Bundle Audit is a great tool to check whether the Ruby gems used in your project have any known vulnerabilities. Most DevOps teams I know run this tool against their builds in their CI/CD process when deploying. Because the check only runs on deploy, code that is not updated often can sit on vulnerable gems for a long time unless you have a way to continually monitor your projects.
I spent some time looking at a few solutions this week and I thought I might be able to do this with a crappy shell script™ and the GitHub API. So, this morning while watching cartoons (the new Carmen Sandiego series is excellent), I wrote this:
After you grab a GitHub token and update the script, running it is as simple as:
./bundleauditgithub.sh OrgToTest
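The author's bundleauditgithub.sh is not reproduced here. What follows is an added example of the same approach, written for this post and not the author's script: it walks the GitHub REST API's paginated organisation repository list, shallow-clones each repository, and runs bundle-audit wherever a Gemfile.lock is present. It assumes curl, git and the bundler-audit gem are installed and that the token is supplied in an environment variable; the variable name GITHUB_TOKEN, the function names and the temporary work directory are this example's own choices.

```shell
#!/bin/sh
# Added example (not the author's script): audit every repository of a GitHub
# organisation with bundle-audit. Assumes curl, git and the bundler-audit gem
# are on PATH and GITHUB_TOKEN (assumed name) holds a token that can read the org.
set -u

API="https://api.github.com"

# Pull every "clone_url" value out of a GitHub repository-list JSON response.
# Plain grep/sed so that jq is not required; prints one URL per line.
extract_clone_urls() {
  grep -o '"clone_url": *"[^"]*"' | sed 's/^"clone_url": *"//; s/"$//'
}

# Repository name = last path component of the clone URL without the .git suffix.
repo_name_from_url() {
  basename "$1" .git
}

# Walk /orgs/<org>/repos page by page until a page returns no repositories.
list_org_repos() {
  org=$1
  page=1
  while :; do
    urls=$(curl -sS -H "Authorization: token $GITHUB_TOKEN" \
      "$API/orgs/$org/repos?per_page=100&page=$page" | extract_clone_urls)
    [ -n "$urls" ] || break
    printf '%s\n' "$urls"
    page=$((page + 1))
  done
}

# Shallow-clone one repository and audit its lockfile. Returns bundle-audit's
# exit status, which is non-zero when vulnerable gems are found; repositories
# without a Gemfile.lock are skipped because there is nothing to audit.
audit_repo() {
  url=$1
  workdir=$2
  name=$(repo_name_from_url "$url")
  dest="$workdir/$name"
  git clone -q --depth 1 "$url" "$dest" || return 2
  if [ ! -f "$dest/Gemfile.lock" ]; then
    echo "== $name: no Gemfile.lock, skipping"
    return 0
  fi
  echo "== $name"
  (cd "$dest" && bundle-audit check)
}

main() {
  org=$1
  : "${GITHUB_TOKEN:?set GITHUB_TOKEN to a GitHub API token}"
  workdir=$(mktemp -d)
  flagged=0
  bundle-audit update >/dev/null          # refresh ruby-advisory-db once per run
  list_org_repos "$org" > "$workdir/repos.txt"
  while read -r url; do
    if ! audit_repo "$url" "$workdir"; then
      echo "!! $(repo_name_from_url "$url") needs attention"
      flagged=$((flagged + 1))
    fi
  done < "$workdir/repos.txt"
  rm -rf "$workdir"
  echo "$flagged repositories with findings or clone errors"
  [ "$flagged" -eq 0 ]
}

# Only start a scan when an organisation name is given, e.g. ./script.sh OrgToTest
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

The script exits non-zero when any repository has findings, so it can be dropped into a nightly job that alerts on failure; that is what closes the gap for projects that are rarely deployed and therefore rarely pass through the CI/CD check.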
Since I was watching Netflix while writing this tool I decided to use them since they run a great bounty program on
Their Ruby repos were all up to date apart from Workflowable, which they have archived, but it makes a good example. Here are the complete findings for that repo.
Overall, this turned out to be a fairly simple project that I will get a lot of use out of.
If you have any questions, let me know on Twitter at @jgamblin.