Add ignore_advisories and ignore_retirements configs#1198

Merged: ericmj merged 6 commits into main from audit-ignore-advisories on Jul 2, 2026

Conversation

@ericmj (Member) commented Jul 1, 2026

Since Hex 2.5.0, mix hex.audit fails on security advisories with no way to acknowledge ones that do not affect the project (#1194). This adds two configs to do that:

```elixir
def project() do
  [
    # ...
    hex: [
      ignore_advisories: ["CVE-2026-32686"],
      ignore_retirements: [:decimal, phoenix: "1.0.0"]
    ]
  ]
end
```
  • Both keys follow the standard config chain like policy and cooldown: HEX_IGNORE_ADVISORIES/HEX_IGNORE_RETIREMENTS environment variables (comma-separated; retirement entries as NAME or NAME@VERSION) → mix.exs :hex block → global config.
  • An advisory is ignored when the configured ID matches its primary ID or any of its aliases, case-insensitively, so a GHSA advisory can be ignored by its CVE ID. Matching runs on raw registry advisories before display grouping, which means ignoring a shared CVE also suppresses the aliased EEF/GHSA entries.
  • A retirement is ignored by package name, optionally pinned to a single version so upgrading past the retired release un-ignores it automatically.
  • mix hex.audit lists ignored findings in separate Ignored retired:/Ignored advisories: sections that never affect the exit code, and warns about ignore entries that no longer match anything in the lock so stale entries get cleaned up.
  • mix deps.get and mix deps.update stop tagging ignored findings (VULNERABLE!/RETIRED!) and stop printing the trailing warnings when everything is ignored.
  • Filtering happens only at the audit/display call sites. Registry lookups that feed enforcement — the cooldown bypass for locked versions carrying advisories, and the policy filter — are unaffected.

Closes #1194
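The matching rules the description lays out (comma-separated env entries, case-insensitive ID or alias match for advisories, name or name-pinned-to-version match for retirements), written out as an added illustration. This is not Hex's own code; the module name, the advisory map shape and the sample values are assumptions for the example.

```elixir
# Added illustration of the ignore rules described in the PR body, not Hex's
# implementation. IgnoreRules and the %{id:, aliases:} advisory shape are assumed.
defmodule IgnoreRules do
  # HEX_IGNORE_ADVISORIES: comma-separated advisory IDs.
  def parse_advisories(env) when is_binary(env) do
    env |> String.split(",", trim: true) |> Enum.map(&String.trim/1)
  end

  # HEX_IGNORE_RETIREMENTS: NAME or NAME@VERSION entries, producing the same
  # shape as the mix.exs form [:decimal, phoenix: "1.0.0"].
  def parse_retirements(env) when is_binary(env) do
    env
    |> String.split(",", trim: true)
    |> Enum.map(fn entry ->
      case String.split(String.trim(entry), "@", parts: 2) do
        [name] -> String.to_atom(name)
        [name, version] -> {String.to_atom(name), version}
      end
    end)
  end

  # An advisory is ignored when a configured ID equals its primary ID or any
  # alias, compared case-insensitively, so a GHSA entry can be ignored by CVE.
  def advisory_ignored?(%{id: id, aliases: aliases}, ignore_ids) do
    known = Enum.map([id | aliases], &String.downcase/1)
    Enum.any?(ignore_ids, fn ignore -> String.downcase(ignore) in known end)
  end

  # A retirement is ignored by bare package name, or by name pinned to exactly
  # one version; a pinned entry stops matching once the lock moves past it.
  def retirement_ignored?(name, version, ignore_entries) do
    Enum.any?(ignore_entries, fn
      ^name -> true
      {^name, ^version} -> true
      _ -> false
    end)
  end
end

# Constructed sample input mirroring the PR's example config. The GHSA ID is a
# placeholder; the CVE is the one quoted in the description.
advisory = %{id: "GHSA-xxxx-xxxx-xxxx", aliases: ["CVE-2026-32686"]}
ignore_ids = IgnoreRules.parse_advisories("cve-2026-32686")
IO.inspect(IgnoreRules.advisory_ignored?(advisory, ignore_ids), label: "advisory ignored")

retirements = IgnoreRules.parse_retirements("decimal,phoenix@1.0.0")
IO.inspect(IgnoreRules.retirement_ignored?(:phoenix, "1.0.0", retirements), label: "phoenix 1.0.0 ignored")
IO.inspect(IgnoreRules.retirement_ignored?(:phoenix, "1.1.0", retirements), label: "phoenix 1.1.0 ignored")
```

Run with `elixir ignore_rules.exs`; the last line shows the pinned retirement entry no longer applying after an upgrade, which is the stale-entry case the audit warning is meant to surface.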

ericmj marked this pull request as ready for review July 2, 2026 00:14
ericmj force-pushed the audit-ignore-advisories branch from 65b031e to 9888991 July 2, 2026 00:16
ericmj merged commit 594ac3d into main Jul 2, 2026
31 checks passed
ericmj deleted the audit-ignore-advisories branch July 2, 2026 00:36

Linked issue (closed by this pull request): How to ignore advisories in mix hex.audit? (#1194)