Hexorcist
Security alerts, for your Elixir apps
Hexorcist, is a small service for keeping an eye on your Elixir projects.
The idea is simple: add a project, paste in its mix.lock, and Hexorcist tracks the exact dependency snapshot the app is using. It checks those dependencies against the Elixir security advisory database, much like mix_audit, and also pulls update information from hex.pm.
If one of your dependencies has a known advisory, Hexorcist tells you clearly what is affected, what version fixes it, and which command to run. For example: update plug to a safe version with mix deps.update plug.
It also tracks ordinary dependency updates, grouped as patch, minor, or major releases, so you can see at a glance which projects are drifting behind.

You can add projects manually by pasting the whole mix.lock. Hexorcist parses it and only stores package names and versions.

For day-to-day use, there is also a post-commit git hook. When a commit changes mix.lock, the updated dependency snapshot can be pushed to Hexorcist automatically, without needing GitHub actions, a fancy CI pipeline, or a hosted repo.

The useful part is that Hexorcist keeps scanning after you leave the page. When a scheduled scan finds a new vulnerability in a dependency you are using, it emails you with the advisory and the recommended fix, so you do not have to remember to check a dashboard.
Applying the fix, not just hearing about it
The git hook pushes data in, and a scan emails you out but you still have to go and bump the dependency yourself. hexorcist_update closes that loop. It is a small command-line client that pulls a project's upgrade plan back from Hexorcist and applies it locally:
It has no runtime dependencies of its own, it uses what ships with Erlang and Elixir, so installing it won't touch your project's dependency tree.
Drop the project id in a committed .hexorcist.exs so it travels with the repo, grab your account token from your settings on hexorcist.net, and keep it in the environment (it's a secret, so never commit it). Then run it inside your checkout:
By default it only does what is safe: mix deps.update for versions that already fit your mix.exs constraints, leaving the mix.lock change as a diff for you to review.
Nothing is committed, and nothing is pushed. Think Dependabot or Renovate, but driven by Hexorcist's analysis and run on your own machine (or CI), no GitHub integration required.
Updates blocked by a version constraint are normally just reported. If you want, --edit-mix will go a step further and raise the literal {:dep, "~> x.y"} constraint to unlock a held-back major in your root mix.exs, or, for an umbrella project, in whichever apps/*/mix.exs actually declare the dependency. Anything it can't rewrite cleanly is left alone and reported instead, and any edit that doesn't actually unlock the update is reverted.
Your systems
Hexorcist is not just for Elixir; it can keep an eye on a FreeBSD host too. Paste the output of pkg query '%n %v', or have a cron job push it for you the same token-authenticated way as the git hook, and Hexorcist matches your installed packages against the FreeBSD vulnerability database (the same VuXML feed pkg audit uses).
As with mix.lock, it only stores package names and versions, nothing else. Each host shows how many advisories affect it and which package updates are waiting in your branch, quarterly or latest. And just like the dependency side, when a scheduled scan turns up a new vulnerability for a package you have installed, it emails you once with the advisory and the fix.
Try it here: Hexorcist