Audits Hex dependencies in mix.lock against two complementary
advisory sources:
- mix_audit — Mirego's curated elixir-security-advisories repo, cloned into ~/.local/share/. Hex-ecosystem-only, hand-reviewed entries.
- osv-scanner — Google's OSV.dev aggregator, which pulls the Erlef CNA feed alongside many other ecosystems. Tends to surface CVE-numbered advisories that Mirego hasn't ingested yet.
Running both is deliberate. They miss different things, and the
delta between them is what catches advisories the curated database
hasn't picked up. Findings dedupe on (advisory_id, package, version)
with osv-scanner winning on ties (CVSS-derived severity is the more
standard signal).
If osv-scanner isn't installed, the layer still runs successfully
on mix_audit alone — the note records that the second source was
unavailable so the report is honest about coverage.
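The merge and fallback behaviour described above, as an added worked example (not the layer's own code). The `Finding` shape, the source-priority table, the sample advisory ids (`EXAMPLE-ADV-*`) and the wording of the coverage note are all constructed for illustration; real mix_audit and osv-scanner JSON output differs and would need a small adapter per tool.

```python
"""Dedupe findings from mix_audit and osv-scanner on
(advisory_id, package, version), osv-scanner winning ties, and degrade
gracefully when osv-scanner is not installed.

Added example: the dataclass fields, priority table, sample data and
note text are assumptions, not the layer's real schema.
"""
import shutil
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    advisory_id: str   # advisory identifier as reported by the source
    package: str       # Hex package name from mix.lock
    version: str       # locked version
    severity: str      # osv-scanner: CVSS-derived; mix_audit: curated label
    source: str        # "mix_audit" or "osv-scanner"

    def key(self) -> Tuple[str, str, str]:
        # Dedup key: the same advisory for the same package/version is one finding
        return (self.advisory_id, self.package, self.version)


# Higher value wins a tie on the dedup key. osv-scanner's CVSS-derived
# severity is the more standard signal, so it outranks mix_audit.
SOURCE_PRIORITY = {"osv-scanner": 2, "mix_audit": 1}

OSV_MISSING_NOTE = "osv-scanner not installed; results from mix_audit only"


def osv_scanner_available() -> bool:
    """True when an osv-scanner binary is on PATH (real check, no invocation)."""
    return shutil.which("osv-scanner") is not None


def merge_findings(mix_audit: Iterable[Finding],
                   osv: Optional[Iterable[Finding]]) -> List[Finding]:
    """Union both sources, keeping one Finding per dedup key."""
    merged = {}
    for f in list(mix_audit) + list(osv or []):
        current = merged.get(f.key())
        if current is None or SOURCE_PRIORITY[f.source] > SOURCE_PRIORITY[current.source]:
            merged[f.key()] = f
    return sorted(merged.values(), key=lambda f: (f.package, f.advisory_id))


def only_from(findings: List[Finding], source: str) -> List[Finding]:
    """The delta: findings that survived the merge from one source only."""
    return [f for f in findings if f.source == source]


def run_layer(mix_audit: List[Finding], osv: Optional[List[Finding]],
              osv_available: bool) -> Tuple[List[Finding], List[str]]:
    """Return (findings, notes). Without osv-scanner, report on mix_audit alone
    and record the reduced coverage in the notes."""
    notes: List[str] = []
    if not osv_available:
        notes.append(OSV_MISSING_NOTE)
        osv = []
    return merge_findings(mix_audit, osv), notes


# Constructed sample output from each tool (ids and packages are placeholders).
MIX_AUDIT_SAMPLE = [
    Finding("EXAMPLE-ADV-1", "plug", "1.14.0", "high", "mix_audit"),
    Finding("EXAMPLE-ADV-2", "phoenix", "1.6.0", "moderate", "mix_audit"),
]
OSV_SAMPLE = [
    # Same advisory as mix_audit's first entry: should collapse to one finding
    Finding("EXAMPLE-ADV-1", "plug", "1.14.0", "HIGH (CVSS 7.5)", "osv-scanner"),
    # Not yet in the curated database: the delta the second source buys us
    Finding("EXAMPLE-ADV-3", "ecto", "3.9.0", "MEDIUM (CVSS 5.3)", "osv-scanner"),
]


def demo(osv_available: bool = True) -> Tuple[List[Finding], List[str]]:
    """Run the merge over the constructed samples."""
    return run_layer(MIX_AUDIT_SAMPLE, OSV_SAMPLE, osv_available)


if __name__ == "__main__":
    findings, notes = demo(osv_scanner_available())
    for f in findings:
        print(f"{f.package} {f.version} {f.advisory_id} [{f.severity}] via {f.source}")
    for n in notes:
        print("note:", n)
```

With both sources present the constructed sample yields three findings, and the shared `EXAMPLE-ADV-1` entry is reported once with osv-scanner's severity; with osv-scanner absent the same call yields mix_audit's two findings plus the coverage note.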