# `MobDev.SecurityScan.Layers.HexDeps`
[🔗](https://github.com/genericjam/mob_dev/blob/master/lib/mob_dev/security_scan/layers/hex_deps.ex#L1)

Audits Hex dependencies in `mix.lock` against two complementary
advisory sources:

  1. [`mix_audit`](https://hexdocs.pm/mix_audit/) — Mirego's curated
     `elixir-security-advisories` repo, cloned into `~/.local/share/`.
     Hex-ecosystem-only, hand-reviewed entries.

  2. [`osv-scanner`](https://google.github.io/osv-scanner/) — Google's
     OSV.dev aggregator, which pulls the Erlef CNA feed alongside many
     other ecosystems. Tends to surface CVE-numbered advisories that
     Mirego hasn't ingested yet.

Running both is deliberate. They miss different things, and the
delta between them is what catches advisories the curated database
hasn't picked up. Findings dedupe on `(advisory_id, package, version)`
with osv-scanner winning on ties (CVSS-derived severity is the more
standard signal).

If `osv-scanner` isn't installed the layer still runs successfully
on `mix_audit` alone — the note records that the second source was
unavailable so the report is honest about coverage.
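The dedupe-and-tiebreak rule and the missing-`osv-scanner` fallback described above, as an added example written for this page rather than the project's own code; the finding map shape, the `:mix_audit`/`:osv_scanner` source tags, the result shape and the placeholder advisory ids are all assumptions.

```elixir
defmodule HexDepsMergeExample do
  # Added example, not the project's code. Field names, the :osv_scanner /
  # :mix_audit source atoms and the result shape are assumptions.

  # Constructed sample findings. In practice each list is parsed from the
  # tool's JSON output; advisory ids and packages here are placeholders.
  @mix_audit_findings [
    %{source: :mix_audit, advisory_id: "EXAMPLE-0001", package: "example_dep_a",
      version: "1.0.0", severity: :high},
    %{source: :mix_audit, advisory_id: "EXAMPLE-0002", package: "example_dep_b",
      version: "2.3.1", severity: :moderate}
  ]
  @osv_findings [
    # Same advisory as mix_audit's first entry: the osv-scanner copy must win.
    %{source: :osv_scanner, advisory_id: "EXAMPLE-0001", package: "example_dep_a",
      version: "1.0.0", severity: :critical},
    # A CVE-numbered advisory the curated database has not ingested yet.
    %{source: :osv_scanner, advisory_id: "CVE-EXAMPLE-0003", package: "example_dep_c",
      version: "0.9.0", severity: :high}
  ]

  @doc "Merge both sources, deduplicating on {advisory_id, package, version}."
  def merge(mix_audit_findings, osv_findings) do
    (mix_audit_findings ++ osv_findings)
    |> Enum.reduce(%{}, fn finding, acc ->
      key = {finding.advisory_id, finding.package, finding.version}
      Map.update(acc, key, finding, &pick_winner(&1, finding))
    end)
    |> Map.values()
    |> Enum.sort_by(&{&1.package, &1.advisory_id})
  end

  # On a tie the osv-scanner entry is kept: its CVSS-derived severity is
  # the more standard signal. Otherwise the first finding seen stays.
  defp pick_winner(%{source: :osv_scanner} = existing, _new), do: existing
  defp pick_winner(_existing, %{source: :osv_scanner} = new), do: new
  defp pick_winner(existing, _new), do: existing

  @doc "Run the layer; `nil` for osv_findings means osv-scanner is not installed."
  def run(mix_audit_findings, nil) do
    %{status: :ok, findings: merge(mix_audit_findings, []),
      notes: ["osv-scanner not installed; coverage is mix_audit only"]}
  end
  def run(mix_audit_findings, osv_findings) do
    %{status: :ok, findings: merge(mix_audit_findings, osv_findings), notes: []}
  end

  def demo, do: run(@mix_audit_findings, @osv_findings)
end
```

`HexDepsMergeExample.demo()` returns three findings, with the `example_dep_a` entry taken from osv-scanner; `run(@mix_audit_findings, nil)` returns only the two mix_audit findings plus the coverage note.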

---

*Consult [api-reference.md](api-reference.md) for the complete listing*
