Run bundler-audit Regularly on Your Rails Apps with Rake

Rails developers responsible for maintaining production apps will regularly run bundler-audit to alert them to known vulnerabilities in the Ruby gems their apps depend on. Thank you to postmodern for creating and maintaining this vital tool for the Ruby community.

bundler-audit is a command line tool with a database of known gem vulnerabilities. It can update its database with the latest vulnerabilities and check your Gemfile.lock to warn you of gem versions with known security issues.

When bundler-audit identifies a problem, it becomes your responsibility to handle updating the gem, or, under rare circumstances, ignoring its warnings if you’re confident your app is not vulnerable.

Please remember it’s up to you to run bundler-audit’s update command to refresh its database with the latest vulnerabilities. bundler-audit does not update its database automatically.

One way to start running bundler-audit regularly on your Rails projects is to make it part of your default Rake task, assuming you run the bare rake command regularly.

Thank you to thoughtbot/suspenders for open-sourcing the code shown below for running bundler-audit as part of a default Rake task.

Call your soon-to-be-written bundler:audit task as part of your default Rake task by editing the project Rakefile as shown:

# File: ./Rakefile
require File.expand_path('../config/application', __FILE__)

Rails.application.load_tasks

# New: run the bundler:audit task whenever bare `rake` is run
task default: 'bundler:audit'

Write the bundler:audit Rake task by creating the lib/tasks/bundler_audit.rake file with contents:

# File: ./lib/tasks/bundler_audit.rake
# bundler-audit lives in the :development, :test Gemfile group (with
# require: false), so only define the task where the gem is installed.
if Rails.env.development? || Rails.env.test?
  require 'bundler/audit/cli'

  namespace :bundler do
    desc 'Updates the ruby-advisory-db and runs audit'
    task :audit do
      # `update` refreshes the local advisory database; `check` scans
      # Gemfile.lock and exits non-zero if a vulnerable gem is found.
      %w(update check).each do |command|
        Bundler::Audit::CLI.start [command]
      end
    end
  end
end

Add the bundler-audit gem to your Gemfile in the :development, :test group. The require: false option is recommended so the gem is not loaded unless you are performing the bundler:audit rake task:

group :development, :test do
  gem 'bundler-audit', require: false  # new
  ...
end

Run bundle install to install the bundler-audit gem, then run bin/rake to execute the default rake task.

Review the Rake output to ensure the bundler:audit task did run.

Note you can also run bin/rake bundler:audit to run only the new audit task.
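As an added example (not code from this post, from bundler-audit, or from suspenders), here is a simplified model of what the check step does: it parses the specs in Gemfile.lock and matches each locked version against advisories in the shape ruby-advisory-db uses. The gem names, versions and advisory ids are constructed for illustration only.

```ruby
# Added example, not code from the post or from bundler-audit: a simplified
# model of the `check` step. All gems, versions and advisory ids below are
# constructed for illustration and describe no real vulnerability.

# Constructed Gemfile.lock excerpt; only the lines under `specs:` are used.
LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      sanitizr (1.0.2)
      tidy-logger (0.9.5)
      widgetkit (2.1.0)
LOCK

# Constructed advisories. A locked version is safe when it satisfies any
# patched_versions or unaffected_versions requirement; otherwise it is a hit.
ADVISORIES = [
  { gem: 'widgetkit',   id: 'CONSTRUCTED-0001',
    patched_versions: ['~> 2.0.3', '>= 2.1.2'], unaffected_versions: ['< 2.0'] },
  { gem: 'sanitizr',    id: 'CONSTRUCTED-0002',
    patched_versions: ['>= 1.0.3'],             unaffected_versions: [] },
  { gem: 'tidy-logger', id: 'CONSTRUCTED-0003',
    patched_versions: ['>= 1.0.0'],             unaffected_versions: ['~> 0.9.5'] }
]

# Parse the 4-space-indented "name (version)" spec lines into {name => Gem::Version}.
def locked_gems(lockfile)
  lockfile.each_line.with_object({}) do |line, gems|
    m = line.match(/\A {4}(\S+) \(([^\s()]+)\)\s*\z/)
    gems[m[1]] = Gem::Version.new(m[2]) if m
  end
end

# Vulnerable only if no patched or unaffected range covers the locked version.
def vulnerable?(version, advisory)
  safe = advisory[:patched_versions] + advisory[:unaffected_versions]
  safe.none? { |req| Gem::Requirement.new(req).satisfied_by?(version) }
end

# Returns [[gem, version, advisory_id], ...], in advisory order, for every hit.
def audit(lockfile, advisories)
  gems = locked_gems(lockfile)
  advisories.each_with_object([]) do |adv, hits|
    version = gems[adv[:gem]]
    hits << [adv[:gem], version.to_s, adv[:id]] if version && vulnerable?(version, adv)
  end
end

audit(LOCKFILE, ADVISORIES).each { |name, ver, id| puts "#{name} #{ver}: #{id}" }
```

bundler-audit’s real check command exits non-zero when it finds a hit, which is what makes the bundler:audit task, and therefore the default task, fail.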

Published by Eliot Sykes

I help teams grow their Rails apps and themselves as a Rails consultant and coach for Rails developers.