundled app doesn't use so they can be stripped to shrink the binary. That's a binary-size audit. This task is the security counterpart, deliberately named differently.