Security-focused static analysis for the Phoenix Framework.

Source: https://github.com/nccgroup/sobelow
Documentation: https://hexdocs.pm/sobelow
Twitter: @sobelow_scanner



  • Removed
    • Support for minimum Elixir versions 1.5 & 1.6 (POTENTIALLY BREAKING - only applies if you relied on Elixir 1.5 or 1.6, 1.7+ is still supported)
  • Enhancements
    • Fixed all credo warnings
    • Implemented all credo “Code Readability” adjustments
    • Took advantage of some credo refactoring opportunities
    • Added (sub)module documentation that was missing for some vulnerabilities and unified presentation of others
  • Bug fixes
    • Fixed --details / -d not displaying correct information
    • Fixed incompatibility issue with Elixir 1.15
  • Misc
    • Added mix credo --strict to project
    • Improvements to GitHub CI
      • Hex Audit
      • Compiler Warnings as Errors
      • Checks Formatting
    • Added helper mix test.all alias


  • Bug fixes
    • Removed :castore and introduced :verify_none to quiet a warning and unblock escript usage; see #133 for more context on why this is necessary


  • Bug fixes
    • Lowered required version of :castore to remove upgrade path issues
    • Reconfigured :verify_peer to actually use CAStore and remove warning


  • Removed
    • Support for minimum Elixir version 1.4 (POTENTIALLY BREAKING - only applies if you relied on Elixir 1.4, 1.5+ is still supported)
  • Enhancements
    • Adds support for HEEx to XSS.Raw
    • Adds --version CLI flag
    • README Improvements
      • Umbrella App usage
      • Clearer installation process
      • Layout changes
    • Updated dependencies
  • Bug fixes
    • Adds to_string() to exit_on
    • Sets SSL opt verify_peer in version check
    • Reworks -v, --verbose printing to not use the now deprecated Macro.to_string/2
  • Misc
    • Allows atom values for threshold in config file
    • Uses SPDX ID for licenses in mixfile
    • Fixed typo


  • Enhancements
    • Simplify --flycheck output to align with expected format


  • Enhancements
    • Sarif output with --out flag
    • --strict flag, which throws compilation errors instead of suppressing them.


The biggest change in this version is GitHub action integration. See the action repo for more details.

  • Enhancements
    • Sarif output for GitHub integration
    • --flycheck flag, which reverses output of --compact
  • Bug fixes
    • Non-compiling files now return an empty syntax tree instead of causing Sobelow errors.
    • Command Injection finding descriptions are properly formatted
  • Misc
    • If you use Sobelow as a standalone utility (i.e. not as part of a Phoenix application), you now need to install it as an escript with mix escript.install hex sobelow.
    • Custom JSON serialization replaced with Jason.


  • Bug fixes
    • Handle nil config case


  • Misc
    • Update code to clean up deprecation warnings


  • Enhancements
    • Sobelow is now smarter about cross-site websocket hijacking
    • Update URL for CSRF description


  • Bug fixes
    • Fix directory structure issue in umbrella applications
    • Handle function capture edge cases


  • Bug fixes
    • Fix a format error in JSON output encoding


Sobelow now stores --mark-skip-all data in the “.sobelow-skips” file in the root of your application.

If you have previously used this functionality, simply rename your “.sobelow” file to “.sobelow-skips”.


  • Bug fixes
    • Sobelow will use “.sobelow-skips” instead of “.sobelow” in your root directory for --mark-skip-all


Sobelow occasionally checks for updates. Historically, it has stored a timestamp in the root of your application in the .sobelow file. You’ve likely noticed, and maybe even added it to .gitignore.

However, with v0.9.0, Sobelow got some much-needed improvements to false positive management. This functionality also uses .sobelow, so you might not want to ignore the file anymore.

To address these changes, the update timestamp has been moved to a global config file inside ~/.sobelow. You also will no longer have an annoying .sobelow file to ignore if you aren’t managing false positives. Yay!

This should not be a breaking change. And, as always, you can opt-out of the update check entirely using the --private flag.


  • Enhancements
    • Sobelow now uses “~/.sobelow/sobelow-vsn-check” for update checks
    • The “.sobelow” file in your project root is for --mark-skip-all only


Here’s an update with some small but important improvements!


  • Enhancements
    • Improved checks for all aliased functions
  • Bug Fixes
    • JSON output for Raw findings is now properly normalized
    • send_download correctly flags aliased function calls
    • send_download now correctly flags piped functions


This is another small update addressing an error you are unlikely to have run into!


  • Bug Fixes
    • Fix error that resulted from redefining imported functions


Recursive umbrella scans introduced a bug, and have been temporarily reverted.

The full release notes can be found below:

  • Bug Fixes
    • Revert umbrella app recursion


Sobelow has better support for managing false positives. Adding the --mark-skip-all flag to any scan will now mark all displayed findings as skippable. For large or complex projects with a high number of false positives, this should massively improve the experience of integrating Sobelow into your CI/CD pipeline.

The demo of this new feature takes the following steps:

  1. Scan the application.
  2. Review the findings (offscreen), and find that only the CSP finding is valid.
  3. --ignore the CSP finding to hide it from output, and add the --mark-skip-all flag.
  4. Run the scan with the --skip flag to hide skipped findings.

Metadata about skipped findings is stored in the .sobelow file at the root of your project. If you decide you no longer want to have your findings skipped, you can clear this data with the --clear-skip flag.

Less visible, but equally important, this update also comes with new CSRF checks, the ability to run Sobelow from the root of an umbrella app, bug fixes, and a handful of internal improvements!

NOTE: You may need to uninstall previous versions of Sobelow for your update to succeed.

The full release notes can be found below:

  • Enhancements
    • Add --mark-skip-all and --clear-skip flags
    • New CSRF via action reuse checks
    • Sobelow can now be run in umbrella apps
  • Bug Fixes
    • Fix an error when printing some kinds of variables


The output for Sobelow has been improved, and is now more consistent across findings. If you are using the JSON output format, you will find that all findings now have three common keys: type, file, and line. Some findings may have additional keys, but all are guaranteed to have these three.

Line output has been changed across the board, and now points directly to vulnerable function calls, rather than to the containing function. Where appropriate, this information is preserved in an additional header. For example, in Sobelow v0.7.8, a directory traversal finding would look something like the following:

Traversal.FileModule: Directory Traversal in `File.read!` - High Confidence
File: lib/phoenix_internals_web/controllers/page_controller.ex - index:4
Variable: input

def(index(conn, %{"input" => input})) do
  text(conn, File.read!(input))

This has been updated and improved for Sobelow v0.8.0.

Traversal.FileModule: Directory Traversal in `File.read!` - High Confidence
File: lib/phoenix_internals_web/controllers/page_controller.ex
Line: 5
Function: index:4
Variable: input

def(index(conn, %{"input" => input})) do
  text(conn, File.read!(input))

The full release notes can be found below:

  • Enhancements
    • Improve output consistency
      • All JSON findings contain type, file, and line keys
      • “Line” output now refers directly to the vulnerable line
      • Default output headers have been normalized


Sobelow now supports a --threshold flag. This can be used to filter out low-confidence findings, and may be especially useful in a CI pipeline. This flag accepts a threshold of low (default), medium, or high, and will only show findings that meet or exceed that confidence level. For example, to only see medium and high-confidence findings, run the following:

$ mix sobelow --threshold medium

Although this flag can be useful, be sure to continue validating low-confidence findings which may pose security issues.
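As an added example (not part of Sobelow or its documentation), the following Python CI gate combines the --threshold semantics above with the type, file, and line keys guaranteed on every JSON finding since v0.8.0: findings at or above the threshold block the build, while lower-confidence findings are kept for review rather than dropped. The sample report is constructed, and its per-confidence bucket layout and the `triage` helper are assumptions of this example.

```python
import json

# Confidence ranks; --threshold shows findings that meet or exceed a level.
LEVELS = {"low": 0, "medium": 1, "high": 2}
REQUIRED_KEYS = ("type", "file", "line")  # present on every finding since v0.8.0

# Constructed sample report. The "<level>_confidence" bucket layout is an
# assumption of this example; only the three per-finding keys come from the notes.
SAMPLE_REPORT = json.dumps({
    "findings": {
        "high_confidence": [{
            "type": "Traversal.FileModule: Directory Traversal in `File.read!`",
            "file": "lib/phoenix_internals_web/controllers/page_controller.ex",
            "line": 5,
            "variable": "input",
        }],
        "medium_confidence": [],
        "low_confidence": [{
            "type": "Config.CSP: Missing Content-Security-Policy",
            "file": "lib/phoenix_internals_web/router.ex",
            "line": 9,
        }],
    }
})


def triage(report_json, threshold="medium"):
    """Split findings into build-blocking and review-only lists."""
    if threshold not in LEVELS:
        raise ValueError(f"unknown threshold: {threshold!r}")
    blocking, review = [], []
    for bucket, findings in json.loads(report_json)["findings"].items():
        level = bucket.replace("_confidence", "")
        if level not in LEVELS:
            raise ValueError(f"unexpected confidence bucket: {bucket!r}")
        for finding in findings:
            missing = [k for k in REQUIRED_KEYS if k not in finding]
            if missing:
                raise ValueError(f"finding lacks {missing}: {finding!r}")
            entry = (level, finding["type"], f'{finding["file"]}:{finding["line"]}')
            # Below-threshold findings are kept for manual review, not dropped.
            (blocking if LEVELS[level] >= LEVELS[threshold] else review).append(entry)
    return blocking, review


if __name__ == "__main__":
    blocking, review = triage(SAMPLE_REPORT)
    for level, kind, where in blocking + review:
        print(f"[{level}] {where} {kind}")
    raise SystemExit(1 if blocking else 0)
```
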

This update also brings the first of several changes to scan outputs. In particular, finding module names are now included in the description, which should simplify the use of flags that take a module name as input.

Finally, the full update contents can be found below:

  • Enhancements
    • Add --threshold flag
    • Add module names to finding output
  • Deprecations
    • File/Path check has been deprecated
  • Bug Fixes
    • Fix inaccurate CSRF details