GitHub Dependency Submission for Mix

Hey everyone!

If your Elixir project lives on GitHub (public or private), there’s a new GitHub Action that might be worth adding to your CI setup:
:backhand_index_pointing_right: erlef/mix-dependency-submission

This Action extracts your dependencies from your mix.exs / mix.lock and submits them to GitHub’s Dependency Submission API. That unlocks several useful GitHub features:

  • :locked_with_key: Dependabot alerts and security updates — including transitive deps
  • :chart_increasing: Full dependency graph visibility — even without lockfiles
  • :eyes: Dependency Review — see what changed in PRs
  • :receipt: Helps with auditing and compliance for third-party packages

Quick Example

Add this to your GitHub Actions workflow:

```yaml
on:
  push:
    branches:
      - "main"

jobs:
  report_mix_deps:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: erlef/mix-dependency-submission@v1
```

OS Support

It works out-of-the-box on GitHub-hosted runners for:

  • Linux (x64, ARM64)
  • macOS (x64, ARM64)
  • Windows (x64)

Check the README for full compatibility details.


The Action was built as part of the Erlang Ecosystem Foundation’s ongoing efforts to support the BEAM community’s tooling and security story. Feedback and adoption are super appreciated — especially if you’re managing multiple projects or teams.

Let me know if you try it out or run into any issues!

30 Likes

Could you maybe give some more info on how to use the result of this action?
I see the dependency tree output for example, but it is truncated.

1 Like

The interesting part is not in the action output, but rather in the GitHub Dependency Graph.

You can see that by going to the project / Insights / Dependency Graph.

As an example for mix-dependency-submission itself: Dependencies · erlef/mix-dependency-submission · Search for ecosystem:other · GitHub

Here you can find the GitHub docs for the topic: About the dependency graph - GitHub Docs

1 Like

@maennchen this is awesome!

1 Like

@maennchen This is great and such perfect timing for us. We’ve been ramping up lots of security practices across all our repos and this helps get us one step closer to looking as shiny as the other natively supported languages! :heart:

4 Likes

Thanks everyone, I’m happy that this is received that well :heart:

Let me know if you have any issues, I’m happy to assist.

It will be a default in all my apps in the future.

1 Like

Thank you :slight_smile:

This is nice! Thank you so much.

Question: When a project is meant to augment Phoenix, it will have Phoenix as a dependency. Does that mean it will receive Dependabot alerts for transitive deps too?

I see I can set or not set install-deps to false, but then transitive deps (from other deps) are not checked either.

Generally you will receive warnings for all your dependencies including transitive ones.

Depending on the project, there may be no mix.lock file checked in (as with most libraries). Also, some dependencies, like git-based ones, do not record detailed information about their own deps in the mix.lock.
In those cases, the tool doesn’t have an exact picture of the dependency tree.

With install-deps you will fetch everything and therefore have a perfect representation of all that.

1 Like
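To make the mechanism behind this thread concrete, here is an added example (not the erlef/mix-dependency-submission action's own code, which is not Python) that does by hand what the action does for you: parse a mix.lock and a mix.exs, turn each package into a purl (`pkg:hex/name@version`), and assemble the snapshot document that the GitHub Dependency Submission API accepts. The sample mix.lock and mix.exs are constructed, the hashes are fake, and the snapshot field names assume the published schema of the `POST /repos/{owner}/{repo}/dependency-graph/snapshots` endpoint; the `pkg:generic/...?vcs_url=` form for git dependencies is one purl convention chosen here, not necessarily what the action emits. It also shows the two failure modes discussed above: a git dependency has no child list in mix.lock, and an absent mix.lock yields an empty snapshot, which is exactly the gap `install-deps` closes.

```python
"""Build a GitHub Dependency Submission API snapshot from mix.lock / mix.exs.

Added illustration, not the erlef/mix-dependency-submission action's code.
Assumes the snapshot schema of POST /repos/{owner}/{repo}/dependency-graph/snapshots.
All inputs below are constructed samples.
"""
import json
import re
from datetime import datetime, timezone
from urllib.parse import quote

FAKE_HASH = "ab" * 32  # constructed stand-in for the two sha256 values in each hex entry

# Constructed mix.lock: two hex packages (jason depends on decimal) plus one git dep.
SAMPLE_MIX_LOCK = """%{
  "decimal": {:hex, :decimal, "2.1.1", "HASH", [:mix], [], "hexpm", "HASH"},
  "jason": {:hex, :jason, "1.4.1", "HASH", [:mix], [{:decimal, "~> 1.0 or ~> 2.0", [hex: :decimal, repo: "hexpm", optional: true]}], "hexpm", "HASH"},
  "my_fork": {:git, "https://github.com/example/my_fork.git", "0123456789abcdef0123456789abcdef01234567", []},
}
""".replace("HASH", FAKE_HASH)

# Constructed mix.exs deps block: only the direct dependencies are listed here.
SAMPLE_MIX_EXS = """
  defp deps do
    [
      {:jason, "~> 1.4"},
      {:my_fork, git: "https://github.com/example/my_fork.git"}
    ]
  end
"""

# One mix.lock entry per line: "app": {:hex, :pkg, "version", "sha", [tools], [children], "repo", "sha"}
HEX_ENTRY = re.compile(
    r'^\s*"(?P<name>\w+)":\s*\{:hex,\s*:(?P<pkg>\w+),\s*"(?P<version>[^"]+)",'
    r'\s*"(?P<hash>[0-9a-f]{64})",\s*\[[^\]]*\],\s*\[(?P<deps>.*?)\],\s*"(?P<repo>[^"]+)"'
)
# Git entries carry only the URL and the checked-out revision; no child list.
GIT_ENTRY = re.compile(r'^\s*"(?P<name>\w+)":\s*\{:git,\s*"(?P<url>[^"]+)",\s*"(?P<rev>[0-9a-f]+)"')
DEP_REF = re.compile(r"\{:(\w+),")  # {:name, ...} tuples inside a deps list
DEPS_BLOCK = re.compile(r"defp?\s+deps\s+do(.*?)\bend\b", re.S)


def parse_mix_lock(text):
    """Map app name -> {"purl": ..., "deps": [child app names]} for every locked package."""
    packages = {}
    for line in text.splitlines():
        m = HEX_ENTRY.match(line)
        if m:
            packages[m["name"]] = {
                "purl": f"pkg:hex/{m['pkg']}@{m['version']}",
                "deps": DEP_REF.findall(m["deps"]),
            }
            continue
        m = GIT_ENTRY.match(line)
        if m:
            # purl qualifier values are percent-encoded; ':' and '/' may stay literal.
            vcs = quote(f"git+{m['url']}@{m['rev']}", safe=":/")
            packages[m["name"]] = {"purl": f"pkg:generic/{m['name']}?vcs_url={vcs}", "deps": []}
    return packages


def parse_direct_deps(mix_exs):
    """Names listed in the deps/0 block of mix.exs are the direct dependencies."""
    m = DEPS_BLOCK.search(mix_exs)
    return set(DEP_REF.findall(m.group(1))) if m else set()


def build_snapshot(lock_text, mix_exs_text, sha, ref, correlator="report_mix_deps"):
    """Assemble the snapshot body for the Dependency Submission API."""
    packages = parse_mix_lock(lock_text)
    direct = parse_direct_deps(mix_exs_text)
    resolved = {}
    for name, pkg in packages.items():
        resolved[name] = {
            "package_url": pkg["purl"],
            "relationship": "direct" if name in direct else "indirect",
            "scope": "runtime",
            # Only children that are themselves locked can be linked; a git dep
            # records no child list in mix.lock, so its subtree stays invisible.
            "dependencies": [packages[d]["purl"] for d in pkg["deps"] if d in packages],
        }
    return {
        "version": 0,
        "sha": sha,
        "ref": ref,
        "job": {"correlator": correlator, "id": "1"},  # id would be the workflow run id in CI
        "detector": {"name": "mix-lock-example", "version": "0.0.0", "url": "https://example.invalid"},
        "scanned": datetime.now(timezone.utc).isoformat(),
        "manifests": {
            "mix.lock": {
                "name": "mix.lock",
                "file": {"source_location": "mix.lock"},
                "resolved": resolved,
            }
        },
    }


if __name__ == "__main__":
    snapshot = build_snapshot(SAMPLE_MIX_LOCK, SAMPLE_MIX_EXS, "0" * 40, "refs/heads/main")
    print(json.dumps(snapshot, indent=2))
```

Running it prints the snapshot with `jason` as a direct dependency linked to `pkg:hex/decimal@2.1.1`, `decimal` as indirect, and `my_fork` with an empty `dependencies` list. Feeding it an empty string in place of mix.lock produces a manifest with no resolved packages at all, which is why a library without a checked-in lockfile only gets a complete graph once the deps are actually fetched.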

This is very cool!

I haven’t seen it explicitly specified anywhere, but if you use this GitHub Action to populate your dependency graph and you want to use that for Dependabot then you want to use package-ecosystem: "github-actions" in your dependabot.yml

1 Like

I believe you’re slightly wrong with this. The github-actions ecosystem does updates on your GitHub Action workflows and has nothing to do with this action.

If you’d like Dependabot to update your mix dependencies, you will have to specify the mix ecosystem. You can see an example of this here: mix-dependency-submission/.github/dependabot.yml at main · erlef/mix-dependency-submission · GitHub

However, both of those already work without this project. What doesn’t work without this action are Dependabot Security Updates for mix dependencies.

1 Like

@maennchen This Paraxial blog post says that Dependabot actually doesn’t alert on vulnerabilities and suggests the MixAudit library for this.

Disclaimer: I read this article a few days ago, so I’m just pointing it out. I don’t have hands-on experience with Dependabot.

This is exactly what this action solves. Without it, Dependabot won’t know about vulnerabilities. With it, it does.

2 Likes

Thanks for the clarification. Will check it :+1:

1 Like

Thanks for correcting me, not my area of expertise

Is this system GitHub-specific? Is there perhaps an alternative that does not depend on GitHub?

Yes, this is specific to GitHub.

The generic alternative is using SBoMs. Then you can combine this with various other tools like:

2 Likes

I’ve added the mix-dependency-submission action to an existing project. It adds the mix dependencies to the dependency graph, as expected. Very nice!

Is the set of ecosystems that you can filter in GitHub restricted? I can’t seem to filter only the mix dependencies. They only appear when selecting the “other” option (or when no filter is selected).

1 Like

That’s apparently by design, see the GitHub announcement: Dependency graph supports all purl-identified package ecosystems - GitHub Changelog

2 Likes