Rails Audit

Runs multiple audit and review tools to ensure quality and security of Rails projects

Usage

gem install rails-audit
rails-audit

Minor versions of the audit tools are fixed for a specific version of this gem. Apart from bug fixes in those tools, the code audit results should thus not vary if a specific version of this gem is included in a project's bundle.

Configuration

Additional parameters can be passed to any audit's binary by using a config/audit.yml file. A configuration for cane could look like the following:

Cane:
  Parameters: '--style-measure 120 --no-doc'

This can also be used to extend the command and e.g. redirect the output. (WARNING: Thi hase obvious security implications!) Suppressing the license_finder spinner, which is a good idea in CI, would work like this:

LicenseFinder:
  Paramters: '>/dev/null'

The audits' names are camel cased in the configuration file. They may be disabled like this:

BundleAudit:
  Enabled: false

Rails support may be disabled. Only pure Ruby audits are then executed:

Rails: false

To improve output to the expense of time concurreny can be disabled:

Concurrency: false

Audits

Brakeman

Brakeman is a security scanner for Rails.

bundler-audit

bundler-audit checks Gemfile.lock for any insecure gem versions.

Cane

Cane is a code quality checker. Configuration is done by parameters.

Consistency Fail

Consistency Fail detects missing unique indexes in Rails projects.

License Finder

License Finder checks Gemfiles for any dependencies with unapproved licenses. Approval and whitelisting is done through the license_finder binary.

rails_best_practices

rails_best_practices checks code for violations of the Rails Best Practices list. Configuration is done in the rails_best_practices.yml file, which can be generated using rails_best_practices -g.

Rubocop

Rubocop checks code for violations of the Ruby Style Guide. Configuration is done in the .rubocop.yml file. Rails cops are included automatically depending on whether or not Rails audits are enabled.