This document describes secure development process practices for Hex registry infrastructure.
Code review requirements are enforced through GitHub rulesets. See the repository rulesets for the authoritative configuration.
| Repository | Status |
|---|
| hexpm/hexpm | Active |
| hexpm/hex | Active |
| hexpm/hex_core | Active |
| hexpm/hex_solver | Active |
| hexpm/hexdocs | Active |
| hexpm/preview | Active |
| hexpm/diff | Active |
| hexpm/specifications | Active |
| hexpm/bob | None |
| hexpm/hexdocs-search | None |
| Rule | Configuration |
|---|
| CodeQL | All security alerts, all general alerts |
| Zizmor | All security alerts, all general alerts |
| Code quality | All severity levels enforced |
| Bypass | No bypass permissions configured |
Reviewers evaluate:
- Authentication and authorization boundaries
- Input validation at trust boundaries
- Output encoding to prevent injection
- Cryptographic usage
- Secrets handling
| Test Type | Coverage | Notes |
|---|
| Unit tests | All projects | Required for changes |
| Integration tests | Hex client against hexpm | Matrix across Hex versions |
| Property-based tests | hex_core | proper framework |
Projects are tested against:
The Hex client is integration tested against the hexpm registry.
| Check | Enforcement |
|---|
| All CI checks pass | Required |
| CodeQL security scan | Required |
| Zizmor workflow scan | Required |
| Code review | Required |
| Scanner | Trigger | Scope |
|---|
| CodeQL | Push/PR to main, weekly | GitHub Actions |
| Zizmor | Push/PR to main, weekly | Workflow security |
We collaborate with the Erlang Ecosystem Foundation CNA for BEAM ecosystem CVEs.
| Severity | Response |
|---|
| Critical / High | Out-of-band release |
| Medium / Low | Normal update cycle |
| Boundary | Validation |
|---|
| API endpoints | Parameter validation |
| Package uploads | Format and size validation |
| User input | Sanitization before storage |
| Practice | Implementation |
|---|
| Parameterized queries | Ecto (no raw SQL) |
| Connection pooling | Postgrex with TLS |
| Schema validation | Ecto changesets |
| Feature | Implementation |
|---|
| Password hashing | bcrypt |
| TOTP 2FA | pot library |
| OAuth2 | ueberauth + GitHub |
| Session management | Phoenix sessions |