Run Bundle Audit Against A GitHub Org

Bundle Audit (the bundler-audit gem) is a great tool to check whether the Ruby gems pinned in your project's Gemfile.lock have any known vulnerabilities; it compares them against the ruby-advisory-db. Most DevOps teams I know run it against their builds in their CI/CD pipeline when deploying. The gap is that a check which only runs on deploy never runs on code that is rarely deployed, so a project that is not updated often can quietly accumulate vulnerable gems unless you have a way to continually monitor all of your projects.

I spent some time looking at a few solutions this week and I thought I might be able to do this with a crappy shell script™ and the GitHub API. So, this morning while watching cartoons (the new Carmen Sandiego series is excellent) I wrote this:

https://gist.github.com/jgamblin/e91d25acec689e2cad1ff4b8b4a6e13c

After you grab a GitHub personal access token (it only needs enough scope to read the repositories you want scanned) and update the script, running it is as simple as:

./bundleauditgithub.sh OrgToTest
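The gist holds the author's version; what follows is an added example of how such a script can be put together, not the gist's code and not the author's. It assumes curl, git, awk and the bundler-audit gem are installed, that GITHUB_TOKEN is exported, and it finds repositories with the repository search API (q=org:NAME+language:Ruby) rather than by listing every repo. The organisation name example-org, the file name bundleauditorg.sh and the sample report embedded at the bottom are all constructed for the example.

```shell
#!/bin/sh
# Added example, not the post's gist: audit every Ruby repository in a GitHub org
# with bundler-audit. Assumes curl, git, awk and the bundler-audit gem are installed
# and GITHUB_TOKEN holds a personal access token that can read the org's repos.
set -eu

API="https://api.github.com"

# GitHub pretty-prints JSON one field per line, so grep/sed can pull clone_url
# values out of a page of search results without jq.
clone_urls_from_json() {
  grep -o '"clone_url": *"[^"]*"' | sed 's/.*: *"//; s/"$//'
}

# Reduce a bundle-audit report to one line per finding:
#   <gem> <version> <advisory id> <criticality>
# Insecure Gemfile sources (git:// or http://) are reported with gem name "source".
summarize_audit() {
  awk '
    /^Name: /                      { name = $2 }
    /^Version: /                   { version = $2 }
    /^(Advisory|CVE|OSVDB): /      { adv = $2 }   # label differs across versions
    /^Criticality: /               { crit = $2 }
    /^Insecure Source URI found: / { print "source", "-", $5, "-" }
    /^$/ { if (name != "") print name, version, adv, crit
           name = ""; version = ""; adv = ""; crit = "" }
    END  { if (name != "") print name, version, adv, crit }'
}

# Clone URLs of every Ruby repo in the org from the repository search API
# (100 per page, capped at 1000 results by GitHub, hence at most 10 pages).
list_ruby_repos() {
  org=$1; page=1
  while [ "$page" -le 10 ]; do
    body=$(curl -fsS -H "Authorization: token $GITHUB_TOKEN" \
        -H "Accept: application/vnd.github.v3+json" \
        "$API/search/repositories?q=org:$org+language:Ruby&per_page=100&page=$page") \
      || { echo "GitHub API request failed on page $page" >&2; return 1; }
    urls=$(printf '%s\n' "$body" | clone_urls_from_json)
    [ -n "$urls" ] || break
    printf '%s\n' "$urls"
    page=$((page + 1))
  done
}

# Shallow-clone one repo, skip it without a top-level Gemfile.lock, and print one
# line per finding or "clean". bundle-audit exits 1 when it finds anything, so the
# report is captured regardless and classified by its trailer line.
audit_repo() {
  url=$1; name=$(basename "$url" .git); dir="$WORK/$name"
  git clone -q --depth 1 "$url" "$dir" 2>/dev/null \
    || { echo "$name: clone failed" >&2; return 0; }
  [ -f "$dir/Gemfile.lock" ] || { echo "$name: no Gemfile.lock, skipped"; return 0; }
  report=$(cd "$dir" && bundle-audit check 2>&1) || true
  case $report in
    *"No vulnerabilities found"*) echo "$name: clean" ;;
    *"Vulnerabilities found"*) printf '%s\n' "$report" | summarize_audit | sed "s/^/$name: /" ;;
    *) echo "$name: bundle-audit did not run cleanly: $report" >&2 ;;
  esac
}

main() {
  : "${GITHUB_TOKEN:?export GITHUB_TOKEN=<personal access token>}"
  command -v bundle-audit >/dev/null \
    || { echo "bundle-audit not found; gem install bundler-audit" >&2; exit 1; }
  WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
  bundle-audit update >/dev/null           # refresh ruby-advisory-db once per run
  list_ruby_repos "$1" | while read -r url; do audit_repo "$url"; done
}

# Constructed sample of a bundle-audit report for trying summarize_audit offline.
# The two advisories are real published ones; the git:// source is made up.
SAMPLE_REPORT='Insecure Source URI found: git://github.com/example-org/private-gem.git
Name: rack
Version: 1.6.0
Advisory: CVE-2018-16471
Criticality: Medium
URL: https://example.invalid/advisory/CVE-2018-16471
Title: Possible XSS vulnerability in Rack
Solution: upgrade to >= 2.0.6, ~> 1.6.11

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2018-14404
Criticality: Unknown
URL: https://example.invalid/advisory/CVE-2018-14404
Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Solution: upgrade to >= 1.8.5

Vulnerabilities found!'

# Only talk to GitHub when an org name is given:  ./bundleauditorg.sh example-org
if [ "$#" -ge 1 ]; then
  main "$@"
fi
```

Two caveats worth knowing before trusting the output. The language:Ruby search qualifier only matches repositories whose primary detected language is Ruby, so a Rails app buried in a mostly-JavaScript repo, or a Gemfile.lock in a subdirectory of a monorepo, is never scanned; if that matters, list the org's repositories instead and search each clone for Gemfile.lock files. And a repository that fails to clone is reported and skipped rather than aborting the run, so read stderr as well as the findings.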

Since I was watching Netflix while writing this tool, I decided to use them as the test organisation, because they run a great bounty program on Bugcrowd.

Their Ruby repos were all up to date apart from Workflowable, which they have archived, but it makes a good example. Here are the complete findings for that repo.

Overall this turned out to be a fairly simple project that I will get a lot of use out of.
If you have any questions, let me know on Twitter at @jgamblin.
