Check for Vulnerabilities
Add it to your app using the instructions at the link above. Once installed, you can run this command to check for vulnerabilities:
bundle exec bundle-audit
Run Checks on Every Pull Request
It's also pretty easy to run bundler-audit as a check on every PR submitted to your repo. GitHub Actions is a quick way to accomplish this.
To create the GitHub Action, create a ".github" directory in the root of your repo. Under this new directory, create a "workflows" directory to house the .yml files that describe the action.
In this new directory create a file (I called it bundle-audit.yml) and place the following contents into it:
name: Bundle Audit
on:
  pull_request:
    types:
      - opened
      - edited
      - synchronize
jobs:
  main:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up Ruby 3.2
        uses: ruby/setup-ruby@v1
        with:
          ruby-version: 3.2.1
      - name: Cache gems
        uses: actions/cache@v1
        with:
          path: vendor/bundle
          key: ${{ runner.os }}-rubocop-${{ hashFiles('**/Gemfile.lock') }}
          restore-keys: |
            ${{ runner.os }}-rubocop-
      - name: Install gems
        run: |
          bundle config path vendor/bundle
          bundle config set without 'default doc job cable storage ujs test db'
          bundle install --jobs 4 --retry 3
      - name: Run Bundle Audit
        run: bundle exec bundle-audit
Set the Ruby version you are using in the "ruby-version" field of the "Set up Ruby" step (the "jobs -> main -> steps -> with" section above).
Once a PR is opened, you should see a line for bundle-audit show up in the GitHub checks that run before merging.
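To make the audit step less of a black box, here is an added Ruby example that is not code from the original post or from bundler-audit itself. It reads the specs section of a Gemfile.lock and flags every gem whose locked version satisfies none of an advisory's patched-version requirements, which is the core comparison bundle-audit performs against the ruby-advisory-db. The advisory entries (with PLACEHOLDER identifiers), the Gemfile.lock text and the function names are all constructed for this illustration.

```ruby
# Added example (not from the original post or from bundler-audit):
# a minimal lockfile audit, so the CI step above is not a black box.
# The advisory list and the Gemfile.lock text are constructed sample
# data, not real advisories or a real application.
require "rubygems"

# Constructed advisories: gem name, placeholder identifier, and the
# version requirements considered fixed. ruby-advisory-db entries use
# the same "patched_versions" idea.
SAMPLE_ADVISORIES = [
  { gem: "example-web", id: "PLACEHOLDER-ADVISORY-1",
    patched_versions: [">= 2.4.3", "~> 2.3.9"] },
  { gem: "example-parser", id: "PLACEHOLDER-ADVISORY-2",
    patched_versions: [">= 1.2.0"] },
].freeze

# Constructed Gemfile.lock excerpt, indented the way Bundler writes it.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      example-parser (1.1.4)
      example-web (2.3.7)
        example-parser (>= 1.0)
      unrelated-gem (0.9.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    example-web
LOCK

# Extract "name (version)" pairs from the specs: section of a lockfile.
# Only lines indented by exactly four spaces are resolved specs; deeper
# indentation is a dependency constraint, not an installed version.
def parse_lockfile(text)
  specs = {}
  in_specs = false
  text.each_line do |line|
    if line.strip == "specs:"
      in_specs = true
      next
    end
    in_specs = false if in_specs && line.strip.empty?
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      specs[m[1]] = Gem::Version.new(m[2])
    end
  end
  specs
end

# A locked version is vulnerable when it satisfies none of the
# advisory's patched-version requirements.
def vulnerable?(version, patched_versions)
  patched_versions.none? { |req| Gem::Requirement.new(req).satisfied_by?(version) }
end

# One finding per (gem, advisory) pair that applies to the lockfile.
def audit(lockfile_text, advisories = SAMPLE_ADVISORIES)
  specs = parse_lockfile(lockfile_text)
  advisories
    .select { |adv| specs.key?(adv[:gem]) && vulnerable?(specs[adv[:gem]], adv[:patched_versions]) }
    .map { |adv| { gem: adv[:gem], version: specs[adv[:gem]].to_s, id: adv[:id] } }
end

# CI-style entry point: returns a non-zero status when anything is
# found, which is what makes a workflow step fail and the PR check go red.
def run_audit(lockfile_text)
  findings = audit(lockfile_text)
  findings.each { |f| puts "#{f[:gem]} #{f[:version]}: #{f[:id]}" }
  findings.empty? ? 0 : 1
end

if $PROGRAM_NAME == __FILE__
  status = run_audit(SAMPLE_LOCKFILE)
  puts(status.zero? ? "No known vulnerabilities found" : "Vulnerabilities found!")
end
```

Run it with `ruby audit_example.rb`; on the constructed lockfile both example gems are reported and the status is 1, which is the same exit-code contract that lets `bundle exec bundle-audit` fail the GitHub check. The real tool compares against the ruby-advisory-db rather than an inline list, and it can refresh that database with the `--update` flag before checking, which matters on a fresh CI runner.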