maennchen
GitHub Dependency Submission for Mix
Hey everyone!
If your Elixir project lives on GitHub (public or private), there’s a new GitHub Action that might be worth adding to your CI setup:
erlef/mix-dependency-submission
This Action extracts your dependencies from your mix.exs / mix.lock and submits them to GitHub’s Dependency Submission API. That unlocks several useful GitHub features:
Dependabot alerts and security updates — including transitive deps
Full dependency graph visibility — even without lockfiles
Dependency Review — see what changed in PRs
Helps with auditing and compliance for third-party packages
Quick Example
Add this to your GitHub Actions workflow:
on:
  push:
    branches:
      - "main"
jobs:
  report_mix_deps:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: erlef/mix-dependency-submission@v1
OS Support
It works out-of-the-box on GitHub-hosted runners for:
- Linux (x64, ARM64)
- macOS (x64, ARM64)
- Windows (x64)
Check the README for full compatibility details.
The Action was built as part of the Erlang Ecosystem Foundation’s ongoing efforts to support the BEAM community’s tooling and security story. Feedback and adoption are super appreciated — especially if you’re managing multiple projects or teams.
Let me know if you try it out or run into any issues!
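An added variant of the workflow above (not taken from the post or from the erlef/mix-dependency-submission README): GitHub's Dependency Submission API requires the job token to have `contents: write`, and declaring a `permissions` block at the top level sets every scope you do not list to none, so the job runs with exactly the access it needs and nothing more. The action's own inputs are not shown here; check the README for those.

```yaml
on:
  push:
    branches:
      - "main"

# Scope the GITHUB_TOKEN: the Dependency Submission API needs contents: write.
# Listing any scope here sets all unlisted scopes to "none".
permissions:
  contents: write

jobs:
  report_mix_deps:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: erlef/mix-dependency-submission@v1
```

If the repository or organization already restricts the default token to read-only, this block is what makes the submission step succeed; if the default is permissive, it is what keeps the rest of the job from inheriting write access it does not use.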
Most Liked Responses
maennchen
I’ve already reached out to GitHub about the possibility to integrate this into GitHub itself and run for all Elixir projects. The project is engineered in a way that should also make it simple for them to integrate. (Small self-contained Burrito-based binary)
For now we should try to get it implemented in many repositories so that GitHub will see the interest of the community.
On Gleam / Rebar3: We’re discussing the possibility to build this for rebar3 as well in the EEF. There’s however a few uncertainties that we have to clear up first. I did not yet look into gleam.
jjcarstens
@maennchen This is great and such perfect timing for us. We’ve been ramping up lots of security practices across all our repos and this helps get us one step closer to looking as shiny as the other natively supported languages!
maennchen
Yes, mix.exs files are arbitrary Elixir code. mix.lock always has the same format, but is still Elixir code.
Depending on the SCM (Git / Path, Hex, …), there will be an entry in the lockfile (optional) and it contains different content per SCM. For example, Hex saves the transitive dependencies, Git does not.
To get all the info out, I had to have mix running. (Mix.in_project)
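An added example, not code from the action or the post, illustrating the two points in the reply above: mix.lock is Elixir source, and what each entry records depends on the SCM (a Hex entry carries the package's own dependency list, a Git entry does not). Because the lockfile is code, the example reads it with `Code.string_to_quoted!/2` and converts only literal nodes (maps, tuples, lists, atoms, strings, numbers) into data, refusing anything that would need evaluation; that is a cheaper check than booting Mix and is enough for the lock alone. Pulling path dependencies and the rest of mix.exs still needs a running Mix project, which is what `Mix.Project.in_project/4` provides. The sample lock, its checksums and the git SHA are constructed placeholders; `LockInspect` and its function names are this example's own.

```elixir
# Added example (not part of erlef/mix-dependency-submission): read a mix.lock
# as data rather than executing it, then report per SCM what the lock does and
# does not say about transitive dependencies.
defmodule LockInspect do
  # Constructed sample lock. Checksums and the git SHA are placeholders.
  @sample_lock ~S"""
  %{
    "jason": {:hex, :jason, "1.4.1", "INNER-CHECKSUM-PLACEHOLDER", [:mix],
              [{:decimal, "~> 1.0 or ~> 2.0", [hex: :decimal, repo: "hexpm", optional: true]}],
              "hexpm", "OUTER-CHECKSUM-PLACEHOLDER"},
    "my_fork": {:git, "https://github.com/example/my_fork.git",
                "0123456789abcdef0123456789abcdef01234567", [tag: "v0.1.0"]}
  }
  """

  def sample_lock, do: @sample_lock

  @doc "Parse lock source into a map, accepting only literal AST nodes."
  def parse(source) when is_binary(source) do
    source
    |> Code.string_to_quoted!(file: "mix.lock")
    |> to_term()
  end

  # Map literal %{k => v, ...} is quoted as {:%{}, meta, pairs}.
  defp to_term({:%{}, _meta, pairs}) do
    Map.new(pairs, fn {k, v} -> {to_term(k), to_term(v)} end)
  end

  # Tuples with three or more elements are quoted as {:{}, meta, elements}.
  defp to_term({:{}, _meta, elems}), do: elems |> Enum.map(&to_term/1) |> List.to_tuple()

  # Two-element tuples, lists, atoms, strings and numbers are their own AST.
  defp to_term({a, b}), do: {to_term(a), to_term(b)}
  defp to_term(list) when is_list(list), do: Enum.map(list, &to_term/1)
  defp to_term(lit) when is_atom(lit) or is_binary(lit) or is_number(lit), do: lit

  # Anything else (a call, a variable, an operator) is code, not data: refuse it.
  defp to_term(node), do: raise(ArgumentError, "non-literal node in lock: #{inspect(node)}")

  @doc "Describe every lock entry by its SCM."
  def summarize(lock) when is_map(lock) do
    lock
    |> Enum.map(fn {name, entry} -> describe(name, entry) end)
    |> Enum.sort_by(& &1.name)
  end

  # Hex entry: {:hex, pkg, version, inner_checksum, managers, deps, repo, outer_checksum}.
  # Older Hex wrote seven elements (no outer checksum); deps sits at index 5 either way.
  defp describe(name, entry) when elem(entry, 0) == :hex and tuple_size(entry) >= 6 do
    transitive = for {dep, _requirement, _opts} <- elem(entry, 5), do: dep
    %{name: name, scm: :hex, version: elem(entry, 2), transitive: transitive}
  end

  # Git entry: {:git, url, resolved_ref, opts}. The lock records no dependency list,
  # so transitive deps can only be learned by fetching and loading that project.
  defp describe(name, {:git, url, ref, _opts}) do
    %{name: name, scm: :git, url: url, ref: ref, transitive: :not_in_lock}
  end

  # Path deps normally have no lock entry at all; anything unrecognised is reported raw.
  defp describe(name, entry), do: %{name: name, scm: :unknown, raw: entry}
end

# Run with `elixir lock_inspect.exs`: jason reports transitive [:decimal],
# my_fork reports transitive :not_in_lock.
LockInspect.sample_lock()
|> LockInspect.parse()
|> LockInspect.summarize()
|> IO.inspect()
```

Swapping `@sample_lock` for `File.read!("mix.lock")` runs the same check against a real project; a lock that raises in `to_term/1` contains something other than literals and deserves a look before any tool evaluates it.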