Executes the SAFE binary via System.cmd/3.
Arguments are passed as a list and no shell string is constructed, so there is no risk of shell command injection from user-controlled data such as the project path or config JSON.
Functions
Runs the SAFE binary with the given subcommand, streaming output line-by-line to stdout.
config_spec is either {:config_path, path} (pass --config-path <file>)
or {:config_json, json} (pass --config-json <inline_json>).
Returns :ok on exit code 0, or {:error, {subcommand_atom, exit_code}}
for any non-zero exit. Exit code 2 indicates vulnerabilities were found and
is treated as a distinct (non-fatal) result by the caller.
Runs safe sca with optional extra args forwarded verbatim.
Does not append --config-path or --project-root — the sca subcommand
does not accept those flags. Runs with cd: project_dir so the binary
auto-discovers mix.lock / rebar.lock in the project root.
Returns :ok on exit 0, {:error, {:sca, code}} otherwise.
Exit 2 means vulnerabilities found; exit 3 means warnings-as-errors triggered.
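A sketch of the behaviour documented above, added here as an example and not the project's own source. It shows that shell metacharacters in a path or JSON value stay inside a single argv element, and how exit codes map to return values. The module name SafeRunnerSketch, the executable name safe, the argv order, the :subcmd placeholder and the sample inputs are assumptions.

```elixir
defmodule SafeRunnerSketch do
  # Hypothetical module; the executable name "safe" is an assumption.
  @binary "safe"

  # Each value is its own argv element, so spaces, quotes or ";" inside a
  # path or JSON string are never interpreted by a shell.
  def config_args({:config_path, path}) when is_binary(path), do: ["--config-path", path]
  def config_args({:config_json, json}) when is_binary(json), do: ["--config-json", json]

  # Assumed argv order: subcommand, --project-root, then the config flag.
  def build_args(subcommand, project_root, config_spec)
      when is_atom(subcommand) and is_binary(project_root) do
    [Atom.to_string(subcommand), "--project-root", project_root | config_args(config_spec)]
  end

  # Exit 0 is success; every other code is returned for the caller to judge.
  def classify(_subcommand, 0), do: :ok
  def classify(subcommand, code) when is_integer(code), do: {:error, {subcommand, code}}

  def run(subcommand, project_root, config_spec) do
    exec(subcommand, build_args(subcommand, project_root, config_spec), [])
  end

  # sca takes neither --config-path nor --project-root, so it runs from the
  # project directory. extra_args reach the binary unchanged and are parsed
  # as its flags, so the caller decides what may be placed in them.
  def sca(project_dir, extra_args \\ []) when is_list(extra_args) do
    exec(:sca, ["sca" | extra_args], cd: project_dir)
  end

  defp exec(subcommand, args, opts) do
    opts = [into: IO.stream(:stdio, :line)] ++ opts
    {_io, code} = System.cmd(@binary, args, opts)
    classify(subcommand, code)
  end
end

# Constructed inputs: a path and JSON value containing shell metacharacters.
args =
  SafeRunnerSketch.build_args(
    :subcmd, # placeholder subcommand name
    "/tmp/my proj; echo hi",
    {:config_json, ~s|{"note": "a; b && c"}|}
  )

IO.inspect(args, label: "argv")
for code <- [0, 2, 3], do: IO.inspect(SafeRunnerSketch.classify(:sca, code), label: "exit #{code}")
```

The script only builds and prints the argument list and the exit-code mapping; run/3 and sca/2 need the SAFE binary on PATH.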