Version: 1.5.0

rebar_safe – Rebar3 Plugin

rebar_safe integrates SAFE into Rebar3 projects (Erlang). It manages the SAFE binary automatically — downloading, verifying, and caching it — and exposes SAFE commands through the rebar3 CLI.

Requirements

  • OTP 25 or later
  • rebar3 3.18 or later
  • Linux or macOS (x86_64)

Installation

Add rebar_safe to the plugins list in rebar.config:

rebar.config
{plugins, [
    {rebar_safe, "1.0.2"}
]}.

Commands

Command                    Description
rebar3 safe fingerprint    Generates .safe/config.json and fingerprint.json for licensing
rebar3 safe analyse        Runs security analysis. Exits non-zero if vulnerabilities are found
rebar3 safe download       Pre-downloads the SAFE binary without running a scan
rebar3 safe version        Displays the plugin version and the SAFE binary version

Workflow

  1. One-time setup — run rebar3 safe fingerprint locally to generate .safe/config.json. Commit this file to your repository.
  2. CI — run rebar3 safe analyse in your pipeline. The plugin downloads and SHA256-verifies the binary on first use and runs the analysis.

Info: rebar3 safe fingerprint only needs to be re-run when your project structure changes significantly. The committed config.json is reused on every CI run.

Binary Management

The SAFE binary is cached in _build/safe/. The download is SHA256-verified before use. On first invocation the binary is downloaded automatically; subsequent runs use the cached copy.

Tip: Add _build/safe to your CI cache to avoid re-downloading the binary on every pipeline run.
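
An added example, not part of rebar_safe or SAFE: an independent check a pipeline can run on _build/safe after rebar3 safe download and before rebar3 safe analyse, comparing the directory's contents against a SHA256 manifest committed to the repository. The manifest file, its sha256sum-style format and the script name are assumptions; the page does not document the cache layout, so the manifest has to be generated from a download you trust.

```shell
#!/bin/sh
# Added example, not part of rebar_safe. Checks a cache directory against a
# SHA256 manifest ("<hex digest>  <relative path>" per line, sha256sum format).
# Assumption: paths contain no whitespace.

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'   # macOS
    fi
}

# verify_cache DIR MANIFEST
# 0 = every file matches; 1 = missing, altered or unlisted file; 2 = bad arguments
verify_cache() {
    dir=$1 manifest=$2 status=0
    [ -d "$dir" ] && [ -f "$manifest" ] || return 2

    # Every manifest entry must exist with the pinned digest.
    # The "|| [ -n ... ]" keeps a final line that lacks a trailing newline.
    while read -r want name || [ -n "$want" ]; do
        [ -n "$want" ] || continue
        if [ ! -f "$dir/$name" ]; then
            echo "missing: $name" >&2; status=1; continue
        fi
        [ "$(sha256_of "$dir/$name")" = "$want" ] ||
            { echo "digest mismatch: $name" >&2; status=1; }
    done < "$manifest"

    # Anything in the cache that the manifest does not list is rejected too.
    extra=$( (cd "$dir" && find . -type f) | sed 's|^\./||' |
        while read -r name; do
            awk -v n="$name" '$2 == n { ok = 1 } END { exit !ok }' "$manifest" ||
                echo "$name"
        done)
    [ -z "$extra" ] || { echo "unlisted: $extra" >&2; status=1; }
    return "$status"
}

# Stand-alone use: sh verify_cache.sh _build/safe <manifest path>
if [ "$#" -eq 2 ]; then verify_cache "$1" "$2"; fi
```

Because the workflow's restore-keys prefix can restore a cache saved by another ref, a non-zero result here is a reason to delete _build/safe and let the plugin download the binary again.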

CI/CD

GitHub Actions example

.github/workflows/safe.yml
name: SAFE Security Scan

on:
  push:
    branches: ["main"]
  pull_request:
    branches: ["main"]

jobs:
  safe:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: erlef/setup-beam@v1
        with:
          otp-version: '26'
          rebar3-version: '3.24.0'

      - name: Restore plugin binary cache
        uses: actions/cache@v4
        with:
          path: _build/safe
          key: safe-binary-${{ github.ref }}
          restore-keys: safe-binary-

      - name: Restore analysis state cache
        uses: actions/cache@v4
        with:
          path: ~/.safe
          key: safe-state-${{ github.ref }}-${{ github.sha }}
          restore-keys: |
            safe-state-${{ github.ref }}-
            safe-state-

      - name: Compile
        run: rebar3 compile

      - name: Run SAFE analysis
        run: rebar3 safe analyse
        env:
          SAFE_LICENSE: ${{ secrets.SAFE_LICENSE }}

For more CI examples (GitLab, CircleCI, Mix/Elixir), see the Setting Up in CI/CD page.

Exit Codes

Code        Meaning
0           Analysis completed successfully — no vulnerabilities found.
Non-zero    Vulnerabilities were found, or an error occurred.