rubysec / bundler-audit

Patch-level verification for Bundler
GNU General Public License v3.0

Run audit automatically on `bundle` or `bundle install` command #386

Open Urist-McUristurister opened 1 year ago

Urist-McUristurister commented 1 year ago

Right now, to audit the gems, you have to run a command manually or via git hooks.

It really would be a nice touch to have an option to install bundler-audit as a bundler plugin (or maybe release it as a separate gem?), which would execute `bundle-audit check -u -q` on every `bundle` or `bundle install` command (maybe check if `Gemfile.lock` has actually changed, too?..), then either print a message and `exit(1)` on failure, or silently move on if everything is good.

Human memory is very unreliable; not everyone can remember to manually run the audit every time the Gemfile changes. This feature could really help improve security.

postmodern commented 1 year ago

Appears that we just need to add a top-level `plugins.rb` file and add an after-install hook? https://bundler.io/guides/bundler_plugins.html#using-bundler-hooks

The plugin would be opt-in, so you'd still need to add `plugin 'bundler-audit'` to your `Gemfile`.
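A sketch of what that opt-in plugin could look like, added here as an example; it is not code from this thread or from bundler-audit itself. It assumes a hypothetical stamp file under `.bundle/` holding the SHA-256 of the last `Gemfile.lock` that audited clean, so the (network-touching) `bundle-audit check -u -q` only reruns when the lockfile changes, and it registers on Bundler's `after-install-all` event, which fires once after all gems are installed (the per-gem `after-install` event would run the audit once per gem). The `BundlerAuditHook` module, `STAMP_NAME` and the `:skipped`/`:clean`/`:vulnerable`/`:error` results are this example's own names.

```ruby
# plugins.rb -- example of an opt-in Bundler plugin that audits Gemfile.lock
# after `bundle install`. Written for this thread; not bundler-audit's own code.
require "bundler"
require "digest"
require "rbconfig"

module BundlerAuditHook
  # The command from the issue: refresh the advisory DB (-u), stay quiet (-q).
  AUDIT_COMMAND = %w[bundle-audit check -u -q].freeze
  # Hypothetical stamp file: SHA-256 of the last Gemfile.lock that audited clean.
  STAMP_NAME = "bundler-audit.sha256"

  module_function

  def lockfile_digest(lockfile)
    Digest::SHA256.file(lockfile).hexdigest
  end

  # True when Gemfile.lock differs from the copy that last audited clean,
  # or when no clean audit has been recorded at all.
  def lockfile_changed?(lockfile, stamp)
    return true unless File.exist?(stamp)
    File.read(stamp).strip != lockfile_digest(lockfile)
  end

  def record_clean_audit(lockfile, stamp)
    File.write(stamp, lockfile_digest(lockfile) + "\n")
  end

  # Runs the audit in the lockfile's directory. Returns :skipped (lockfile
  # unchanged since the last clean audit), :clean, :vulnerable (non-zero exit,
  # which is how bundle-audit reports findings) or :error (command could not
  # be executed, e.g. bundler-audit is not installed). The stamp is written
  # only after a clean run, so a failed audit is retried on the next install
  # rather than being silently forgotten.
  def audit(lockfile:, stamp:, command: AUDIT_COMMAND, force: false)
    return :skipped unless force || lockfile_changed?(lockfile, stamp)

    case system(*command, chdir: File.dirname(lockfile))
    when true
      record_clean_audit(lockfile, stamp)
      :clean
    when false
      :vulnerable
    else
      :error
    end
  end
end

# Hook registration: only meaningful when Bundler loads this file as a plugin.
if defined?(Bundler::Plugin)
  Bundler::Plugin.add_hook("after-install-all") do |_dependencies|
    lockfile = Bundler.default_lockfile.to_s
    stamp = File.join(Bundler.app_config_path.to_s, BundlerAuditHook::STAMP_NAME)
    result = BundlerAuditHook.audit(lockfile: lockfile, stamp: stamp)
    if result == :vulnerable || result == :error
      Bundler.ui.error "bundler-audit: audit failed (#{result}); aborting install"
      exit 1
    end
  end
end
```

Treating `:error` (binary missing) as fatal is deliberate: a plugin that is installed precisely so nobody has to remember the audit should not quietly pass when the auditor is absent. Dropping the `-u` flag avoids a network fetch on every lockfile change at the cost of auditing against a possibly stale advisory database.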