bundler-audit
bundler-audit is a gem which provides patch-level verification for Bundler.
When you use Bundler, a lockfile named Gemfile.lock is generated in your project,
and bundler-audit scans that Gemfile.lock to see if you are:
- Using a vulnerable version of a gem
- Installing gems from an insecure source, such as a remote fetched over
http:// or git://
Let's see how we can use bundler-audit.
First, install bundler-audit:
$ gem install bundler-audit
Let's take a look at an example. The following is the output when run against jollygoodcode/dasherize at commit 1eaf973:

$ bundle-audit
Insecure Source URI found: git://github.com/rails/turbolinks.git
Vulnerabilities found!

Note that the command is bundle-audit (no "r"), even though the gem is called bundler-audit.

bundler-audit is warning us that an "Insecure Source URI" has been found, because a gem is installed from git://github.com. The git:// protocol carries no transport encryption or server authentication, so it is open to MITM attacks: anyone on the network path can serve modified code in place of the gem.

The fix is to either fetch the gem over https:// or depend on a released version of the gem from rubygems.org.
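To make the two checks concrete, here is an added example (not bundler-audit's own code) that performs a miniature version of them on a Gemfile.lock: it flags remotes fetched over http:// or git:// and reports specs whose version satisfies none of an advisory's patched_versions requirements. The lockfile and the advisories are constructed for the example; the advisory hashes only mirror the gem and patched_versions fields of a ruby-advisory-db entry, and the version numbers in them are illustrative, not real advisories.

```ruby
# Added example, not bundler-audit's own code: a minimal version of the two
# checks bundle-audit performs on Gemfile.lock.
#   1. insecure source URIs: remotes fetched over http:// or git://
#   2. vulnerable versions: specs whose version satisfies none of an
#      advisory's patched_versions requirements
# Lockfile and advisories below are constructed for this example.
require "uri"
require "rubygems" # Gem::Version and Gem::Requirement

INSECURE_SCHEMES = %w[http git].freeze

# Constructed Gemfile.lock in Bundler's layout: top-level specs sit at
# 4 spaces, their own dependencies at 6.
SAMPLE_LOCKFILE = <<~LOCK
  GIT
    remote: git://github.com/rails/turbolinks.git
    revision: 0123456789abcdef0123456789abcdef01234567
    specs:
      turbolinks (2.5.3)

  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.6.7)
        mini_portile2 (~> 2.0.0.rc2)
      rack (1.5.2)
      rails-html-sanitizer (1.0.2)

  PLATFORMS
    ruby

  DEPENDENCIES
    nokogiri
    rack
    rails-html-sanitizer
    turbolinks!
LOCK

# Constructed advisories; the version ranges and titles are illustrative.
SAMPLE_ADVISORIES = [
  { "gem" => "rack", "patched_versions" => ["~> 1.5.4", ">= 1.6.1"],
    "title" => "example: rack advisory" },
  { "gem" => "rails-html-sanitizer", "patched_versions" => [">= 1.0.3"],
    "title" => "example: rails-html-sanitizer advisory" },
  { "gem" => "nokogiri", "patched_versions" => [">= 1.6.6"],
    "title" => "example: nokogiri advisory (already patched above)" },
].freeze

# Extracts every `remote:` URI and every top-level `name (version)` spec line.
def parse_lockfile(text)
  remotes = []
  specs = []
  in_specs = false
  text.each_line do |raw|
    line = raw.rstrip
    next if line.empty?
    if line.match?(/\A[A-Z]+\z/)           # GIT / GEM / PLATFORMS / DEPENDENCIES
      in_specs = false
    elsif (m = line.match(/\A\s+remote:\s+(\S+)\z/))
      remotes << m[1]
    elsif line.match?(/\A\s+specs:\z/)
      in_specs = true
    elsif in_specs && (m = line.match(/\A {4}(\S+) \(([^)]+)\)\z/))
      specs << [m[1], m[2]]                 # 6-space dependency lines do not match
    end
  end
  { remotes: remotes, specs: specs }
end

# http:// and git:// give no transport authentication, so an on-path attacker
# can substitute code; https:// is the only scheme treated as safe here.
def insecure_sources(remotes)
  remotes.select { |remote| INSECURE_SCHEMES.include?(URI(remote).scheme) }
end

# A version counts as patched when it satisfies at least one requirement.
def patched?(version, requirements)
  v = Gem::Version.new(version)
  requirements.any? { |req| Gem::Requirement.new(req).satisfied_by?(v) }
end

# Every locked (gem, version) that an advisory covers and that is not patched.
def vulnerable_specs(specs, advisories)
  specs.flat_map do |name, version|
    advisories
      .select { |adv| adv["gem"] == name }
      .reject { |adv| patched?(version, adv["patched_versions"]) }
      .map { |adv| { gem: name, version: version, title: adv["title"] } }
  end
end

def audit(lockfile_text, advisories = SAMPLE_ADVISORIES)
  parsed = parse_lockfile(lockfile_text)
  { insecure_sources: insecure_sources(parsed[:remotes]),
    vulnerabilities: vulnerable_specs(parsed[:specs], advisories) }
end

if $PROGRAM_NAME == __FILE__
  report = audit(SAMPLE_LOCKFILE)
  report[:insecure_sources].each { |uri| puts "Insecure Source URI found: #{uri}" }
  report[:vulnerabilities].each { |v| puts "#{v[:gem]} #{v[:version]}: #{v[:title]}" }
  puts(report.values.all?(&:empty?) ? "No vulnerabilities found" : "Vulnerabilities found!")
end
```

Run with `ruby audit_example.rb`: the git:// remote is reported, rack 1.5.2 and rails-html-sanitizer 1.0.2 are flagged, and nokogiri 1.6.7 is not because it satisfies the patched range. Real ruby-advisory-db entries also carry an unaffected_versions list, which this example ignores.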
How does bundler-audit know about all the vulnerabilities?
Under the hood, bundler-audit uses data from ruby-advisory-db to check your Gemfile.lock. Although bundler-audit ships with a vendored copy of that data, the copy is only as fresh as the gem release, so update ruby-advisory-db every time before you run bundle-audit:
$ bundle-audit update
Hook bundler-audit into your CI Workflow
It's easy to integrate bundler-audit into your CI workflow,
and the following steps work for any Ruby project (it doesn't have to be Rails).
First, add a Rake task:

$ touch lib/bundler/audit/task.rb

With the following content:

require "rake/tasklib"

module Bundler
  module Audit
    class Task < Rake::TaskLib
      def initialize
        define
      end

      protected

      def define
        namespace :bundle do
          desc "Updates the ruby-advisory-db then runs bundle-audit"
          task :audit do
            require "bundler/audit/cli"
            # `update` refreshes the local ruby-advisory-db clone, `check` scans
            # Gemfile.lock and exits non-zero when it finds a problem, which is
            # what makes the CI build fail.
            %w(update check).each do |command|
              Bundler::Audit::CLI.start [command]
            end
          end
        end
      end
    end
  end
end

If you run your specs or tests with rake, add this to Rakefile:

require_relative "lib/bundler/audit/task"
Bundler::Audit::Task.new
task default: "bundle:audit"

Or to any other form of rake file: rakefile, Rakefile, rakefile.rb, Rakefile.rb.
Now when you run rake, it will run your tests first and then update ruby-advisory-db before executing bundle-audit; because the check exits with a non-zero status on a vulnerable or insecurely sourced gem, the build fails instead of silently passing.
Newer bundler-audit releases ship an equivalent Bundler::Audit::Task of their own (loaded with require "bundler/audit/task"), so check the version you have installed before adding a file that would shadow it; with the gem's task, the require line and Bundler::Audit::Task.new in the Rakefile are all you need.
Secure your app with bundler-audit today!
bundler-audit is brought to you by rubysec; kudos to @rubysec and @postmodern.
Thanks for reading!
@JuanitoFatas ✏️ Jolly Good Code
About Jolly Good Code
We specialise in Agile practices and Ruby, and we love contributing to open source.
Speak to us about your next big idea, or check out our projects.
