vs GitHub Advanced Security

is better than GitHub Advanced Security for defending Elixir applications. GitHub as a company has shown interest in Elixir, adding native support in the web interface and including Elixir in its advisory database. I was personally surprised to learn that GitHub Advanced Security/Dependabot does not support alerting on vulnerable Elixir dependencies, which is a major gap. Even if GitHub does add true Elixir support, is a fundamentally different product. GitHub only has source code access, so its security feature set stops there, while provides end-to-end security coverage, from code to runtime deployment.

1. Dependency Security (SCA)

Does your Elixir application have a vulnerability introduced via a dependency? Dependabot cannot detect this because GitHub's dependency graph does not support Elixir. Here is an example project with a critical RCE introduced via an outdated version of the Paginator library:

Dependabot can pick up on the fact that paginator is outdated, but it will not detect the security issue:

is able to detect the security issue, both in the PR (via the GitHub App) and as a security metric in the web interface:

Dependabot is most useful as a reminder to regularly install updates for a project, although in practice these alerts are often ignored. will only alert on true security issues.
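To make concrete what a dependency security (SCA) check for an Elixir project actually does, here is an added example written for this page; it is not code from the original post or from the product it describes. It reads a mix.lock, extracts the pinned version of every Hex package, and compares each one against an advisory list, flagging packages whose installed version is below the first fixed version. The mix.lock contents and the advisory entries are constructed for the demonstration: the version range and advisory id given for paginator are placeholders, not the real advisory data, and the hashes are placeholders too. Python is used here because this is the kind of check that runs as a CI script.

```python
"""
Added example: a minimal SCA check for an Elixir project's mix.lock.
Not part of the original page or of the product it describes.
All sample data below is constructed; advisory ids and version ranges are placeholders.
"""
import re
import sys

# Constructed mix.lock excerpt in the format Mix writes: "name": {:hex, :pkg, "version", ...}.
# Git/path dependencies (like phoenix_live_view here) carry no Hex version and are skipped.
SAMPLE_MIX_LOCK = '''%{
  "ecto": {:hex, :ecto, "3.11.1", "<hash-placeholder>", [:mix], [], "hexpm", "<hash-placeholder>"},
  "paginator": {:hex, :paginator, "1.0.3", "<hash-placeholder>", [:mix], [{:ecto, "~> 3.0", [hex: :ecto, repo: "hexpm", optional: false]}], "hexpm", "<hash-placeholder>"},
  "plug": {:hex, :plug, "1.15.2", "<hash-placeholder>", [:mix], [], "hexpm", "<hash-placeholder>"},
  "phoenix_live_view": {:git, "https://github.com/phoenixframework/phoenix_live_view.git", "abc123", [tag: "v0.20.0"]}
}
'''

# Constructed advisory feed. "fixed_in" is the first version that is NOT affected.
# These are placeholder values for the demonstration, not real advisory data.
SAMPLE_ADVISORIES = [
    {"package": "paginator", "fixed_in": "1.0.4", "severity": "critical",
     "id": "ADVISORY-ID-PLACEHOLDER-1", "title": "placeholder: remote code execution"},
    {"package": "plug", "fixed_in": "1.14.0", "severity": "high",
     "id": "ADVISORY-ID-PLACEHOLDER-2", "title": "placeholder: already fixed in the sample lock"},
    {"package": "not_installed", "fixed_in": "9.9.9", "severity": "low",
     "id": "ADVISORY-ID-PLACEHOLDER-3", "title": "placeholder: package absent from the lock"},
]

# Matches only top-level Hex entries, not the nested requirement lists inside them.
HEX_ENTRY = re.compile(
    r'"(?P<name>[\w-]+)":\s*\{:hex,\s*:(?P<pkg>[\w-]+),\s*"(?P<version>[^"]+)"'
)


def parse_mix_lock(text):
    """Return {package: pinned_version} for every Hex-sourced entry in a mix.lock."""
    return {m.group("pkg"): m.group("version") for m in HEX_ENTRY.finditer(text)}


def version_key(version):
    """Turn a semver string into a tuple that sorts correctly.

    Pre-release versions ("1.0.3-rc.1") sort before the final release ("1.0.3");
    build metadata after "+" is ignored, as semver requires.
    """
    version = version.split("+", 1)[0]
    core, _, pre = version.partition("-")
    nums = tuple(int(p) for p in core.split("."))
    nums = (nums + (0, 0, 0))[:3]          # pad "1.0" to (1, 0, 0)
    return nums + ((0, pre) if pre else (1, ""))


def find_vulnerable(lock, advisories):
    """Return one finding per advisory whose package is installed below its fixed version."""
    findings = []
    for adv in advisories:
        installed = lock.get(adv["package"])
        if installed is None:
            continue                       # package not in this project
        if version_key(installed) < version_key(adv["fixed_in"]):
            findings.append({
                "package": adv["package"],
                "installed": installed,
                "fixed_in": adv["fixed_in"],
                "severity": adv["severity"],
                "id": adv["id"],
                "title": adv["title"],
            })
    return findings


def scan(lock_text, advisories):
    """Parse the lock file and return findings, most severe first."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    findings = find_vulnerable(parse_mix_lock(lock_text), advisories)
    return sorted(findings, key=lambda f: order.get(f["severity"], 99))


if __name__ == "__main__":
    # In CI you would read the real mix.lock and a real advisory feed here.
    results = scan(SAMPLE_MIX_LOCK, SAMPLE_ADVISORIES)
    for f in results:
        print(f"[{f['severity'].upper()}] {f['package']} {f['installed']} "
              f"(fixed in {f['fixed_in']}): {f['title']} [{f['id']}]")
    # Non-zero exit fails the pipeline when a vulnerable dependency is pinned.
    sys.exit(1 if results else 0)
```

The point the check illustrates is the one the paragraph makes: "outdated" and "vulnerable" are different questions. Only the paginator entry is reported, because it is pinned below the (placeholder) fixed version; plug is reported as clean even though newer releases exist, and an advisory for a package the project does not use produces no noise. A real tool would replace the constructed advisory list with a maintained feed and handle version ranges with more than one fixed branch.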

2. Static Code Analysis (SAST)

CodeQL, the code scanner developed by GitHub, does not support Elixir. With GitHub Advanced Security, you can upload Sobelow results to the GitHub interface.

This is the extent of Elixir support you get for static code analysis.

With, you can:

  1. Rank Sobelow findings by criticality.
  2. Have the GitHub App suggest security fixes.
  3. Get a detailed description of how to triage and fix each finding.
  4. Receive a weekly email summary to ensure scans are running correctly.

can also be used together with GitHub Advanced Security, adding context to individual findings:

3. Additional Features

In summary, GitHub has limited support for static code analysis (SAST) and dependency security (SCA) when it comes to Elixir. It completely lacks support for:

  1. Open source license compliance
  2. Developer security guidance (without
  3. Runtime exploit guard (RASP)
  4. Runtime dependency inventory
  5. Bot defense

All of these are features which supports today. While GitHub is a good product, the incomplete Elixir support in its security offering is a blemish that is hard to ignore.

4. Features

Open Source License Compliance - Does your company ban specific open source licenses? When was the last time you checked your Elixir projects for violations? automates this work.

Developer Security Guidance - Sobelow just alerted your developer to a critical security problem, but the project does not explain how to verify and fix the issue. provides detailed instructions on how to do this, educating your team and saving them time.

Runtime Exploit Guard (RASP) - developed the first RASP product for Elixir, with the ability to detect and block remote code execution (RCE) attacks.

Runtime Asset Management - When a new exploit becomes public, the top priority of every security team suddenly becomes tracking down all the locations where the relevant apps are running and checking library versions. is able to get this data at runtime, for the most accurate asset inventory possible.

Bot Defense - Bot Defense runs as part of your Elixir code. This means it cannot be bypassed the way a proxy-based service such as Cloudflare can, and it does not require any third-party JavaScript, so it works on both web applications and API endpoints.

Hex Native Install - You do not have to install Docker, Java, npm, or any additional software to use with your Elixir application. Just as Python has pip and Ruby has RubyGems, Elixir has Hex. Download the open source agent and configure the API key to get started -

Michael Lubas

March 12, 2024
