DEV.co
Open-Source Security · rubysec

bundler-audit

bundler-audit is a Ruby gem that scans your project's dependencies for known security vulnerabilities by checking against the ruby-advisory-db. It identifies insecure gem versions and sources, supports ignoring known-safe advisories, and can be integrated into CI/CD pipelines with JSON output.

Source: GitHub — github.com/rubysec/bundler-audit
2.8k
GitHub stars
247
Forks
Ruby
Primary language
GPL-3.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositoryrubysec/bundler-audit
Ownerrubysec
Primary languageRuby
LicenseGPL-3.0 — OSI-approved
Stars2.8k
Forks247
Open issues45
Latest releasev0.9.3 (2025-11-28)
Last updated2026-07-07
Sourcehttps://github.com/rubysec/bundler-audit

What bundler-audit is

A patch-level vulnerability scanner for Bundler that parses Gemfile.lock, cross-references gems against a local advisory database (ruby-advisory-db), detects vulnerable versions and insecure sources (http://, git://), and outputs results in human-readable or JSON format. Operates offline after database sync and integrates via rake tasks or CLI.

Quickstart

Get the bundler-audit source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/rubysec/bundler-audit.gitcd bundler-audit# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

CI/CD Security Gate

Integrate into pull request and deployment pipelines using `bundle-audit check --update` to fail builds when unpatched vulnerabilities are detected, blocking risky versions from reaching production.

Development Workflow Enforcement

Run locally or via rake tasks during development to catch vulnerable gem versions early, before they enter version control or shared environments.

Compliance & Audit Reporting

Generate JSON reports of vulnerable dependencies for security teams, compliance documentation, and tracking remediation progress across Ruby projects.

Implementation considerations

  • Requires Ruby >= 2.0.0, Bundler >= 1.2.0 (< 3), Thor ~> 1.0, and git for advisory database operations.
  • Configure `.bundler-audit.yml` in project root to maintain allowlists of acknowledged advisories; version control this file for team consistency.
  • Schedule `bundle-audit update` in CI before checks to ensure advisory database freshness; stale data may miss newly disclosed vulnerabilities.
  • Set up JSON output (`--format json --output bundle-audit.json`) for machine-readable reporting and integration with SIEM or vulnerability management tools.
  • Test ignore lists and custom Gemfile.lock paths locally before committing CI configuration to avoid blocking valid builds.

When to avoid it — and what to weigh

  • Non-Ruby Projects — bundler-audit is Ruby/Bundler-specific. Teams using other languages (Python, Node.js, Java) need different tools.
  • GPL-3.0 Incompatibility — GPL-3.0 requires derivative works and distributions to remain open-source. If proprietary software shipping must be kept closed, legal review is necessary.
  • Offline-Only Environments Without Prior Sync — The tool requires git to fetch ruby-advisory-db initially. Air-gapped networks must pre-sync or mirror the advisory database separately.
  • Real-Time Vulnerability Intelligence Needs — bundler-audit relies on manual `bundle-audit update` calls or scheduled CI jobs. It does not provide real-time push notifications or continuous monitoring dashboards.

License & commercial use

Licensed under GPL-3.0. This is a copyleft license requiring source disclosure and derivative-work licensing under GPL-3.0. Use as a library or tool in proprietary projects is permitted, but any modifications or distributions must comply with copyleft obligations.

Commercial use of bundler-audit as-is (unmodified tool in a workflow) is permitted under GPL-3.0. However, if you modify the source or redistribute bundler-audit, you must make modifications available under GPL-3.0 and license downstream work accordingly. Consult legal counsel before embedding or forking for proprietary products. Consider whether a permissive license alternative (Snyk CLI, Dependabot) aligns better with your commercial strategy.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityLow
DEV.co fitGood
Assessment confidenceHigh
Security considerations

bundler-audit detects known vulnerabilities via local database comparison; it does not perform dynamic analysis or runtime exploit detection. Advisory accuracy depends on ruby-advisory-db curation and update frequency. Stale databases miss recent CVEs; establish a cadence for `bundle-audit update`. The tool does not validate gem source signatures or assess zero-days. Use alongside other measures (code review, SAST, runtime monitoring) for defense-in-depth.

Alternatives to consider

Dependabot (GitHub-native)

GitHub-integrated dependency scanning with automated PRs, native GitHub security tab, and no external tool setup. Better for teams already on GitHub; less control over remediation flow.

Snyk CLI

Multi-language support (Ruby, Python, Node.js, Java), real-time vulnerability database, richer remediation guidance, and commercial tiers. Requires authentication; more heavyweight than bundler-audit.

Gemnasium (acquired by GitLab)

GitLab-integrated vulnerability scanning with continuous monitoring. Suited for GitLab-centric workflows; limited flexibility outside GitLab ecosystem.

Software development agency

Build on bundler-audit with DEV.co software developers

Integrate bundler-audit into your development workflow today. Add vulnerability scanning to CI, detect insecure gems before production, and maintain compliance with automated audits.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

bundler-audit FAQ

Does bundler-audit require internet access?
Initial setup and `bundle-audit update` require git and internet to fetch ruby-advisory-db. After that, `bundle-audit check` runs offline against the cached database.
How often should I update the advisory database?
Unknown from documentation. Industry best practice: daily in CI, or tied to dependency update schedules. Check ruby-advisory-db repo for update frequency.
Can I use bundler-audit in a closed-source project?
Yes, as an unmodified tool. Modifications or redistribution require GPL-3.0 compliance. Consult legal if bundling into a distributed product.
What if bundler-audit reports a false positive or known-safe vulnerability?
Add the advisory ID to `.bundler-audit.yml` under `ignore:` with a comment explaining the decision. Version control the config so the team shares the same allowlist.

Work with a software development agency

DEV.co helps companies turn open-source tools like bundler-audit into production software. Our software development services cover the full lifecycle — architecture, web development, integration, and maintenance — delivered by software developers and web developers who ship. Engage our software development agency to implement or customize it for your open-source security stack.

Secure Your Ruby Dependencies

Integrate bundler-audit into your development workflow today. Add vulnerability scanning to CI, detect insecure gems before production, and maintain compliance with automated audits.