Security Vendors and Elixir Support

Michael Lubas, 2024-02-28

Many security vendors claim to support Elixir, yet when setup time comes the results are often disappointing. The chart above lists several common security tools and requirements for securing Elixir code, mapping features to the relevant vendors. Below are notes about how each vendor was assessed. Author contact: michael at this domain.

  1. SAST - Supported via Sobelow
  2. SCA - Supported
  3. Open Source License Compliance - Supported
  4. Developer Security Guidance - Created and open sourced by
  5. RASP - Created and open sourced by
  6. Runtime Asset Management - Supported
  7. Bot Defense - Supported
  8. Hex Native Install - Supported


To GitHub’s credit, they have been strong supporters of Elixir, adding native support in the web interface and including Elixir in their advisories database.

  1. SAST - Supported via Sobelow upload
  2. SCA - Dependabot does support Elixir, but it's not perfect. For example, Elixir is not supported in dependency graph.


  1. SAST - Supported via Sobelow, but requires a special wrapper with Go
  2. SCA - No


  1. SAST - No
  2. SCA - Supported
  3. License Compliance - No


  1. SAST - No
  2. SCA - Supported
  3. License Compliance - Probably since they have it for SCA, I did not buy a license but it seems like they do.


  1. SAST - Supported
  2. SCA - No
  3. Developer Guidance - There are Elixir specific articles, but the quality is not good and some examples are wrong. For example, the binary_to_term article fails to mention non_executable_binary_to_term. The example given is not secure.


Cloudflare has a bot defense offering. Many customers also use Cloudflare, there is no technical conflict. See the vs Cloudflare article for more details.

reCaptcha can be used with reCaptcha, there is no technical conflict. See the vs reCaptcha article for more details. stops data breaches by securing your Elixir and Phoenix apps. Detect and fix critical security issues today.

Subscribe to stay up to date on new posts.