Gem authors regularly report security issues, as responsible maintainers of open-source software do. Unfortunately, unless you follow the GitHub repository of every gem you use, it's hard to keep up with security news for the dozens of gems in a typical application.
Luckily, we're programmers who like to write tools for programmers. bundler-audit is a handy gem that checks your Gemfile.lock for gems with reported vulnerabilities.
It’s easy enough to update the latest vulnerabilities and scan your lockfile:
$ gem install bundler-audit
$ bundle-audit update
$ bundle-audit check
but who can be bothered to remember to run this frequently? As developers, we should rely on computers to do routine tasks, right?
Let’s add an automated check to our Continuous Integration service. In this case, we’re using CircleCI.
First, let’s add the gem to our development and test environments:
# Gemfile
group :development, :test do
  gem 'bundler-audit', require: false
  # ...
end
Now let’s add the appropriate command to our CircleCI build cascade:
dependencies:
  pre:
    - gem install bundler rake
  post:
    - bundle exec bundle-audit update && bundle exec bundle-audit check
I added this to the "dependencies" group since it's related to gems, and ran it after everything else using the post hook, so that the gems are already installed and the bundle-audit executable is available.
That's it! Now the build will break whenever one of our locked gem versions has a reported vulnerability.
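To make that build failure concrete, here is an added example (not bundler-audit's own code) of the check a lockfile scan performs: each gem's locked version is compared against an advisory's patched-version ranges, and non-HTTPS gem sources are flagged too. The lockfile excerpt and the EXAMPLE-* advisories are constructed for illustration; the real tool reads the ruby-advisory-db that "bundle-audit update" fetches.

```ruby
# Added example: a minimal model of what a Gemfile.lock audit does.
# Constructed data only; this is not bundler-audit's code or advisory database.
require 'rubygems'

# Constructed lockfile excerpt: one plaintext-http source and three gems.
LOCKFILE = <<~LOCK
  GEM
    remote: http://rubygems.org/
    specs:
      rack (1.4.5)
      rails (4.0.1)
      thor (0.18.1)
LOCK

# Constructed advisories (not real CVEs), in the shape of ruby-advisory-db
# entries: a locked version is vulnerable unless it satisfies a patched range.
ADVISORIES = [
  { gem: 'rack', id: 'EXAMPLE-0001', patched_versions: ['~> 1.4.6', '>= 1.5.2'] },
  { gem: 'thor', id: 'EXAMPLE-0002', patched_versions: ['>= 0.18.1'] },
]

# Parse top-level "name (version)" spec lines and "remote:" source URLs.
def parse_lockfile(text)
  specs   = text.scan(/^\s{4}(\S+) \(([^)]+)\)$/).map { |n, v| [n, Gem::Version.new(v)] }
  remotes = text.scan(/^\s+remote: (\S+)$/).flatten
  { specs: specs, remotes: remotes }
end

# A version is vulnerable when none of the patched ranges covers it.
def vulnerable?(version, patched_versions)
  patched_versions.none? { |req| Gem::Requirement.new(req).satisfied_by?(version) }
end

# Returns one finding per problem; a non-empty list means "fail the build".
def audit(lockfile_text, advisories)
  lock = parse_lockfile(lockfile_text)
  findings = lock[:remotes].grep(%r{\A(http|git)://}).map { |u| "insecure source #{u}" }
  lock[:specs].each do |name, version|
    advisories.select { |a| a[:gem] == name }.each do |adv|
      next unless vulnerable?(version, adv[:patched_versions])
      findings << "#{name} #{version} affected by #{adv[:id]} " \
                  "(patched: #{adv[:patched_versions].join(', ')})"
    end
  end
  findings
end

# Exit status a CI step would use: 1 breaks the build, 0 lets it pass.
def audit_exit_status(lockfile_text, advisories)
  audit(lockfile_text, advisories).empty? ? 0 : 1
end

audit(LOCKFILE, ADVISORIES).each { |f| puts f }
```

With the constructed data this prints the insecure source and the rack finding (thor 0.18.1 sits inside its patched range), and audit_exit_status returns 1.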