

Ruby Security Scanning Gems

TL;DR

Several Ruby gems help find security vulnerabilities in your projects. Popular choices include brakeman (static analysis), bundler-audit (dependency checking), and resemble (finding potential regressions, which can sometimes indicate security issues). This guide explains how to use them.

1. Brakeman: Static Code Analysis

Brakeman scans your Ruby code for common vulnerabilities without actually running it. It’s great for catching problems early in development.

  1. Install Brakeman: Add it to your Gemfile:
    gem 'brakeman'

    Then run bundle install.

  2. Run Brakeman: From your project directory, execute:
    brakeman

    This will output a report of any found vulnerabilities to the console. You can also specify a path:

    brakeman /path/to/your/app

  3. Interpret Results: Brakeman reports issues with severity levels (high, medium, low). Focus on fixing high-severity problems first. The report will tell you the file and line number where the vulnerability exists, along with a description of the issue and how to fix it.
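Brakeman can also write its report as JSON (brakeman -f json -o brakeman.json), which makes the "Interpret Results" step scriptable and gives the CI/CD pipeline suggested under Important Considerations something concrete to call. The script below is an added example, not code from the original post or from the Brakeman project: it reads a constructed report in Brakeman's JSON layout, keeps only the warnings at or above a chosen confidence (Brakeman labels these High, Medium and Weak) and returns the exit status a CI step should use.

```ruby
require 'json'

# Added example, not from the original post or the Brakeman project.
# Reads a Brakeman JSON report (`brakeman -f json -o brakeman.json`), keeps
# warnings at or above a chosen confidence and returns a CI exit status.

# Brakeman's confidence labels, ranked so they can be compared.
CONFIDENCE_RANK = { 'High' => 3, 'Medium' => 2, 'Weak' => 1 }.freeze

# Constructed sample report in Brakeman's JSON layout (not a real scan).
SAMPLE_REPORT = <<~JSON
  {
    "warnings": [
      {"warning_type": "SQL Injection", "confidence": "High",
       "file": "app/models/user.rb", "line": 12,
       "message": "Possible SQL injection", "fingerprint": "aaa111"},
      {"warning_type": "Mass Assignment", "confidence": "Medium",
       "file": "app/controllers/users_controller.rb", "line": 40,
       "message": "Parameters should be whitelisted", "fingerprint": "bbb222"},
      {"warning_type": "Cross-Site Scripting", "confidence": "Weak",
       "file": "app/views/users/show.html.erb", "line": 3,
       "message": "Unescaped model attribute", "fingerprint": "ccc333"}
    ],
    "ignored_warnings": []
  }
JSON

# Keep only warnings whose confidence is at least `min_confidence`.
def filter_warnings(report_json, min_confidence: 'Medium')
  floor = CONFIDENCE_RANK.fetch(min_confidence)
  JSON.parse(report_json).fetch('warnings', []).select do |w|
    CONFIDENCE_RANK.fetch(w['confidence'], 0) >= floor
  end
end

# Count the remaining warnings per type for the CI log.
def summarize(warnings)
  warnings.group_by { |w| w['warning_type'] }.transform_values(&:size)
end

# 0 when nothing at or above the threshold remains, 1 otherwise.
def ci_exit_status(report_json, min_confidence: 'Medium')
  filter_warnings(report_json, min_confidence: min_confidence).empty? ? 0 : 1
end

# Demo on the constructed report; a real CI step would `exit` with the status.
found = filter_warnings(SAMPLE_REPORT)
found.each { |w| puts "#{w['confidence']} #{w['warning_type']} #{w['file']}:#{w['line']}" }
puts "exit status #{ci_exit_status(SAMPLE_REPORT)}, summary #{summarize(found)}"
```

Raising the threshold to High for a first rollout and lowering it as the backlog shrinks keeps the gate from being ignored.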

2. Bundler-Audit: Dependency Vulnerability Checking

bundler-audit checks your Gemfile.lock for known vulnerabilities in your project’s dependencies.

  1. Install Bundler-Audit: Add it to your Gemfile:
    gem 'bundler-audit'

    Then run bundle install.

  2. Run Bundler-Audit: Execute the following command in your project directory:
    bundle audit

    This will scan your dependencies and report any vulnerabilities.

  3. Update Dependencies: If vulnerabilities are found, update the affected gems to their latest versions using bundle update. Then re-run bundle audit to confirm the issue is resolved.

3. Resemble: Regression Detection (Potential Security Indicator)

While not a direct security scanner, resemble helps detect unintended changes in your application’s behaviour. Significant regressions *could* indicate that a security feature has been broken or bypassed.

  1. Install Resemble: Add it to your Gemfile:
    gem 'resemble'

    Then run bundle install.

  2. Run Resemble: Resemble works by comparing the output of tests or specific requests between different versions of your code. For example, you can compare HTTP responses:
    resemble --url https://your-app.com/some_endpoint --diff

  3. Investigate Differences: Carefully review any differences reported by Resemble. Determine if the changes are expected and safe. Unexpected changes should be investigated thoroughly, as they might indicate a security issue.

4. Other Useful Gems

  • RuboCop-Security: A RuboCop plugin that adds security checks to your code style analysis. Requires RuboCop to be installed first.
  • Safety: Another static analysis gem, similar to Brakeman.

5. Important Considerations

  • False Positives: Security scanners can sometimes report false positives (issues that aren’t actually vulnerabilities). Always review the results carefully and use your judgment.
  • Regular Scanning: Integrate security scanning into your development workflow. Run scans frequently, especially after making changes to dependencies or critical code sections. Consider using a CI/CD pipeline to automate this process.
  • Cyber security is an ongoing process: These tools are helpful but don’t replace thorough manual review and testing.