This documentation describes the security model, practices, and controls for the Hex package ecosystem.
Hex.pm is a package registry for the Erlang and Elixir ecosystem. It enables publishing, discovery, and consumption of packages used in production systems. This documentation covers:
- What we protect and what can go wrong (threat model)
- How we build and release software securely (SDLC)
- How we operate and respond to incidents (operations)
- How we ensure package integrity (supply chain)
Analysis of assets, actors, threats, and mitigations.
- Overview - Scope and methodology
- Architecture - System overview and trust boundaries
- Assets - What we protect
- Actors - Legitimate users and adversaries
- Threats - Key threats to the ecosystem
- Mitigations - How threats are addressed
- Assumptions - What we assume and don't guarantee
How we build and maintain secure software, organized into three pillars.
- Overview - SDLC structure and registers
- Secure Build - Artifact provenance, dependencies, toolchain
- Secure Process - Code review, QA, security scanning, vulnerability handling
- Secure Runtime - Deployment, secrets, monitoring
- Risk Register - Accepted risks and mitigations
- Exception Register - Approved policy deviations
How we operate and respond to security events.
- Incident Response - Triage, response, notification
- Access Control - Internal access principles
How we ensure package integrity from publish to install.
- Overview - Supply chain security approach
- Provenance - Build origin and attestations
- Signing - Registry signing and checksums
- Verification - Client-side verification
- Client Flows - Authentication and verification flows
- Endpoints - API and repository endpoints