Making Audit Logs on Hex.pm Public

Third-party libraries are one of the most important building blocks for modern software development. We can hardly build anything useful without depending on other's work. But this dependency introduces a significant security risk: malicious code can be injected to these third party libraries and get pulled into our application.

One way to inject malicious code is through the package manager. We've seen many such accidents in various package managers in the past years:

This security threat is out there targeting every language and every ecosystem.

And this is why Hex team has been working on securing the Elixir/Erlang package manager for so long.

  1. Hex.pm displays the package tarball checksum since 2017 Aug.
  2. A new outer checksum mechanism was introduced in 2019 July.
  3. Hex package differ was introduced in 2020 Jan.

All these features are aimed to help Elixir/Erlang developers to audit a package.1 Most importantly, Hexpm has been recording user actions as audit logs since 2016 Jan. These audit logs include info about what actions are performed on packages, when these actions are performed, and who performed these actions. So with these audit logs in place, we can know what actions are performed after an user account was compromised (if they published any new packages, added new owners to packages, etc.).

Now you can check these audit logs on Hexpm:

  1. Check who owns a package and who published a release.

    In a package's show page, Hexpm displays its owner and publishers for its releases.

    owners.png

  2. Check all actions performed around a package.

    Hexpm displays all recent activities for a package:

    package_recent_activities.png

    And you can see all activities related to this package in a dedicated page:

    package_all_activities.png

  3. Check all actions taken by your own user account.

    You can go to your account dashboard and check all your recent activities:

    user_activities.png

  4. Check all these audit logs via Hexpm API. If you have access to Hexpm API endpoints, you can fetch audit logs from the following endpoints:
    • GET /api/users/me/audit_logs
    • GET /api/orgs/:organization/audit_logs
    • GET /api/packages/:name/audit_logs
    • GET /api/repos/:repository/packages/:name/audit_logs

By making audit information public, everyone can review the full history of a package on Hexpm. Hopefully by doing so, we can bring more transparency to Hexpm and make our ecosystem more secure together.

Footnotes:

1

As a side note, Two Factor Auth was added to Hex.pm in 2020 May to help developers better secure their accounts.