Secure Process

May 10, 2026 ยท View on GitHub

This document describes secure development process practices for Hex registry infrastructure.

Code Review

Requirements

Code review requirements are enforced through GitHub rulesets. See the repository rulesets for the authoritative configuration.

RepositoryStatus
hexpm/hexpmActive
hexpm/hexActive
hexpm/hex_coreActive
hexpm/hex_solverActive
hexpm/hexdocsActive
hexpm/previewActive
hexpm/diffActive
hexpm/specificationsActive
hexpm/bobNone
hexpm/hexdocs-searchNone

Ruleset Configuration (hexpm)

RuleConfiguration
CodeQLAll security alerts, all general alerts
ZizmorAll security alerts, all general alerts
Code qualityAll severity levels enforced
BypassNo bypass permissions configured

Security Considerations

Reviewers evaluate:

  • Authentication and authorization boundaries
  • Input validation at trust boundaries
  • Output encoding to prevent injection
  • Cryptographic usage
  • Secrets handling

Quality Assurance

Testing

Test TypeCoverageNotes
Unit testsAll projectsRequired for changes
Integration testsHex client against hexpmMatrix across Hex versions
Property-based testshex_coreproper framework

Compatibility Testing

Projects are tested against:

Hex Client Integration

The Hex client is integration tested against the hexpm registry.

CI Gates

CheckEnforcement
All CI checks passRequired
CodeQL security scanRequired
Zizmor workflow scanRequired
Code reviewRequired

Security Scanning

Automated Scanners

ScannerTriggerScope
CodeQLPush/PR to main, weeklyGitHub Actions
ZizmorPush/PR to main, weeklyWorkflow security

Vulnerability Sources

We collaborate with the Erlang Ecosystem Foundation CNA for BEAM ecosystem CVEs.

Vulnerability Response

SeverityResponse
Critical / HighOut-of-band release
Medium / LowNormal update cycle

Vulnerability Handling

Secure Coding Practices

Input Validation

BoundaryValidation
API endpointsParameter validation
Package uploadsFormat and size validation
User inputSanitization before storage

Database Security

PracticeImplementation
Parameterized queriesEcto (no raw SQL)
Connection poolingPostgrex with TLS
Schema validationEcto changesets

Authentication

FeatureImplementation
Password hashingbcrypt
TOTP 2FApot library
OAuth2ueberauth + GitHub
Session managementPhoenix sessions