RubyAudit: Tirelessly auditing Ruby and RubyGems so you don’t have to

February 4, 2016 Jeff Cousens

Security is hard. You’re busy writing code, but you also want to keep your application secure, so you’re doing double-duty developing new features and keeping an eye on vulnerabilities. You follow Hacker News and Reddit, but you know any good security strategy revolves around defense in depth, and you’re looking to add additional, automated tiers to help keep an eye on security for you. Fortunately, Ruby has some great tools to help you out.

bundler-audit is one such tool. It provides patch-level verification of your Gemfile, auditing your gems for security vulnerabilities so you don’t have to. It easily integrates into your continuous integration workflow, letting you focus on building software and trust that your build will fail when something needs attention. We use it every day, and couldn’t imagine maintaining a complex software application’s dependencies without it.

When CVE-2015-3900 was announced, we found ourselves looking for a similar tool to audit Ruby and RubyGems. To our surprise, we couldn’t find one. So we built it.

RubyAudit was written to complement bundler-audit, providing complete coverage for your Ruby stack. It behaves like bundler-audit, and integrates in the same way. For example, from our .travis.yml:


script:
  - ruby-audit
  - bundle-audit
  - rake

Now when an advisory is released, our build fails. We can immediately assign someone to work on upgrading our version of Ruby or RubyGems, ensuring a prompt response. In the meantime, we can get our build passing again by telling RubyAudit to ignore the advisory:


script:
  - ruby-audit -i CVE-2015-7551
  - bundle-audit
  - rake

This provides an automated tier that reinforces our other approaches to security, helping us stay on top of security advisories.
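To show what the patch-level check behind this CI flow is doing, here is a small stand-alone Ruby example (added here, not RubyAudit's or bundler-audit's own code). It parses a constructed advisory written in the style of a ruby-advisory-db entry (engine plus patched/unaffected version requirements; the CVE id and version ranges are made up for illustration), decides whether a given engine version is affected using Ruby's built-in Gem::Version and Gem::Requirement, and honours an ignore list the way the `-i CVE-...` flag above does.

```ruby
require 'rubygems' # Gem::Version / Gem::Requirement ship with Ruby
require 'yaml'

# Constructed sample advisory in the style of a ruby-advisory-db "rubies"
# entry. The CVE id and version ranges are illustrative, not a real advisory.
SAMPLE_ADVISORY_YAML = <<~YAML
  engine: ruby
  cve: "2099-0000"
  title: "Constructed example advisory"
  patched_versions:
    - "~> 2.2.4"
    - ">= 2.3.0"
  unaffected_versions:
    - "< 2.0.0"
YAML

Advisory = Struct.new(:engine, :cve, :patched, :unaffected) do
  def self.from_yaml(text)
    h = YAML.safe_load(text)
    new(h['engine'], "CVE-#{h['cve']}",
        Array(h['patched_versions']).map { |r| Gem::Requirement.new(r) },
        Array(h['unaffected_versions']).map { |r| Gem::Requirement.new(r) })
  end

  # A version is vulnerable unless it was never affected or is already patched.
  def vulnerable?(version)
    v = Gem::Version.new(version)
    return false if unaffected.any? { |r| r.satisfied_by?(v) }
    return false if patched.any? { |r| r.satisfied_by?(v) }
    true
  end
end

# Mirrors the CI flow above: return the advisories that should fail the build,
# skipping any CVE ids the team has deliberately chosen to ignore (ruby-audit -i ...).
def audit(engine, version, advisories, ignore: [])
  advisories.select do |a|
    a.engine == engine && !ignore.include?(a.cve) && a.vulnerable?(version)
  end
end

if __FILE__ == $PROGRAM_NAME
  adv = Advisory.from_yaml(SAMPLE_ADVISORY_YAML)
  hits = audit('ruby', RUBY_VERSION, [adv])
  puts(hits.empty? ? 'No vulnerabilities found' : "Vulnerable: #{hits.map(&:cve).join(', ')}")
end
```

Running it against the interpreter's own RUBY_VERSION prints one line; in a real pipeline the non-empty case is where the build is failed.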

We’ve open-sourced RubyAudit on GitHub and published the gem to RubyGems.org. We encourage you to add it to your Gemfile, and welcome issues or pull requests.

As with many open-source projects, we do great things by building on top of those that came before. RubyAudit would not exist without the hard work of the rubysec team, specifically bundler-audit and ruby-advisory-db.

The post RubyAudit: Tirelessly auditing Ruby and RubyGems so you don’t have to appeared first on Civis Analytics.
