Jonatan Männchen's Avatar

Jonatan Männchen

@maennchen.dev.bsky.social

CISO & Member Security WG @theerlef.bsky.social | he/him

81 Followers  |  65 Following  |  22 Posts  |  Joined: 21.11.2024

Latest posts by maennchen.dev on Bluesky


👉🏽 "From Freakout to Fix: Navigating a Security Disaster"

Our Foundation's CISO - @maennchen.dev - will be speaking at @elixirconf.bsky.social on how to handle serious security holes — without melting down.

📢 Don’t miss it: elixirconf.com/talks/from-f...

#ElixirLang #Security #BEAM

06.08.2025 17:02 — 👍 3    🔁 2    💬 0    📌 0

🎙️ @maennchen.dev joins the latest @openssf.org podcast!

In this SOSS episode, he shares how the Erlang community is proactively addressing security concerns, why manufacturers are investing in upstream projects — and what other ecosystems can learn from their approach.

Listen! shorturl.at/iKdG7

29.07.2025 18:16 — 👍 3    🔁 2    💬 0    📌 0

🎉 Today we celebrate #OpenSSFCommunity Day NA 2025, welcoming six new member organizations and honoring incredible contributors with the Golden Egg Awards 🥚.

Read the full update:
🌐 openssf.org/blog/2025/06...

#OpenSSF #OpenSource #SoftwareSecurity #OSS

26.06.2025 14:00 — 👍 7    🔁 1    💬 0    📌 2

🙌 Welcome to another #GettingToKnowUs edition!

This time we got to meet @maennchen.dev, a seasoned developer and lead engineer, with contributions to projects like the certified #OpenID Connect client for the #BEAM. He is currently the CISO of our Foundation.

🔗 erlef.org/blog/marketi...

25.06.2025 17:45 — 👍 5    🔁 3    💬 1    📌 0
Absolute path traversal in zip:unzip/1,2. This project handles the CVE Numbering Authority (CNA) for the Erlang Ecosystem Foundation (EEF).

Watch out folks, there's a CVE for the Erlang zip module. Update to the latest patch release when you can
cna.erlef.org/cves/cve-202...

16.06.2025 11:43 — 👍 24    🔁 15    💬 0    📌 0
Security and the BEAM Ecosystem - Erlang Solutions. In the second and final part, Jonatan Männchen on how the BEAM community is making security smarter and more collaborative.

In part two of our talk with @maennchen.dev (CISO at @theerlef.bsky.social), we dive into the real security challenges BEAM developers face.

From CVE tracking to practical tips for open source teams, this is about building safer systems from the start, not patching them too late.

🎥 bit.ly/45WjT3y

16.06.2025 12:48 — 👍 3    🔁 2    💬 0    📌 0
SAFE and OIDCC - Erlang Solutions. Even secure code benefits from a second opinion. In part one, Jonatan Männchen shares how SAFE helped strengthen his authentication library.

Security is most effective when it is built in from day one. In part one of our latest webinars with @maennchen.dev, CISO @theerlef.bsky.social, he shares his experience using SAFE, our security audit service for Erlang and Elixir systems. 🔒

11.06.2025 15:44 — 👍 4    🔁 2    💬 1    📌 0
Release v1.19.0-rc.0 · elixir-lang/elixir. Type system improvements: type checking of protocol dispatch and implementations. This release also adds type checking when dispatching and implementing protocols. For example, string interpolation i...

Elixir 1.19 is a banger! Honestly I'm so pleased with the direction that #ElixirLang is going. My programs just get faster and more correct every time. I just know that we're in good hands. Thank you to everyone on the team for your hard work!

github.com/elixir-lang/...

09.06.2025 13:17 — 👍 114    🔁 23    💬 2    📌 1
Security and the BEAM Ecosystem - Erlang Solutions. Jonatan Männchen shares how the BEAM community is improving security through better tracking, smarter tooling and shared responsibility.

🔐Security and the BEAM Ecosystem

In this insightful session organized by @erlangsolutions.bsky.social, @maennchen.dev — CISO at our Foundation — shares how the BEAM community is stepping up its open source security efforts, including becoming an official CNA.

www.erlang-solutions.com/webinars/sec...

10.06.2025 18:01 — 👍 4    🔁 3    💬 0    📌 0

Did the required work this morning to get #AshFramework passing the OpenSSF Best Practices certification, and to get our OpenSSF Scorecard.

Thanks again to @maennchen.dev from @theerlef.bsky.social for his expert counsel and advice. See the scorecard here: scorecard.dev/viewer/?uri=...

#ElixirLang

03.06.2025 16:09 — 👍 19    🔁 2    💬 0    📌 0
FOSDEM 2025 - Hunting for GitHub Actions bugs with zizmor

Btw: This talk about zizmor at FOSDEM was quite good: fosdem.org/2025/schedul...

02.06.2025 18:38 — 👍 2    🔁 0    💬 1    📌 0
How to secure your GitHub Actions workflows with CodeQL. In the last few months, we secured 75+ GitHub Actions workflows in open source projects, disclosing 90+ different vulnerabilities. Out of this research we produced new support for workflows in CodeQL,...

CodeQL from GitHub itself also incorporates a lot of checks.

github.blog/security/app...

02.06.2025 16:28 — 👍 2    🔁 0    💬 2    📌 0
Harden CI by maennchen · Pull Request #6280 · phoenixframework/phoenix. What's changed: Actions pinned to commit SHAs – every third-party Action reference now points to an immutable Git commit instead of a moving tag. Least-privilege permissions – the workflow's top-le...

I opened a PR for phoenix: github.com/phoenixframe...

But to get this problem sorted community-wide, we'll need a lot of maintainers to step up.

02.06.2025 16:26 — 👍 1    🔁 0    💬 1    📌 0
Calculate Dataset · erlef/beam-openssf-compliance-stats@8b77133. Project to generate statistics about OpenSSF Compliance in the BEAM ecosystem.

With a mean ScoreCard score of 5.3 in the ecosystem we can see that there's a lot to be improved in the ecosystem: github.com/erlef/beam-o...

02.06.2025 15:58 — 👍 4    🔁 0    💬 1    📌 0
Home: Quickly assess open source projects for risky practices

I would recommend that every project on GitHub have a look at OpenSSF ScoreCard. Not to chase a high number, but the checks are great for ensuring a safe CI. Stuff like Token Permissions, Branch Protection, Pinning Deps etc.

See: scorecard.dev#the-checks

02.06.2025 15:56 — 👍 5    🔁 0    💬 1    📌 0

On that point I fully agree. Actions should always be pinned to a Git SHA (not a tag, since tags can be mutated...).

For example, in Elixir that is implemented: scorecard.dev/viewer/?uri=...

02.06.2025 15:51 — 👍 1    🔁 0    💬 1    📌 0
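The two posts above (the Scorecard checks Token Permissions and Pinning Deps, and pinning actions to a commit SHA rather than a tag) describe a check that is easy to script. What follows is an added example, not code from the posts, from OpenSSF Scorecard or from any project mentioned on this page: a line-based scanner (not a full YAML parser) that flags `uses:` references not pinned to a full commit id and reports whether a workflow sets top-level `permissions:`. The two workflow texts, the action name `example-org/setup-tool` and the hex ids in them are constructed for the example.

```python
import re

# A Git object id is 40 hex chars (SHA-1) or 64 (SHA-256 repositories).
_SHA_RE = re.compile(r"^(?:[0-9a-f]{40}|[0-9a-f]{64})$")
# Line-based match for `uses:` entries, quoted or unquoted values.
_USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")


def classify_uses(ref):
    """Classify a `uses:` value as 'local', 'docker', 'sha' or 'mutable'."""
    if ref.startswith("./"):
        return "local"              # lives in this repo, versioned with it
    if ref.startswith("docker://"):
        return "docker"             # image references are checked separately
    if "@" not in ref:
        return "mutable"            # no ref at all: resolves to the default branch
    _, version = ref.rsplit("@", 1)
    return "sha" if _SHA_RE.match(version) else "mutable"


def find_unpinned_actions(workflow_text):
    """Return (line_no, ref) for every step not pinned to an immutable id."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = _USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        kind = classify_uses(ref)
        if kind == "mutable":
            findings.append((lineno, ref))
        elif kind == "docker" and "@sha256:" not in ref:
            findings.append((lineno, ref))   # tag-only image, no digest
    return findings


def has_top_level_permissions(workflow_text):
    """True when the workflow restricts GITHUB_TOKEN at the top level."""
    return any(line.startswith("permissions:") for line in workflow_text.splitlines())


def audit(workflow_text):
    return {
        "unpinned": find_unpinned_actions(workflow_text),
        "top_level_permissions": has_top_level_permissions(workflow_text),
    }


# Constructed sample: tag-pinned action, tag-only image, no permissions block.
SAMPLE_WORKFLOW = """\
name: CI
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/setup-tool@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
      - run: mix test
"""

# Constructed hardened variant: every reference is an immutable id (the hex
# values are placeholders, not real commits or digests), token is read-only.
HARDENED_WORKFLOW = """\
name: CI
on: [push, pull_request]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: example-org/setup-tool@0123456789abcdef0123456789abcdef01234567
      - uses: docker://alpine@sha256:0000000000000000000000000000000000000000000000000000000000000000
      - run: mix test
"""

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, audit(text))
```

The scanner deliberately treats a missing `@ref` as mutable (it resolves to the default branch) and a Docker image without a digest as unpinned, since an image tag can be re-pushed just like a Git tag. A trailing `# v4` comment next to a SHA is the usual way to keep the human-readable version visible, and the regex ignores it.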

The action does a lot of stuff, like checking valid OTP / Elixir combos, reading version files, and supporting multiple OSes and architectures. All that needs to be handled.

02.06.2025 15:39 — 👍 1    🔁 0    💬 0    📌 0

This includes transitive deps. That doesn't sound that scary to me.

02.06.2025 15:36 — 👍 1    🔁 0    💬 1    📌 0

I don't think it's quite that bad. Most of the dependencies are for development like linters, formatters etc.

"$ npm ls -a --omit dev" shows 5 GitHub Dependencies and 4 non-GitHub Dependencies.

If we include ncc, the tool to create the dist JS files, there's one more.

02.06.2025 15:36 — 👍 3    🔁 0    💬 2    📌 0
LT: EEF Update - Alistair Woodman, Jonatan Männchen, Dan Janowski | ElixirConf EU 2025 (YouTube video by Code Sync)

🎥 What’s new at the EEF?

Alistair Woodman, @maennchen.dev & Dan Janowski share big updates:

🔐 We’ve joined the CVE® Program as an official CNA
🛡️ Launched the Ægis Initiative to boost security

Must-watch for the BEAM community!
youtu.be/5WqMpSt_rRE

29.05.2025 19:09 — 👍 4    🔁 2    💬 0    📌 0
A Letter From Ourselves by Zach Daniel - Goatmire Elixir. Elixir has a storied past, but what does its future hold? In this session, we won't be unveiling new features or delivering a roadmap. And yet, somehow, the future makes an appearance. Expect familiar…

Not an Ash talk. Not an Igniter talk.
It is easy to couple Zach Daniel to his massive efforts in the Ash framework, but ever since I met him the phrase "Elixir ride or die" has lived rent-free in my head.

I must not say much about the talk itself. You need to see it.
goatmire.com/speaker/zach...
#elixirlang

27.05.2025 12:02 — 👍 13    🔁 4    💬 0    📌 0
From Freakout to Fix: Navigating a Security Disaster by Jonatan Männchen - Goatmire Elixir. Picture this: you're chugging coffee late at night when you realize your beloved library has a massive security hole. Worse yet, someone's already posted a proof-of-concept exploit for the world to…

Serious Monday for a serious topic.

Navigating security problems doesn't have to be all dread and cold sweat. Jonatan Männchen is the CISO of the Erlang Ecosystem Foundation. He will take you on the journey in his talk to get you ready.
goatmire.com/speaker/jona...
#elixirlang

26.05.2025 12:03 — 👍 4    🔁 2    💬 0    📌 0

✨ Thanks to everyone who joined our talk at @elixirconf.bsky.social! We loved sharing everything we've been working on — from the Foundation to the community.

Big shoutout to all the amazing speakers for the inspiring lightning talks, and to everyone who made this event so special!

#Elixirlang

22.05.2025 17:30 — 👍 8    🔁 3    💬 0    📌 0

#ElixirLang ❤️ @theerlef.bsky.social

I firmly believe the EEF will play an ever increasing role in the success of the Elixir ecosystem, and I intend to do my part to support them in this effort. Our community is growing and the need for coordination on things that impact us all grows alongside it. 👇

19.05.2025 19:02 — 👍 37    🔁 5    💬 4    📌 1

The EEF board 2025 Election Vote is over! 🗳

Cohort C contains the following new three members: @lawik.bsky.social, Lee Barney, @zachdaniel.dev 👏

We’re thankful for everyone who decided to get involved by running, and those who made their voices heard by voting.

erlef.org/blog/eef/ele...

19.05.2025 18:45 — 👍 41    🔁 11    💬 5    📌 6
New CVE Program Partner

Erlang Ecosystem Foundation is now a CVE Numbering Authority (CNA) assigning CVE IDs for vulnerabilities in active packages on Hex.pm + projects on GitHub under elixir-lang, erlang, erlef-cna, erlef, gleam-lang, & hexpm, unless covered by the scope of another CNA

cve.org/Media/News/i...

13.05.2025 20:16 — 👍 13    🔁 8    💬 0    📌 0

🚨We’ve officially joined the CVE® Program as an authorized CVE Numbering Authority!

🔐 This means we can now assign CVE IDs to publicly disclosed cybersecurity vulnerabilities in our defined scope, helping improve security and transparency in the broader open-source community

shorturl.at/0bOxC

14.05.2025 16:40 — 👍 21    🔁 9    💬 1    📌 0

I'll swing by as well, see you there 😄

06.05.2025 13:29 — 👍 1    🔁 0    💬 1    📌 0

📢 New API Key strategy for @ash-hq.org merged 🎉.

github.com/team-alembic...

Massive shoutout (once again) to @maennchen.dev at @theerlef.bsky.social for his invaluable guidance on implementing this securely. #AshFramework #ElixirLang

06.05.2025 12:49 — 👍 33    🔁 7    💬 0    📌 0
GitHub - erlef/mix-dependency-submission: Calculates dependencies for Mix and submits the list to the GitHub Dependency Submission API

💫Just released: a GitHub Action to submit Elixir/Mix dependencies via GitHub's Dependency Submission API.

✅ Perfect for unlocking security alerts, dependency graphs, and Dependabot Security updates!

Check it out: github.com/erlef/mix-de...

#Elixirlang

22.04.2025 17:58 — 👍 10    🔁 3    💬 0    📌 0
