Adarsh Pandit

Software Developer

Automate Gem Vulnerability Checks

By Adarsh Pandit in rails

Gem authors regularly report security issues as responsible maintainers of open-source software. Unfortunately, unless you follow every Github repository for every gem that you use, it’s hard to keep up with news on the dozens of gems you use.

Luckily, we’re programmers who like to write tools for programmers.

Enter bundle-audit, a handy gem to check your Gemfile.lock for reported vulnerabilities.

It’s easy enough to update the latest vulnerabilities and scan your lockfile:

$ gem install bundler-audit
$ bundle-audit update
$ bundle-audit check

but who can be bothered to remember to run this frequently? As developers, we should rely on computers to do routine tasks, right?

Let’s add an automated check to our Continuous Integration service. In this case, we’re using CircleCI.

Note: If you’re using Travis, see Adam Prescott’s nice writeup for how to do the same there.

First, let’s add the gem to our development and test environments:

# Gemfile
group :development, :test do
  gem 'bundler-audit', require: false
  # ...

Now let’s add the appropriate command to our CircleCI build cascade:

    - gem install bundler rake
    - bundle exec bundle-audit update && bundle exec bundle-audit check

I added this to the “dependencies” group since it’s related to gems, and ran it after everything else using post to ensure I could run the gem executable.

That’s it! Now the build will break if one of our gems is insecure.

Written by Adarsh Pandit

Read more posts by Adarsh, and follow Adarsh on Twitter.