Security Documentation by maennchen · Pull Request #49 · hexpm/specifications

maennchen · 2026-04-20T11:53:10Z

Add Security Documentation around Hex.pm.

maennchen · 2026-04-20T11:53:53Z

+### [Operations](./operations/incident-response.md)
+
+How we operate and respond to security events.
+
+- [Incident Response](./operations/incident-response.md) - Triage, response, notification
+- [Access Control](./operations/access-control.md) - Internal access principles


I did not have much to go on here.

@ericmj Could we collaborate to make this accurate?

maennchen · 2026-04-20T11:54:02Z

+
+### Production
+
+<!-- TODO: Verify production secrets management -->


I can add you to the hexpm-ops that holds our terraform, kubernetes, and fastly configuration if that would help verification.

That would be great, yes.

maennchen · 2026-04-20T11:54:09Z

+
+### Access Control
+
+<!-- TODO: Verify least privilege implementation -->


ericmj

This is really great, thank you! I added a couple of comments and questions.

ericmj · 2026-04-20T23:26:55Z

+
+### Production
+
+<!-- TODO: Verify production secrets management -->


I can add you to the hexpm-ops that holds our terraform, kubernetes, and fastly configuration if that would help verification.

ericmj · 2026-04-20T23:29:04Z

+
+## Deployment Controls
+
+Deployments are performed manually by core maintainers outside of GitHub infrastructure.


Our deployments happens through CI on hexpm-ops. We also have a Slack bot that can deploy, monitor deployments, and monitor container image builds. That's on https://github.com/hexpm/hexpm_deploy, I can add you to that too.

ericmj · 2026-04-21T09:39:36Z

+        Dev-->>Client: TOTP code
+    else Has API Key
+        Note over Client: Use API key directly
+        opt 2FA Enabled on Account


You cannot use 2FA with API key

ericmj · 2026-04-21T10:04:04Z

+    Client->>Client: Read repo config from mix.exs
+    Client->>Client: Identify private repos (org: "mycompany")
+
+    Note over Client,API: Authenticate for private repo


Should we show OAuth flow here also?

maennchen commented Apr 20, 2026

View reviewed changes

ericmj reviewed Apr 21, 2026

View reviewed changes

Comment thread security/threat-model/client-flows.md Outdated

Comment thread security/threat-model/client-flows.md Outdated

Comment thread security/threat-model/assets.md Outdated

maennchen force-pushed the sdlc-docs branch from 3f158e6 to 14936fa Compare April 22, 2026 20:17

Security Documentation

8b56162

maennchen force-pushed the sdlc-docs branch from 14936fa to 8b56162 Compare April 22, 2026 20:29


		### Production

		<!-- TODO: Verify production secrets management -->


		### Access Control

		<!-- TODO: Verify least privilege implementation -->


		## Deployment Controls

		Deployments are performed manually by core maintainers outside of GitHub infrastructure.

Conversation

maennchen commented Apr 20, 2026

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

ericmj left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants