Automatic Gemfile security audit for all your organization/user repos
tag: v0.1.0

bin
lib/bundler
spec
.gitignore
.travis.yml
Gemfile
Gemfile.lock
Rakefile
Readme.md
bundler-organization_audit.gemspec
gem-public_cert.pem

Readme.md

Audit all Gemfiles of a user/organization on Github for unpatched versions

gem install bundler-organization_audit

Usage

Public repos

For yourself (git config github.user)

bundle-organization-audit
parallel
No Gemfile.lock found

parllel_tests
bundle-audit
No unpatched versions found

rails_example_app
bundle-audit
Name: rack
Version: 1.4.4
CVE: 2013-0263
Criticality: High
URL: http://osvdb.org/show/osvdb/89939
Title: Rack Rack::Session::Cookie Function Timing Attack Remote Code Execution
Patched Versions: ~> 1.1.6, ~> 1.2.8, ~> 1.3.10, ~> 1.4.5, >= 1.5.2

Vulnerable:
https://github.com/grosser/rails_example_app

For someone else

bundle-organization-audit --user grosser

Ignore gems (ignores repos that have a %{repo}.gemspec)

bundle-organization-audit --ignore-gems

For pipes -> only show vulnerable repos (everything else goes to stderr)

bundle-organization-audit 2>/dev/null

Use for CI -> ignore old/unmaintained projects

bundle-organization-audit \
  --ignore https://github.com/xxx/a \
  --ignore https://github.com/xxx/b \
  --organization xxx \
  --token yyy
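To make the per-repo behaviour above concrete (skip ignored URLs and gem repos, report "No Gemfile.lock found", compare each locked version against the advisory's "Patched Versions" list, and print only vulnerable repo URLs on stdout so that 2>/dev/null leaves a clean list), here is an added, self-contained Ruby example. It is not the gem's own code and never talks to GitHub or runs bundle-audit: the advisory data is a single constructed record copied from the sample output above, the repos are constructed fixture directories under a temp dir, and the version check uses Ruby's standard Gem::Requirement, which is also how bundle-audit reads patched-version constraints.

```ruby
# Added example, not code from bundler-organization_audit. Models one audit run
# offline: repo filtering, Gemfile.lock parsing and patched-version checks.
require "rubygems"   # Gem::Version / Gem::Requirement (stdlib)
require "tmpdir"
require "fileutils"

# Constructed advisory list in the shape bundle-audit prints. Values are the
# ones shown in the README's sample output; a real run would load the
# ruby-advisory-db through bundle-audit instead.
ADVISORIES = [
  { name: "rack", cve: "2013-0263", criticality: "High",
    patched: "~> 1.1.6, ~> 1.2.8, ~> 1.3.10, ~> 1.4.5, >= 1.5.2" }
].freeze

# Parse the "specs:" section of a Gemfile.lock into { gem name => version }.
# Top-level gems are indented by exactly four spaces; lines indented deeper are
# dependencies of the gem above them and carry requirements, not versions.
def lock_versions(lock_text)
  versions = {}
  in_specs = false
  lock_text.each_line do |line|
    if line =~ /^\s+specs:$/
      in_specs = true
      next
    end
    in_specs = false if line =~ /^\S/   # next top-level section (PLATFORMS, DEPENDENCIES, ...)
    next unless in_specs
    if (m = line.match(/\A    ([^\s(]+) \(([^)]+)\)\s*\z/))
      versions[m[1]] = m[2]
    end
  end
  versions
end

# A locked version is unpatched when none of the patched-version requirements
# admits it. "~> 1.4.5" means ">= 1.4.5, < 1.5", so rack 1.4.4 falls through
# every clause in the advisory above.
def unpatched?(version, patched_list)
  v = Gem::Version.new(version)
  patched_list.split(",").none? { |req| Gem::Requirement.new(req.strip).satisfied_by?(v) }
end

# Audit one checked-out repo directory. Returns [status, findings] where status
# is :ignored, :no_lockfile, :clean or :vulnerable, mirroring the CLI's output.
def audit_repo(dir, url: nil, ignore: [], ignore_gems: false)
  return [:ignored, []] if url && ignore.include?(url)                       # --ignore URL
  return [:ignored, []] if ignore_gems && !Dir.glob(File.join(dir, "*.gemspec")).empty?  # --ignore-gems
  lock = File.join(dir, "Gemfile.lock")
  return [:no_lockfile, []] unless File.exist?(lock)
  versions = lock_versions(File.read(lock))
  findings = ADVISORIES
    .select { |a| versions[a[:name]] && unpatched?(versions[a[:name]], a[:patched]) }
    .map { |a| a.merge(version: versions[a[:name]]) }
  [findings.empty? ? :clean : :vulnerable, findings]
end

# Audit every repo; progress and findings go to stderr, only vulnerable repo
# URLs go to stdout, so `2>/dev/null` yields a pipe-friendly list.
def audit_all(repos, **opts)
  vulnerable = []
  repos.each do |url, dir|
    status, findings = audit_repo(dir, url: url, **opts)
    $stderr.puts "#{url}: #{status}"
    findings.each { |f| $stderr.puts "  #{f[:name]} #{f[:version]} CVE-#{f[:cve]} #{f[:criticality]} (patched: #{f[:patched]})" }
    vulnerable << url if status == :vulnerable
  end
  vulnerable.each { |url| $stdout.puts url }
  vulnerable
end

# Constructed lockfiles standing in for fetched Gemfile.lock contents.
RAILS_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (1.4.4)
      rails (3.2.13)
        rack (~> 1.4.4)

  PLATFORMS
    ruby

  DEPENDENCIES
    rails
LOCK

CLEAN_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      parallel (0.6.4)
      rack (1.5.2)

  PLATFORMS
    ruby

  DEPENDENCIES
    parallel
    rack
LOCK

# Build constructed repo directories under `root` (organization name is made up).
def build_fixture(root)
  repos = {}
  { "parallel"          => {},                                   # no Gemfile.lock
    "parllel_tests"     => { "Gemfile.lock" => CLEAN_LOCK },
    "rails_example_app" => { "Gemfile.lock" => RAILS_LOCK },
    "some_gem"          => { "Gemfile.lock" => RAILS_LOCK, "some_gem.gemspec" => "" } }.each do |name, files|
    dir = File.join(root, name)
    FileUtils.mkdir_p(dir)
    files.each { |file, body| File.write(File.join(dir, file), body) }
    repos["https://github.com/example-org/#{name}"] = dir
  end
  repos
end

if __FILE__ == $0
  Dir.mktmpdir do |root|
    audit_all(build_fixture(root), ignore: ["https://github.com/example-org/parallel"], ignore_gems: true)
  end
end
```

Run it as `ruby audit_example.rb 2>/dev/null` to see only the vulnerable URL on stdout; drop the redirect to see the per-repo statuses, including the gem repo skipped by ignore_gems and the repo without a lockfile.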

Private repos

# create a token that has access to your repositories
curl -v -u your-user-name -X POST https://api.github.com/authorizations --data '{"scopes":["repo"]}'
enter your password -> TOKEN

GitHub has since removed the authorizations endpoint used above; a personal access token with the repo scope created in your GitHub settings works the same way. Such a token grants read/write access to all your private repos, so keep it in a CI secret rather than on the command line.

bundle-organization-audit --user your-user --token TOKEN --organization your-organization

Dev

  • test private repo fetching by running cp spec/private{.example,}.yml and filling in the copied file

Author

Michael Grosser
michael@grosser.it
License: MIT