We’ve been using the community-maintained dependabot/elixir-security-advisories repository as a source of data for MixAudit (our dependency vulnerability scanning tool for Elixir projects) for a few years now and it was working great.
But since GitHub announced its Advisory Database would support Erlang and Elixir packages, we’ve been eager to integrate it to MixAudit as a more official and reliable source of data. Moreover, dependabot/elixir-security-advisories was archived last month and is no longer maintained.
However, we recently realized that it wouldn’t be possible to query the GitHub Advisory Database via its API directly because the
securityVulnerabilities query requires authentication. MixAudit needs to be able to run anywhere by anyone (eg. locally or via continuous integration)—requiring a GitHub personal access token seems like a major inconvenience for our users.
This is why we got the idea of building our own publicly accessible source of Elixir security advisories, on top of GitHub Advisory Database: mirego/elixir-security-advisories! 🎉
Every few hours, an automatic GitHub Actions workflow fetches all Elixir security advisories from GitHub’s API and dumps them all into the repository. This allows MixAudit (and any other similar tools) to fetch them easily and anonymously.