Rails developers responsible for maintaining production apps will regularly run bundler-audit to alert them to known vulnerabilities in the Ruby gems their apps depend on. Thank you to postmodern for creating and maintaining this vital tool for the Ruby community.
bundler-audit is a command line tool with a database of known gem vulnerabilities. It can update its database with the latest vulnerabilities and check your Gemfile.lock to warn you of gem versions with known security issues.
When bundler-audit identifies a problem, it becomes your responsibility to handle updating the gem, or, under rare circumstances, ignoring its warnings if you’re confident your app is not vulnerable.
Please remember it's up to you to run bundler-audit's update command to refresh its database with the latest vulnerabilities. bundler-audit does not update its database automatically.
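To make the check step less of a black box, here is an added example (not code from the original post and not bundler-audit's own implementation) of what an audit of a Gemfile.lock boils down to: read the pinned version of each gem from the lockfile's specs section and compare it against the patched version ranges listed in an advisory. The advisory list and the lockfile fragment are constructed sample data; the gem names, advisory ids and version numbers are placeholders, not real vulnerabilities.

```ruby
# Added example: a minimal lockfile audit in the spirit of bundler-audit.
# Everything below (advisories, lockfile, gem names) is constructed data.
require 'rubygems'

# Constructed advisories, shaped like ruby-advisory-db entries: a gem is
# considered vulnerable unless its version satisfies one patched requirement.
SAMPLE_ADVISORIES = [
  { gem: 'examplegem', id: 'EXAMPLE-0001',
    patched_versions: ['~> 1.0.5', '>= 1.1.2'] },
  { gem: 'othergem', id: 'EXAMPLE-0002',
    patched_versions: ['>= 2.0.0'] }
].freeze

# Constructed Gemfile.lock fragment in the format Bundler writes.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      examplegem (1.0.3)
      othergem (2.3.1)
      safegem (0.9.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    examplegem
    othergem
    safegem
LOCK

# Return { gem_name => Gem::Version } for the top-level entries under "specs:".
# Top-level specs are indented by exactly four spaces; a spec's own
# dependencies are indented deeper and are skipped. A platform suffix such
# as "-x86_64-linux" is dropped before the version is parsed.
def parse_lockfile_specs(text)
  specs = {}
  in_specs = false
  text.each_line do |line|
    if line.strip == 'specs:'
      in_specs = true
      next
    end
    next unless in_specs
    break if line.strip.empty?            # blank line ends the specs section
    m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/)
    next unless m
    specs[m[1]] = Gem::Version.new(m[2].sub(/-.*\z/, ''))
  end
  specs
end

# Return the advisories whose gem is present in the lockfile at a version
# that satisfies none of the advisory's patched requirements.
def audit(specs, advisories = SAMPLE_ADVISORIES)
  advisories.select do |adv|
    version = specs[adv[:gem]]
    next false unless version              # gem not used by this app
    adv[:patched_versions].none? do |req|
      Gem::Requirement.new(req).satisfied_by?(version)
    end
  end
end

# Advisory ids flagged for the constructed lockfile.
def sample_findings
  audit(parse_lockfile_specs(SAMPLE_LOCKFILE)).map { |a| a[:id] }
end

if __FILE__ == $PROGRAM_NAME
  findings = sample_findings
  if findings.empty?
    puts 'No known vulnerabilities found'
  else
    findings.each { |id| puts "Vulnerable: #{id}" }
  end
end
```

With the constructed data, examplegem 1.0.3 is flagged (it is below both patched ranges) while othergem 2.3.1 passes. A real audit step should also exit non-zero when findings are present, which is what makes bundler-audit's check fail a Rake or CI run; the example above only prints so that it can be reused as a library.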
One way to begin to run bundler-audit regularly on your Rails projects is to make it part of your default Rake task, assuming you run the bare rake command regularly.
Thank you to thoughtbot/suspenders for open-sourcing the code shown below for running bundler-audit as part of a default Rake task.
Call your soon-to-be-written bundler:audit task as part of your default Rake task by editing the project Rakefile as shown:
# File: ./Rakefile
require File.expand_path('../config/application', __FILE__)
Rails.application.load_tasks
+
+task default: 'bundler:audit'
Define the bundler:audit Rake task by creating the lib/tasks/bundler_audit.rake file with contents:
# File: ./lib/tasks/bundler_audit.rake
if Rails.env.development? || Rails.env.test?
  require 'bundler/audit/cli'

  namespace :bundler do
    desc 'Updates the ruby-advisory-db and runs audit'
    task :audit do
      %w(update check).each do |command|
        Bundler::Audit::CLI.start [command]
      end
    end
  end
end
Add the bundler-audit gem to your Gemfile in the :development, :test group. The require: false option is recommended so the gem is not loaded unless you are performing the bundler:audit rake task:
group :development, :test do
+  gem 'bundler-audit', require: false
  ...
end
Run bundle install to install the bundler-audit gem, then run bin/rake to execute the default rake task.
Review the Rake output to ensure the bundler:audit task did run.
Note you can also run bin/rake bundler:audit to run only the new audit task.