Add security audit CI workflow and contributing docs

NeatNerdPrime · NeatNerdPrime · commit 98f940ee1f5b · 2026-02-21T22:52:22.000+01:00
Introduces a non-blocking GitHub Actions workflow that runs bundler-audit
and ruby-audit on dependency changes, weekly schedule, and manual dispatch.
Documents local and CI usage in CONTRIBUTING.md.
diff --git a/.github/workflows/audit.yaml b/.github/workflows/audit.yaml
@@ -0,0 +1,58 @@
+---
+name: Security Audit
+
+on:
+  pull_request:
+    paths:
+      - 'Gemfile'
+      - 'Gemfile.lock'
+      - '*.gemspec'
+  push:
+    branches:
+      - main
+    paths:
+      - 'Gemfile'
+      - 'Gemfile.lock'
+      - '*.gemspec'
+  schedule:
+    - cron: '0 8 * * MON'
+  workflow_dispatch: {}
+
+permissions:
+  contents: read
+
+jobs:
+  audit:
+    name: Dependency & Ruby Audit
+    runs-on: ubuntu-24.04
+    continue-on-error: true
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+      - name: Setup Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: "3.4"
+          bundler-cache: true
+      - name: Run bundler-audit
+        id: bundler_audit
+        continue-on-error: true
+        run: bundle exec bundler-audit check --update
+      - name: Run ruby-audit
+        id: ruby_audit
+        continue-on-error: true
+        run: bundle exec ruby-audit check
+      - name: Audit summary
+        run: |
+          echo "## Security Audit Results" >> "$GITHUB_STEP_SUMMARY"
+          echo "" >> "$GITHUB_STEP_SUMMARY"
+          if [ "${{ steps.bundler_audit.outcome }}" = "success" ]; then
+            echo "- **bundler-audit**: No vulnerabilities found" >> "$GITHUB_STEP_SUMMARY"
+          else
+            echo "- **bundler-audit**: Vulnerabilities detected — review output above" >> "$GITHUB_STEP_SUMMARY"
+          fi
+          if [ "${{ steps.ruby_audit.outcome }}" = "success" ]; then
+            echo "- **ruby-audit**: No vulnerabilities found" >> "$GITHUB_STEP_SUMMARY"
+          else
+            echo "- **ruby-audit**: Vulnerabilities detected — review output above" >> "$GITHUB_STEP_SUMMARY"
+          fi
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -188,6 +188,37 @@ up` to create a `Windows Server 2016 Core` VM, and run tests with
 
     $ BOLT_WINRM_PORT=35985 BOLT_WINRM_SMB_PORT=3445 BOLT_WINRM_USER=vagrant BOLT_WINRM_PASSWORD=vagrant bundle exec rake ci:windows:agentful
 
+## Security Auditing
+
+OpenBolt includes [bundler-audit](https://github.com/rubysec/bundler-audit) and
+[ruby_audit](https://github.com/civisanalytics/ruby_audit) for scanning gem
+dependencies and the Ruby runtime against known CVEs.
+
+### Running locally
+
+Install the audit gems (included in the `:audit` Gemfile group) and run:
+
+    $ bundle exec bundler-audit check --update
+    $ bundle exec ruby-audit check
+
+`bundler-audit` scans the `Gemfile.lock` against the
+[ruby-advisory-db](https://github.com/rubysec/ruby-advisory-db).
+`ruby-audit` checks the running Ruby and RubyGems versions for known
+vulnerabilities.
+
+### CI workflow
+
+The `.github/workflows/audit.yaml` workflow runs both tools automatically:
+
+- On pull requests and pushes to `main` when `Gemfile`, `Gemfile.lock`, or
+  `*.gemspec` files change.
+- On a weekly schedule (Monday 08:00 UTC) to catch newly disclosed advisories.
+- Via manual dispatch.
+
+The workflow is **non-blocking** — vulnerabilities are reported in the GitHub
+Actions job summary but do not prevent merges. This allows the team to triage
+and address findings without halting development.
+
 ### `rubocop` on Windows
 
 To use `rubocop` on Windows, you must have a ruby install with a configured
