finds.dev← search

// the find

nccgroup/sobelow

★ 1,788 · Elixir · Apache-2.0 · updated Aug 2024

Security-focused static analysis for the Phoenix Framework

Sobelow is a static analysis tool for Phoenix/Elixir apps, maintained by NCC Group, that scans your AST for common web vulnerabilities: XSS, SQL injection, directory traversal, unsafe deserialization, insecure config, and more. It's the de facto standard for this niche — if you ship a Phoenix app and aren't running it, you're missing the obvious low-hanging fruit.

The confidence-tier system (red/yellow/green) is genuinely useful — it distinguishes 'this is definitely wrong' from 'this looks suspicious but needs manual review', which keeps noise manageable. The false-positive workflow is well thought out: inline `# sobelow_skip` comments keep suppressions in code review history rather than hidden in a config file. JSON output and `--exit` with a confidence threshold make CI integration straightforward without fighting the tool. The module structure maps cleanly to vulnerability categories, so ignoring entire classes (e.g. `--ignore XSS.Raw`) is surgical rather than all-or-nothing.

Last commit was August 2024 and the pace has slowed noticeably — Phoenix itself has moved a fair bit since then, and there's no indication whether LiveView-specific attack surfaces (client events, assigns leaking sensitive data) are covered at all. The AST-based approach means it misses data flow across module boundaries; a tainted value that passes through two or three function calls before hitting `Repo.query` will not be flagged. No SARIF output format is documented in the README despite a `test/sarif_test.exs` existing, suggesting the feature exists but isn't polished or official. Umbrella app support is a hack — you add a mix alias that shells out to each child — rather than proper multi-project analysis with shared context.

View on GitHub →

// want more like this?

We dig through GitHub every week and send a few repos picked for what you actually care about — each with an honest take like this one.

Get finds in your inbox → Search again →