Add a default bin/bundle-audit configuration (rails#54695)

dhh · David Heinemeier Hansson · web-flow · commit bdaab704416e · 2025-03-06T10:43:45.000+01:00
* Add a default bin/bundle-audit configuration

Finding known security issues in the application's Gemfile should be
part of every CI flow.

* Include bundle-audit in Gemfile

* Config part of default generation

* Fix ext

* Include in api apps too

* Include in the generator

* Generate if missing

* Use rake style format

* Style

* Improve description

* Add CHANGELOG

* Use the right gem

* Match gem name

* Remember the binstubs!

* Include bundler-audit scan as part of the default GitHub CI

---------

Co-authored-by: David Heinemeier Hansson &lt;david@37signals.com&gt;
diff --git a/Gemfile b/Gemfile
@@ -147,6 +147,7 @@ group :test do
 
   # Needed for Railties tests because it is included in generated apps.
   gem "brakeman"
+  gem "bundler-audit"
 end
 
 platforms :ruby, :windows do
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -162,6 +162,9 @@ GEM
     brakeman (7.0.0)
       racc
     builder (3.3.0)
+    bundler-audit (0.9.2)
+      bundler (>= 1.2.0, < 3)
+      thor (~> 1.0)
     bunny (2.23.0)
       amq-protocol (~> 2.3, >= 2.3.1)
       sorted_set (~> 1, >= 1.0.2)
@@ -678,6 +681,7 @@ DEPENDENCIES
   bcrypt (~> 3.1.11)
   bootsnap (>= 1.4.4)
   brakeman
+  bundler-audit
   capybara (>= 3.39)
   connection_pool
   cssbundling-rails
diff --git a/railties/CHANGELOG.md b/railties/CHANGELOG.md
@@ -1,3 +1,7 @@
+*   Add bin/bundler-audit and config/bundler-audit.yml for discovering and managing known security problems with app gems.
+
+    *DHH*
+
 *   Rails no longer generates a `bin/bundle` binstub when creating new applications.
 
     The `bin/bundle` binstub used to help activate the right version of bundler.
diff --git a/railties/lib/rails/generators/rails/app/app_generator.rb b/railties/lib/rails/generators/rails/app/app_generator.rb
@@ -127,6 +127,7 @@ def config
         template "routes.rb" unless options[:update]
         template "application.rb"
         template "environment.rb"
+        template "bundler-audit.yml"
         template "cable.yml" unless options[:update] || options[:skip_action_cable]
         template "puma.rb"
         template "storage.yml" unless options[:update] || skip_active_storage?
@@ -140,6 +141,7 @@ def config
     def config_when_updating
       action_cable_config_exist       = File.exist?("config/cable.yml")
       active_storage_config_exist     = File.exist?("config/storage.yml")
+      bundle_audit_config_exist       = File.exist?("config/bundler-audit.yml")
       rack_cors_config_exist          = File.exist?("config/initializers/cors.rb")
       assets_config_exist             = File.exist?("config/initializers/assets.rb")
       asset_app_stylesheet_exist      = File.exist?("app/assets/stylesheets/application.css")
@@ -169,6 +171,10 @@ def config_when_updating
         remove_file "config/initializers/cors.rb"
       end
 
+      if !bundle_audit_config_exist
+        template "config/bundler-audit.yml"
+      end
+
       if options[:api]
         unless csp_config_exist
           remove_file "config/initializers/content_security_policy.rb"
diff --git a/railties/lib/rails/generators/rails/app/templates/Gemfile.tt b/railties/lib/rails/generators/rails/app/templates/Gemfile.tt
@@ -54,6 +54,9 @@ gem "thruster", require: false
 group :development, :test do
   # See https://guides.rubyonrails.org/debugging_rails_applications.html#debugging-with-the-debug-gem
   gem "debug", platforms: %i[ mri windows ], require: "debug/prelude"
+
+  # Audits gems for known security defects (use config/bundler-audit.yml to ignore issues)
+  gem "bundler-audit", require: false
 <%- unless options.skip_brakeman? -%>
 
   # Static analysis for security vulnerabilities [https://brakemanscanner.org/]
diff --git a/railties/lib/rails/generators/rails/app/templates/bin/bundler-audit.tt b/railties/lib/rails/generators/rails/app/templates/bin/bundler-audit.tt
@@ -0,0 +1,5 @@
+require_relative "../config/boot"
+require "bundler/audit/cli"
+
+ARGV.concat %w[ --config config/bundler-audit.yaml ] if ARGV.empty? || ARGV.include?("check")
+Bundler::Audit::CLI.start
diff --git a/railties/lib/rails/generators/rails/app/templates/config/bundler-audit.yml.tt b/railties/lib/rails/generators/rails/app/templates/config/bundler-audit.yml.tt
@@ -0,0 +1,5 @@
+# Audit all gems listed in the Gemfile for known security problems by running bin/bundler-audit.
+# CVEs that are not relevant to the application can be enumerated on the ignore list below.
+#
+# ignore:
+#   - CVE-2018-25032
diff --git a/railties/lib/rails/generators/rails/app/templates/github/ci.yml.tt b/railties/lib/rails/generators/rails/app/templates/github/ci.yml.tt
@@ -23,6 +23,9 @@ jobs:
       - name: Scan for common Rails security vulnerabilities using static analysis
         run: bin/brakeman --no-pager
 
+      - name: Scan for known security vulnerabilities in gems used
+        run: bin/bundler-audit
+
 <% end -%>
 <%- if options[:javascript] == "importmap" && !options[:api] && !options[:skip_javascript] -%>
   scan_js:
diff --git a/railties/test/generators/api_app_generator_test.rb b/railties/test/generators/api_app_generator_test.rb
@@ -163,6 +163,7 @@ def default_files
         bin/setup
         config/application.rb
         config/boot.rb
+        config/bundler-audit.yml
         config/cable.yml
         config/environment.rb
         config/environments
diff --git a/railties/test/generators/app_generator_test.rb b/railties/test/generators/app_generator_test.rb
@@ -32,6 +32,7 @@
   app/views/pwa/manifest.json.erb
   app/views/pwa/service-worker.js
   bin/brakeman
+  bin/bundler-audit
   bin/dev
   bin/docker-entrypoint
   bin/rails
@@ -42,6 +43,7 @@
   config.ru
   config/application.rb
   config/boot.rb
+  config/bundler-audit.yml
   config/cable.yml
   config/credentials.yml.enc
   config/database.yml
diff --git a/railties/test/generators/plugin_generator_test.rb b/railties/test/generators/plugin_generator_test.rb
@@ -39,13 +39,15 @@
   test/dummy/app/views/layouts/mailer.text.erb
   test/dummy/app/views/pwa/manifest.json.erb
   test/dummy/app/views/pwa/service-worker.js
+  test/dummy/bin/bundler-audit
   test/dummy/bin/dev
   test/dummy/bin/rails
   test/dummy/bin/rake
   test/dummy/bin/setup
   test/dummy/config.ru
   test/dummy/config/application.rb
   test/dummy/config/boot.rb
+  test/dummy/config/bundler-audit.yml
   test/dummy/config/cable.yml
   test/dummy/config/database.yml
   test/dummy/config/environment.rb
