nccgroup / sobelow

Security-focused static analysis for the Phoenix Framework
Apache License 2.0
1.66k stars, 92 forks

Add production runtime config to the missing HTTPS check #122

Open LGuichet opened 1 year ago

LGuichet commented 1 year ago

Phoenix HTTPS configuration is often done in the `runtime.exs` file. The production-related config is inside the following block:

```elixir
if config_env() == :prod do
  # ...
end
```

When scanning for HTTPS-enabling config, Sobelow only looks in the `prod.exs` file. It should also be able to check in the `runtime.exs` file to avoid false positives, ideally selectively inside the above code block.
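As an added example, not Sobelow's code and not part of this thread: an Elixir script that parses a constructed `config/runtime.exs` and reports whether an Endpoint `https:` option appears inside an `if config_env() == :prod do ... end` block, appears unguarded, or is absent. The module name `RuntimeHttpsCheck`, the app name `:my_app`, `MyAppWeb.Endpoint` and all three sample configs are assumptions made for the example. The file is only parsed with `Code.string_to_quoted/1`, never evaluated, which is the property a static analyzer needs because `runtime.exs` reads environment variables at load time.

```elixir
# Added example (not Sobelow's code): locate an Endpoint `https:` option in a
# Phoenix config/runtime.exs and say whether it sits inside
# `if config_env() == :prod do ... end`. The file is only parsed, never
# evaluated, so the env-var lookups it contains are not executed.
defmodule RuntimeHttpsCheck do
  # Constructed sample of a runtime.exs (assumed app and module names).
  @prod_guarded """
  import Config

  if System.get_env("PHX_SERVER") do
    config :my_app, MyAppWeb.Endpoint, server: true
  end

  if config_env() == :prod do
    config :my_app, MyAppWeb.Endpoint,
      url: [host: System.get_env("PHX_HOST") || "example.com", port: 443],
      https: [
        port: 443,
        cipher_suite: :strong,
        keyfile: System.get_env("SSL_KEY_PATH"),
        certfile: System.get_env("SSL_CERT_PATH")
      ],
      force_ssl: [hsts: true]
  end
  """

  # Same setting, but applied in every environment (constructed).
  @unguarded """
  import Config
  config :my_app, MyAppWeb.Endpoint, https: [port: 443, cipher_suite: :strong]
  """

  # No https: at all (constructed); this is the case a check should flag.
  @missing """
  import Config
  config :my_app, MyAppWeb.Endpoint, url: [host: "example.com", port: 80]
  """

  def samples, do: [prod_guarded: @prod_guarded, unguarded: @unguarded, missing: @missing]

  # Returns :prod (https: inside a prod guard), :any_env (https: present but not
  # guarded, i.e. also applied in dev/test) or :missing.
  def check(source) when is_binary(source) do
    {:ok, ast} = Code.string_to_quoted(source)
    hits = walk(ast, false, [])

    cond do
      :prod in hits -> :prod
      :any_env in hits -> :any_env
      true -> :missing
    end
  end

  # `if <cond> do ... end` parses as {:if, meta, [cond, [do: body, ...]]}.
  # Everything under a prod guard is walked with in_prod set.
  defp walk({:if, _, [cond_ast, [{:do, body} | _]]}, in_prod, acc) do
    walk(body, in_prod or prod_guard?(cond_ast), acc)
  end

  # `config :app, Some.Module, opts` parses as
  # {:config, meta, [:app, {:__aliases__, _, [...]}, opts]}; trailing keyword
  # arguments are collected into the final list.
  defp walk({:config, _, [_app, {:__aliases__, _, _}, opts]}, in_prod, acc)
       when is_list(opts) do
    if Keyword.keyword?(opts) and Keyword.has_key?(opts, :https) do
      [if(in_prod, do: :prod, else: :any_env) | acc]
    else
      acc
    end
  end

  # Generic descent through calls, blocks, lists and 2-tuples.
  defp walk({_form, _meta, args}, in_prod, acc) when is_list(args),
    do: Enum.reduce(args, acc, &walk(&1, in_prod, &2))

  defp walk(list, in_prod, acc) when is_list(list),
    do: Enum.reduce(list, acc, &walk(&1, in_prod, &2))

  defp walk({left, right}, in_prod, acc), do: walk(right, in_prod, walk(left, in_prod, acc))
  defp walk(_literal, _in_prod, acc), do: acc

  # Accept both `config_env() == :prod` and `:prod == config_env()`.
  defp prod_guard?({:==, _, [left, right]}) do
    (config_env?(left) and right == :prod) or (config_env?(right) and left == :prod)
  end

  defp prod_guard?(_), do: false

  defp config_env?({:config_env, _, args}) when args in [nil, []], do: true
  defp config_env?(_), do: false
end

for {name, source} <- RuntimeHttpsCheck.samples() do
  IO.puts("#{name}: #{inspect(RuntimeHttpsCheck.check(source))}")
end
```

Run it with `elixir runtime_https_check.exs`; it prints one classification per sample. The three-way result is the point of the issue: only the unguarded and missing cases are worth a finding, and a scanner that never opens `runtime.exs` reports the guarded case as missing HTTPS as well. The walk deliberately matches the `if` shape rather than evaluating `config_env()`, so an `else` branch or a guard written the other way round still classifies correctly, while anything more dynamic (for example `Keyword.merge/2` building the options) falls through to the generic descent and is not credited with an `https:` setting.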

houllette commented 1 year ago

Hey @LGuichet! This sounds like a great add - do you have a code example or link to an open source project that has this type of configuration style I can test against?

LGuichet commented 1 year ago

While I could not find any applied example, it can be found in the template Phoenix uses when generating fresh apps. Here's the link to the runtime configuration file template

Runtime config has been introduced relatively recently with Elixir v1.11 in 2020, and it aims, amongst other things, to phase out the `releases.exs` file. Here's J. Valim's v1.11 ElixirConf talk about it

alvarezloaiciga commented 4 months ago

Hi @houllette, I have raised a PR to fix this, at least for the HTTPS one: https://github.com/nccgroup/sobelow/pull/162