RubyAudit checks your current version of Ruby and RubyGems against known security vulnerabilities (CVEs), alerting you if you are using an insecure version. It complements bundler-audit, providing complete coverage for your Ruby stack. If you use Bundler, you should use both RubyAudit and bundler-audit.
RubyAudit is based on and leverages bundler-audit, and would not exist without the hard work of the rubysec team, specifically bundler-audit and ruby-advisory-db.
"If I have seen further it is by standing on the shoulders of Giants." -- Isaac Newton
Add this line to your application's Gemfile:
gem 'ruby_audit'
And then execute:
$ bundle
Or install it yourself as:
$ gem install ruby_audit
To check your current version of Ruby and RubyGems:
$ ruby-audit check
You can ignore specific advisories by specifying -i <advisory>:
$ ruby-audit check -i CVE-2015-7551
By default, RubyAudit will check for updates to the ruby-advisory-db when it runs.
If you are using RubyAudit offline, you can bypass this check by specifying -n:
$ ruby-audit check -n
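To make the check itself concrete, here is an added illustration (not RubyAudit's own code) of how a version is matched against advisory records. It assumes records shaped like ruby-advisory-db entries, with patched_versions and unaffected_versions given as RubyGems requirement strings; the CVE ids and version ranges below are constructed for the example, and the ignore: option mirrors the -i flag above.

```ruby
require 'rubygems'

# Constructed advisory records in the shape of ruby-advisory-db entries.
# The ids and version ranges are made up for illustration only.
ADVISORIES = [
  { 'cve' => 'CVE-0000-0001', 'title' => 'Example Ruby issue',
    'patched_versions' => ['~> 2.2.4', '>= 2.3.0'] },
  { 'cve' => 'CVE-0000-0002', 'title' => 'Example RubyGems issue',
    'unaffected_versions' => ['< 2.0.0'],
    'patched_versions' => ['>= 2.6.14'] },
].freeze

# True when the version satisfies any of the requirement strings
# (e.g. "~> 2.2.4" means >= 2.2.4 and < 2.3).
def satisfies_any?(version, requirements)
  Array(requirements).any? do |req|
    Gem::Requirement.new(req).satisfied_by?(version)
  end
end

# An advisory applies unless the version is listed as unaffected or patched.
def vulnerable?(version_string, advisory)
  version = Gem::Version.new(version_string)
  return false if satisfies_any?(version, advisory['unaffected_versions'])
  return false if satisfies_any?(version, advisory['patched_versions'])

  true
end

# Return the advisories affecting a version, skipping ignored CVE ids
# (the same idea as `ruby-audit check -i <advisory>`).
def audit(version_string, advisories, ignore: [])
  advisories.reject { |a| ignore.include?(a['cve']) }
            .select { |a| vulnerable?(version_string, a) }
end

if __FILE__ == $PROGRAM_NAME
  findings = audit(RUBY_VERSION, ADVISORIES)
  findings.each { |a| puts "#{a['cve']}: #{a['title']}" }
  puts 'No known vulnerabilities in the constructed records' if findings.empty?
end
```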
After checking out the repo, run bin/setup to install dependencies. Then, run rake spec to run the tests. You can also run bin/console for an interactive prompt that will allow you to experiment.
To install this gem onto your local machine, run bundle exec rake install.
To release a new version, update the version number in version.rb, and then run bundle exec rake release, which will create a git tag for the version, push git commits and tags, and push the .gem file to rubygems.org.
See CONTRIBUTING.
RubyAudit is released under the GNU General Public License version 3.