Security Documentation
May 10, 2026 ยท View on GitHub
This documentation describes the security model, practices, and controls for the Hex package ecosystem.
Overview
Hex.pm is a package registry for the Erlang and Elixir ecosystem. It enables publishing, discovery, and consumption of packages used in production systems. This documentation covers:
- What we protect and what can go wrong (threat model)
- How we build and release software securely (SDLC)
- How we operate and respond to incidents (operations)
- How we ensure package integrity (supply chain)
Documentation Structure
Threat Model
Analysis of assets, actors, threats, and mitigations.
- Overview - Scope and methodology
- Architecture - System overview and trust boundaries
- Assets - What we protect
- Actors - Legitimate users and adversaries
- Threats - Key threats to the ecosystem
- Mitigations - How threats are addressed
- Assumptions - What we assume and don't guarantee
Secure Development Lifecycle
How we build and maintain secure software, organized into three pillars.
- Overview - SDLC structure and registers
- Secure Build - Artifact provenance, dependencies, toolchain
- Secure Process - Code review, QA, security scanning, vulnerability handling
- Secure Runtime - Deployment, secrets, monitoring
- Risk Register - Accepted risks and mitigations
- Exception Register - Approved policy deviations
Operations
How we operate and respond to security events.
- Incident Response - Triage, response, notification
- Access Control - Internal access principles
Supply Chain Security
How we ensure package integrity from publish to install.
- Overview - Supply chain security approach
- Provenance - Build origin and attestations
- Signing - Registry signing and checksums
- Verification - Client-side verification
Related Documentation
- Client Flows - Authentication and verification flows
- Endpoints - API and repository endpoints