Code Quality Rank: L5
Monthly Downloads: 1,791,131
Programming language: Ruby
License: GNU General Public License v3.0 or later
Tags: Security     Projects    
Latest version: v0.9.1

bundler-audit alternatives and similar gems

Based on the "Security" category.
Alternatively, view bundler-audit alternatives based on common mentions on social networks and blogs.

Do you think we are missing an alternative of bundler-audit or a related project?

Add another 'Security' Gem



CI Code Climate Gem Version


Patch-level verification for bundler.


  • Checks for vulnerable versions of gems in Gemfile.lock.
  • Checks for insecure gem sources (http:// and git://).
  • Allows ignoring certain advisories that have been manually worked around.
  • Prints advisory information.
  • Does not require a network connection.


Audit a project's Gemfile.lock:

$ bundle-audit
Name: actionpack
Version: 3.2.10
Advisory: OSVDB-91452
Criticality: Medium
URL: http://www.osvdb.org/show/osvdb/91452
Title: XSS vulnerability in sanitize_css in Action Pack
Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13

Name: actionpack
Version: 3.2.10
Advisory: OSVDB-91454
Criticality: Medium
URL: http://osvdb.org/show/osvdb/91454
Title: XSS Vulnerability in the `sanitize` helper of Ruby on Rails
Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13

Name: actionpack
Version: 3.2.10
Advisory: OSVDB-89026
Criticality: High
URL: http://osvdb.org/show/osvdb/89026
Title: Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing Remote Code Execution
Solution: upgrade to ~> 2.3.15, ~> 3.0.19, ~> 3.1.10, >= 3.2.11

Name: activerecord
Version: 3.2.10
Advisory: OSVDB-91453
Criticality: High
URL: http://osvdb.org/show/osvdb/91453
Title: Symbol DoS vulnerability in Active Record
Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13

Name: activerecord
Version: 3.2.10
Advisory: OSVDB-90072
Criticality: Medium
URL: http://direct.osvdb.org/show/osvdb/90072
Title: Ruby on Rails Active Record attr_protected Method Bypass
Solution: upgrade to ~> 2.3.17, ~> 3.1.11, >= 3.2.12

Name: activerecord
Version: 3.2.10
Advisory: OSVDB-89025
Criticality: High
URL: http://osvdb.org/show/osvdb/89025
Title: Ruby on Rails Active Record JSON Parameter Parsing Query Bypass
Solution: upgrade to ~> 2.3.16, ~> 3.0.19, ~> 3.1.10, >= 3.2.11

Name: activesupport
Version: 3.2.10
Advisory: OSVDB-91451
Criticality: High
URL: http://www.osvdb.org/show/osvdb/91451
Title: XML Parsing Vulnerability affecting JRuby users
Solution: upgrade to ~> 3.1.12, >= 3.2.13

Unpatched versions found!

Update the ruby-advisory-db that bundle audit uses:

$ bundle-audit update
Updating ruby-advisory-db ...
remote: Counting objects: 44, done.
remote: Compressing objects: 100% (24/24), done.
remote: Total 39 (delta 19), reused 29 (delta 10)
Unpacking objects: 100% (39/39), done.
From https://github.com/rubysec/ruby-advisory-db
 * branch            master     -> FETCH_HEAD
Updating 5f8225e..328ca86
 CONTRIBUTORS.md                    |  1 +
 gems/actionmailer/OSVDB-98629.yml  | 17 +++++++++++++++++
 gems/cocaine/OSVDB-98835.yml       | 15 +++++++++++++++
 gems/fog-dragonfly/OSVDB-96798.yml | 13 +++++++++++++
 gems/sounder/OSVDB-96278.yml       | 13 +++++++++++++
 gems/wicked/OSVDB-98270.yml        | 14 ++++++++++++++
 6 files changed, 73 insertions(+)
 create mode 100644 gems/actionmailer/OSVDB-98629.yml
 create mode 100644 gems/cocaine/OSVDB-98835.yml
 create mode 100644 gems/fog-dragonfly/OSVDB-96798.yml
 create mode 100644 gems/sounder/OSVDB-96278.yml
 create mode 100644 gems/wicked/OSVDB-98270.yml
ruby-advisory-db: 64 advisories

Update the ruby-advisory-db and check Gemfile.lock (useful for CI runs):

$ bundle-audit check --update

Checking the Gemfile.lock without updating the ruby-advisory-db:

$ bundle-audit check --no-update

Ignore specific advisories:

$ bundle-audit check --ignore OSVDB-108664

Checking a custom Gemfile.lock file:

$ bundle-audit check --gemfile-lock Gemfile.custom.lock

Output the audit's results in JSON:

$ bundle-audit check --format json

Output the audit's results in JSON, to a file:

$ bundle-audit check --format json --output bundle-audit.json

Rake Tasks

Bundler-audit provides rake tasks for checking the code and for updating its vulnerability database.

Simply add the following code to the Rakefile:

require 'bundler/audit/task'

The following rake tasks will then become available:

$ rake -T
rake bundle:audit
rake bundle:audit:update

Configuration File

bundler-audit also supports a per-project configuration file:


  - ...
  • ignore: [Array<String>] - A list of advisory IDs to ignore.

You can provide a path to a config file using the --config flag:

$ bundle-audit check --config bundler-audit.custom.yaml



$ [sudo] gem install bundler-audit


  • Debian / Ubuntu:
$ sudo apt install git
  • RedHat / Fedora:
$ sudo dnf install git
  • Alpine Linux:
$ apk add git
  • macOS:
$ brew install git


  1. https://github.com/rubysec/bundler-audit/fork
  2. git clone YOUR_FORK_URI
  3. cd bundler-audit/
  4. bundle install
  5. bundle exec rake spec
  6. git checkout -b YOUR_FEATURE
  7. Make your changes
  8. bundle exec rake spec
  9. git commit -a
  10. git push origin YOUR_FEATURE


Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)

bundler-audit is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

bundler-audit is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with bundler-audit. If not, see https://www.gnu.org/licenses/.

*Note that all licence references and agreements mentioned in the bundler-audit README section above are relevant to that project's source code only.