Secure, managed Hex repositories for Elixir and Erlang teams

Hex is the package manager for the BEAM ecosystem, used by Elixir and Erlang teams to share internal libraries at scale. Cloudsmith gives you a fully managed, private Hex repository with fine-grained access control, governance policies, and full audit trails - no infrastructure to run.

Universal format support

Simplify and streamline operations. Cloudsmith is a secure store for all packages, containers and assets.

  • Use Hex + 30 other formats
  • Store Elixir and Erlang packages alongside Docker images and OS binaries in a single platform
  • Centralize all software artifacts - packages, containers, and raw files - under one governed platform

How we support Hex

Cloudsmith gives Elixir and Erlang teams a fully managed, private Hex repository that works with native Mix and Rebar3 tooling out of the box.
    Private Hex Repository
    Push and pull packages using native mix hex.publish and mix deps.get commands. Cloudsmith acts as a fully compatible private Hex repository with no changes to your existing workflows.
    Package Governance and Policy
    Create and enforce governance policies that control which Hex packages are permitted in your repositories. Block specific versions, require metadata fields, or quarantine packages that do not meet your criteria before any team member installs them.
    CVE and Vulnerability Scanning
    Cloudsmith automatically scans your Hex packages for known CVEs and security vulnerabilities, giving your team confidence that every dependency in your supply chain has been checked before it reaches a developer machine or CI build.
    Global Distribution and Fast Fetches
    Packages are served from a CDN-backed network with 600+ edge points of presence worldwide. Wherever your Elixir and Erlang teams are located, dependency fetches stay fast and reliable.
    Access Control and Audit Trails
    Manage team access with granular, role-based permissions and SAML/SSO integration. Every upload, download, and policy action is recorded in immutable audit logs, giving you full traceability across your Hex supply chain.

Why teams choose Cloudsmith for Hex

Managing private Hex packages through hex.pm organisations or self-hosted registries introduces operational overhead, limited security controls, and no single view across your supply chain. Cloudsmith removes all of that.
Without Cloudsmith: Private packages are tied to hex.pm organisations, which offer basic user-level access control with no fine-grained permissions, no SAML/SSO integration, and no SCIM provisioning for larger teams.
With Cloudsmith: Cloudsmith gives you role-based access control with SAML/SSO and SCIM support, so you can manage exactly who can publish or consume Hex packages, and onboard or offboard team members automatically.
Without Cloudsmith: Vulnerability scanning for Hex dependencies requires third-party tooling like MixAudit installed and run separately in each project, creating inconsistent coverage and no centralised view of risk across repositories.
With Cloudsmith: Cloudsmith scans every Hex package for CVEs automatically at upload time. Security findings are surfaced in one place, and governance policies can quarantine vulnerable packages before any build ever fetches them.
Without Cloudsmith: Self-hosted Hex registries built on community projects require your team to manage infrastructure, handle uptime, and deal with operational overhead that takes engineering time away from product work.
With Cloudsmith: Cloudsmith is fully managed with a guaranteed SLA. There is no server to run, no registry to patch, and no downtime to chase. Your team ships product; Cloudsmith handles the infrastructure.

Signs you're ready to switch to Cloudsmith for Hex

If your current Hex setup is creating friction for developers or leaving gaps in your security posture, Cloudsmith is the upgrade your team needs.
    No automated vulnerability scanning
    Your team is relying on manual mix deps.audit runs or bolt-on tools rather than continuous, automated scanning at the registry level. Cloudsmith scans every Hex package on upload so vulnerable packages never reach your builds.
    Access management that doesn't scale
    Managing individual hex.pm organisation memberships for dozens of engineers - with no SSO, no SCIM, and no fine-grained roles - becomes a security liability as your team grows. Cloudsmith integrates with your identity provider from day one.
    No governance over which packages enter your builds
    Without policy enforcement at the registry level, any team member can pull in an unapproved or outdated Hex dependency. Cloudsmith lets you define and enforce rules that block, quarantine, or require approval for packages that don't meet your standards.
    Hex packages siloed from the rest of your supply chain
    Your Hex packages, Docker images, and other artifacts all live in separate systems with no unified view. Cloudsmith consolidates all formats in one platform, giving your security and platform teams a single source of truth.
    Self-hosted infrastructure eating engineering time
    Running a custom Hex registry on S3 or a community project like MiniRepo means your team owns upgrades, backups, and availability. Cloudsmith is fully managed, so that operational burden disappears entirely.

Frequently asked questions

  1. Yes. Cloudsmith acts as a fully compatible private Hex repository. You configure it as a repo in your mix.exs using mix hex.repo add, and from that point all standard commands - including mix deps.get, mix hex.publish, and mix hex.organization auth - work without any modifications to your workflow.

  2. Yes. Cloudsmith performs automatic CVE and vulnerability scanning on all Hex packages at upload time. Findings are surfaced in the Cloudsmith dashboard and you can configure governance policies to quarantine or block packages that contain known vulnerabilities before any team member fetches them.

  3. You can authenticate CI pipelines using API keys or OIDC-based token exchange, removing the need to store long-lived credentials. Generate a scoped API key from the Cloudsmith dashboard and pass it to mix hex.repo add, or use Cloudsmith's OIDC integration for keyless authentication in supported CI environments.

  4. Yes. Cloudsmith's policy engine lets you create rules that govern which packages can enter your repositories. You can block specific package versions, require metadata fields to be present, or automatically quarantine packages that do not meet your defined criteria before any build fetches them.

  5. Yes. Cloudsmith integrates with major identity providers via SAML 2.0, supporting SSO for all users. SCIM provisioning is also supported, enabling automatic user onboarding and offboarding as your team changes without manual management of individual repository memberships.

  6. Yes. A single Cloudsmith workspace supports 30+ package formats including Hex, Docker, NPM, Maven, Python, and more. This gives your security and platform teams a single source of truth for all software artifacts across every format your organisation uses.

  7. Cloudsmith distributes packages via a CDN-backed network with 600+ global edge points of presence. Teams in Europe, North America, and Asia-Pacific all benefit from low-latency dependency fetches, reducing the time your CI pipelines spend waiting on mix deps.get.

  8. Yes. You can upload existing Hex packages directly to Cloudsmith using the Cloudsmith CLI or REST API. Once migrated, you update your repo configuration in mix.exs to point at Cloudsmith, and your team's existing workflows continue without disruption.

  9. Cloudsmith records every package upload, download, policy action, and configuration change in immutable audit logs. You get a full timeline of who published or fetched which package and when, exportable for ingestion into your SIEM or third-party analytics tooling.

  10. Cloudsmith is fully managed. There is no server to provision, no registry software to install, and no infrastructure to maintain. Cloudsmith handles availability, scaling, backups, and upgrades, and provides a contractual SLA so your team can focus entirely on building software.
