SAFE - Security Analysis For Erlang

View Source

Security Audit For Erlang and Elixir

A rebar3 plugin that wires SAFE — Erlang/Elixir security scanner from Erlang Solutions — directly into your build, so you can run a security check with rebar3 safe analyse and get results in your terminal.

The plugin takes care of everything: downloads the right version of SAFE for your machine (with SHA256 verification of course), inspects your project structure to build a config, and then hands off to SAFE for the actual analysis.

Features

  • A rebar3 safe command with fingerprint, analyse, download, version, and help subcommands.
  • Automatic binary download and SHA256 checksum verification.
  • Project inspection that handles plain apps and umbrella projects.
  • Fully offline after the first download — SAFE runs locally and does not phone home with your source.

Installation

Add the plugin to your project's rebar.config:

{plugins, [
  {rebar_safe, {git, "https://github.com/Erlang-Solutions/rebar_safe.git", {branch, "main"}}}
]}.

The first time you invoke rebar3 safe <task> the plugin will fetch the SAFE binary into _build/safe/ and cache it there.

Usage

There are two phases. First, fingerprint your project — this generates a unique, anonymous fingerprint that we (Erlang Solutions) use to issue a license. Your code never leaves your machine; the fingerprint contains only structural metadata about your apps and build paths.

rebar3 safe fingerprint

SAFE is free for open-source projects. If you maintain one, please reach out at safe@erlang-solutions.com and we'll sort out a license.

Once you have a license and it's exported into your environment (see the SAFE docs for the variable name and format), run the analysis:

rebar3 safe analyse

The analysis exits non-zero if vulnerabilities are found, so it integrates cleanly with common CI providers.

Other tasks

rebar3 safe download    # Just fetch the binary, don't run anything
rebar3 safe version     # Print plugin and SAFE binary versions
rebar3 safe help        # Show the full task list

Set DEBUG=1 to get verbose output about paths, version resolution, and the exact command being passed to SAFE — useful when something isn't behaving and you want to see what the plugin thinks it's doing.

Development

rebar3 compile           # Build the plugin
rebar3 eunit             # Unit tests
rebar3 dialyzer          # Type analysis
rebar3 fmt --check       # Formatting

python3 scripts/integration_test.py -v   # End-to-end tests against fixtures

The integration tests symlink the local plugin into the fixtures/ projects via _checkouts, run the real rebar3 safe commands, and assert against the output. They need a network connection on first run to fetch the SAFE binary; after that they work offline.

Requirements

  • Erlang/OTP: 25 or later (CI tests 25, 26, 27, 28)
  • rebar3: 3.18 or later (CI uses 3.24)
  • OS: Linux or macOS, x86_64

Security

The plugin verifies SHA256 checksums on every binary download and uses TLS with the certifi CA bundle for all network operations.

License

Apache 2.0 — see LICENSE.