Rails developers responsible for maintaining production apps will regularly run bundler-audit to alert them to known vulnerabilities in the Ruby gems their apps depend on. Thank you to postmodern for creating and maintaining this vital tool for the Ruby community.
bundler-audit is a command line tool backed by a database of known gem vulnerabilities, the ruby-advisory-db. It can update that database with the latest advisories and check your Gemfile.lock to warn you of gem versions with known security issues.
When bundler-audit reports a problem, it becomes your responsibility to update the gem or, in rare cases, to ignore the warning if you have confirmed your app is not affected by that particular advisory (the check command's --ignore option takes a list of advisory IDs to skip).
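To make concrete what check does with your Gemfile.lock, and what ignoring an advisory means, here is an added illustration written for this post; it is not bundler-audit's own code. It uses only the Ruby standard library (Gem::Version and Gem::Requirement). The advisory table, the advisory IDs (EXAMPLE-0001, EXAMPLE-0002) and the Gemfile.lock are constructed for the example and describe no real vulnerability, and the ignore: keyword stands in for the check command's --ignore option.

```ruby
# Added illustration, NOT bundler-audit's own code: a stripped-down version of
# the check bundler-audit performs, using only the Ruby standard library.
# The advisory table, the advisory IDs (EXAMPLE-000x) and the Gemfile.lock
# below are constructed for this example and describe no real vulnerability.
require 'rubygems' # Gem::Version and Gem::Requirement

# Constructed stand-in for ruby-advisory-db. A real advisory lists the version
# requirements that are patched (fixed) or unaffected (never vulnerable).
ADVISORIES = {
  'rack' => [
    { id: 'EXAMPLE-0001',
      patched_versions: ['~> 2.2.3', '>= 3.0.0'],
      unaffected_versions: [] },
  ],
  'nokogiri' => [
    { id: 'EXAMPLE-0002',
      patched_versions: ['>= 1.13.0'],
      unaffected_versions: ['< 1.10.0'] },
  ],
}.freeze

# Parse the `specs:` block of a Gemfile.lock into { gem name => Gem::Version }.
# Top-level specs are indented exactly four spaces; their dependencies
# (six spaces) are skipped, as are the PLATFORMS/DEPENDENCIES sections.
def parse_lockfile(text)
  versions = {}
  in_specs = false
  text.each_line do |line|
    if line =~ /\A  specs:\s*\z/
      in_specs = true
      next
    end
    in_specs = false if in_specs && line =~ /\A\S/ # a new top-level section begins
    next unless in_specs
    next unless line =~ /\A {4}(\S+) \(([^)]+)\)\s*\z/
    # Lockfiles may append a platform (e.g. 1.12.5-x86_64-linux); it is not
    # part of the version number, so drop it before comparing.
    versions[$1] = Gem::Version.new($2.split('-', 2).first)
  end
  versions
end

# A version is vulnerable unless it satisfies one of the advisory's unaffected
# or patched requirements; this is the rule bundler-audit applies.
def vulnerable?(version, advisory)
  safe = advisory[:unaffected_versions] + advisory[:patched_versions]
  safe.none? { |req| Gem::Requirement.new(req).satisfied_by?(version) }
end

# Return [gem, version, advisory id] for every vulnerable gem in the lockfile,
# skipping advisory IDs listed in +ignore+ (the counterpart of
# `bundler-audit check --ignore`, for advisories you have confirmed do not
# affect your app).
def audit(lockfile_text, ignore: [])
  parse_lockfile(lockfile_text).flat_map do |name, version|
    ADVISORIES.fetch(name, [])
              .select { |adv| vulnerable?(version, adv) && !ignore.include?(adv[:id]) }
              .map { |adv| [name, version.to_s, adv[:id]] }
  end
end

# Constructed Gemfile.lock for the demonstration.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.12.5-x86_64-linux)
        racc (~> 1.4)
      racc (1.6.0)
      rack (2.2.2)

  PLATFORMS
    x86_64-linux

  DEPENDENCIES
    nokogiri
    rack

  BUNDLED WITH
     2.3.7
LOCK

if $PROGRAM_NAME == __FILE__
  audit(SAMPLE_LOCKFILE).each do |name, version, id|
    puts "#{name} #{version}: #{id}"
  end
end
```

Run as a script it lists nokogiri 1.12.5 and rack 2.2.2 with their constructed advisory IDs; passing ignore: ['EXAMPLE-0002'] drops the nokogiri line, which is exactly the decision the post asks you to make consciously and rarely. The real tool adds the database download and update, the insecure-source checks and the report formatting, but the version comparison at its core is the one shown here.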
Please remember it is up to you to run bundler-audit's update command to refresh its database with the latest vulnerabilities. bundler-audit does not update its database automatically, and a stale database will report a clean result for gems whose advisories were published after your last update.
One way to begin running bundler-audit regularly on your Rails projects is to make it part of your default Rake task, assuming you run the bare rake command regularly.
Thank you to thoughtbot/suspenders for open-sourcing the code shown below for running bundler-audit as part of a default Rake task.
Call your soon-to-be-written bundler:audit task as part of your default Rake task by editing the project Rakefile as shown:
# File: ./Rakefile
require File.expand_path('../config/application', __FILE__)
Rails.application.load_tasks
+
+task default: 'bundler:audit'
Write the bundler:audit task by creating the lib/tasks/bundler_audit.rake file with the contents below. The task is defined only in the development and test environments, matching the Gemfile group the gem is installed in; when check finds a vulnerable gem it exits with a non-zero status, so the default Rake task fails instead of silently passing.
# File: ./lib/tasks/bundler_audit.rake
if Rails.env.development? || Rails.env.test?
  require 'bundler/audit/cli'

  namespace :bundler do
    desc 'Updates the ruby-advisory-db and runs audit'
    task :audit do
      # Refresh the local advisory database first, then check Gemfile.lock
      # against it. `check` exits non-zero when it finds a vulnerable gem.
      %w(update check).each do |command|
        Bundler::Audit::CLI.start [command]
      end
    end
  end
end
Add the bundler-audit gem to your Gemfile in the :development, :test group. The require: false option is recommended so Bundler does not load the gem when your app boots; the Rake task requires it explicitly when you run bundler:audit:
group :development, :test do
+ gem 'bundler-audit', require: false
...
end
Run bundle install to install the bundler-audit gem, then run bin/rake to execute the default Rake task. Review the Rake output to ensure the bundler:audit task did run. Note that you can also run bin/rake bundler:audit to run only the new audit task.