This tutorial is a step-by-step guide to setting up Application Secure with the open-source vulnerable Elixir application Potion Shop. It walks through creating an account, installing the agent, and getting results flowing to the backend.

1. Create your account

Go to in your web browser. Create a new account. You will receive a confirmation email; use it to confirm your account and sign in. You have no sites at this point.


2. Create your site

Create a new site, but pick a domain other than local_potion_shop. Note that the domain is really treated as a comment by, you can put any value you want here; it does not have to be a valid URL, and no HTTP requests are ever sent to it.




3. Install the agent

Open mix.exs. If you see the line:

  {:sobelow, "~> 0.13", only: [:dev, :test], runtime: false}

Delete it. The Paraxial agent will install Sobelow as a dependency, so deleting this line avoids a conflict.

Add the following to your mix.exs file:

{:paraxial, "~> 2.7.6"}

Then run mix deps.get


4. Configure the dev environment

Open config/dev.exs and add:

config :paraxial,
  paraxial_api_key: System.get_env("PARAXIAL_API_KEY"),
  paraxial_url: ""

Set the PARAXIAL_API_KEY environment variable to keep this secret out of source code.

The API key's value is found under "Site Settings"; it looks like a UUID. To keep it out of source code for this tutorial, you can do:

export PARAXIAL_API_KEY=your_value_here


5. Install the Paraxial agent


mix deps.get - Installs the agent

mix paraxial.scan - Runs Code Scans and License Scan

mix phx.server - Runs app audit. If you are not in a Phoenix application, you can also do iex -S mix

When running these commands, watch out for errors and warnings. Common issues:

  1. Did you put the configuration in the config/dev.exs file?
  2. Is PARAXIAL_API_KEY set correctly? Sometimes there is a trailing newline and that breaks things.
  3. Is paraxial_url set to "", with quotes?
  4. What mix environment is your application running in? Is it dev?
  5. If the API key is being read, but the scan upload fails, is it the correct value?
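A pre-flight check for items 2 and 4 of the list above, as an added example that is not part of the Paraxial agent or its documentation. The function names are hypothetical, and the pattern assumes the key is a canonical 8-4-4-4-12 hex UUID, since the tutorial only says it looks like one.

```shell
#!/bin/sh
# Added example (not Paraxial code). Diagnoses a bad PARAXIAL_API_KEY without
# ever printing the secret itself.

# check_paraxial_key KEY
# Returns 0 = usable, 1 = empty, 2 = stray whitespace/control bytes, 3 = not UUID-shaped.
check_paraxial_key() {
  key=$1
  if [ -z "$key" ]; then
    echo "empty: PARAXIAL_API_KEY is not set in this shell"
    return 1
  fi
  # Remove whitespace and control characters. Any difference means the value
  # carries stray bytes, e.g. a trailing newline or a \r from a CRLF file.
  cleaned=$(printf '%s' "$key" | tr -d '[:space:][:cntrl:]')
  if [ "$cleaned" != "$key" ]; then
    echo "whitespace: key has ${#key} bytes, ${#cleaned} after stripping"
    return 2
  fi
  # Assumption: canonical UUID layout, 8-4-4-4-12 hex digits.
  if ! printf '%s' "$key" |
      grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'; then
    echo "format: key does not have UUID shape"
    return 3
  fi
  echo "ok"
}

# check_mix_env [ENV]
# The tutorial puts the config in config/dev.exs, which Phoenix projects
# conventionally load only when the Mix environment is dev (Mix's default).
check_mix_env() {
  mix_env=${1:-${MIX_ENV:-dev}}
  if [ "$mix_env" != "dev" ]; then
    echo "env: MIX_ENV=$mix_env, but the config was added to config/dev.exs"
    return 1
  fi
  echo "ok"
}
```

Source the file in the shell where you exported the key, then run `check_paraxial_key "$PARAXIAL_API_KEY"` and `check_mix_env` before `mix paraxial.scan`.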

If everything worked, you should see the following screen:


See Code Scans for more information.