Question 1

How to ignore a specific advisory in bundler-audit?

Accepted Answer

Use the `--ignore` flag followed by the advisory ID (e.g., `bundle-audit check --ignore OSVDB-108664`) or create a `.bundler-audit.yml` file with an ignore list. This is useful for manually addressed vulnerabilities that don't require immediate action.

Question 2

bundler-audit vs. Brakeman for Ruby security?

Accepted Answer

bundler-audit scans Gemfile.lock for gem dependency vulnerabilities, while Brakeman analyzes Ruby application code for security issues like SQL injection. They are complementary tools; bundler-audit is best for dependency audits, and Brakeman for code-level security.

Question 3

Can bundler-audit work offline?

Accepted Answer

Yes, after running `bundle-audit update` to fetch the latest advisory database, it can scan vulnerabilities without an internet connection. This makes it suitable for secure or air-gapped environments where network access is restricted.

Question 4

How to integrate bundler-audit into a CI/CD pipeline?

Accepted Answer

Add a step in your CI configuration to run `bundle-audit check --update` and use the `--format json` flag for machine-readable output. It also supports Rake tasks for easier integration into Ruby-based workflows, as shown in the README.

Question 5

Does bundler-audit check for insecure gem sources?

Accepted Answer

Yes, it identifies insecure sources like HTTP and git protocols in the Gemfile.lock, helping enforce the use of secure HTTPS sources. This feature is listed in the synopsis and helps prevent man-in-the-middle attacks.

Question 6

What happens if the ruby-advisory-db is outdated?

Accepted Answer

If not updated regularly, bundler-audit may miss newly discovered vulnerabilities, reducing its effectiveness. The tool requires manual or automated updates via `bundle-audit update` to maintain accurate scanning results.

bundle-audit

What is bundle-audit?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions