Secure Your Ruby / Rails App with bundler-audit #8
bundler-audit is a gem which provides patch-level verification for Bundler.
When you use Bundler, a lockfile
Let's see how we can use bundler-audit.
First, install bundler-audit:
```
$ bundle-audit
Insecure Source URI found: git://github.com/rails/turbolinks.git
Vulnerabilities found!
```
Note that the command is
bundler-audit is warning us that an "Insecure Source URI" has been found, and that's because a gem is installed from an insecure source
The solution is to either install the gem from
How does bundler-audit know about all the vulnerabilities?
Beneath the hood, bundler-audit is using data from ruby-advisory-db to check your Gemfile.lock. And while
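As an added illustration (not bundler-audit's own code), the following Ruby scans the `remote:` lines of a Gemfile.lock for sources fetched over unauthenticated transports, which is the class of finding behind the "Insecure Source URI" warning shown above; the scheme list and the sample lockfile are constructed for this example.

```ruby
require "uri"

# Transports that do not authenticate the server, so a gem fetched over them
# can be altered in transit. Constructed list for this example, modelled on the
# kind of check behind bundler-audit's "Insecure Source URI" warning.
INSECURE_SCHEMES = %w[git http].freeze

# Parse every "remote:" line of a Gemfile.lock and return the URIs whose
# scheme is in INSECURE_SCHEMES. Lines that are not valid URIs are skipped.
def insecure_sources(lockfile_text)
  lockfile_text.each_line.filter_map do |line|
    match = line.match(/^\s*remote:\s*(\S+)\s*$/)
    next unless match
    remote = match[1]
    scheme = begin
      URI.parse(remote).scheme
    rescue URI::InvalidURIError
      nil
    end
    remote if INSECURE_SCHEMES.include?(scheme)
  end
end

# Constructed sample lockfile: one git:// source (the case from the post) and one
# https:// rubygems source that should pass. Revision and versions are placeholders.
SAMPLE_LOCKFILE = <<~LOCK
  GIT
    remote: git://github.com/rails/turbolinks.git
    revision: 0000000000000000000000000000000000000000
    specs:
      turbolinks (0.0.0)

  GEM
    remote: https://rubygems.org/
    specs:
      rake (0.0.0)
LOCK

if __FILE__ == $PROGRAM_NAME
  found = insecure_sources(SAMPLE_LOCKFILE)
  found.each { |uri| puts "Insecure Source URI found: #{uri}" }
  puts(found.empty? ? "No insecure source URIs found" : "Vulnerabilities found!")
end
```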
Hook bundler-audit to your CI Workflow
It's easy to integrate bundler-audit as part of your CI workflow,
First, add a
```
$ touch lib/bundler/audit/task.rb
```
with the following content:
```ruby
require "rake/tasklib"

module Bundler
  module Audit
    class Task < Rake::TaskLib
      def initialize
        define
      end

      protected

      def define
        namespace :bundle do
          desc "Updates the ruby-advisory-db then runs bundle-audit"
          task :audit do
            require "bundler/audit/cli"
            %w(update check).each do |command|
              Bundler::Audit::CLI.start [command]
            end
          end
        end
      end
    end
  end
end
```
If you run your specs or tests with
```ruby
require_relative "lib/bundler/audit/task"
Bundler::Audit::Task.new
task default: "bundle:audit"
```
Or any other form of Rakefile:
Now when you run
Secure your app with bundler-audit today!
Thanks for reading!