Gem authors regularly report security issues, as responsible maintainers of open-source software do. Unfortunately, unless you follow the GitHub repository of every gem you use, it's hard to keep up with the security news for the dozens of gems in a typical project.
Luckily, we’re programmers who like to write tools for programmers.
Enter bundle-audit, a handy gem to check your Gemfile.lock for reported vulnerabilities.
It's easy enough to fetch the latest advisory data and scan your lockfile against it:
$ gem install bundler-audit
$ bundle-audit update
$ bundle-audit check
but who can be bothered to remember to run this frequently? As developers, we should rely on computers to do routine tasks, right?
Let’s add an automated check to our Continuous Integration service. In this case, we’re using CircleCI.
Note: If you’re using Travis, see Adam Prescott’s nice writeup for how to do the same there.
First, let’s add the gem to our development and test environments:
# Gemfile
group :development, :test do
  # require: false keeps the gem out of the app's load path; we only need its executable.
  gem 'bundler-audit', require: false
  # ...
end
Now let's add the appropriate command to our CircleCI build configuration:
# circle.yml
dependencies:
  pre:
    - gem install bundler rake
  post:
    - bundle exec bundle-audit update && bundle exec bundle-audit check
I added this to the "dependencies" group since it's related to gems, and ran it after everything else using post to ensure I could run the gem executable.
That's it! Now the build will break whenever one of our gems matches a reported vulnerability.