# codeclimate-bundler-audit

`codeclimate-bundler-audit` is a Code Climate engine that wraps [bundler-audit](https://github.com/rubysec/bundler-audit). You can run it on your command line using the Code Climate CLI, or on our hosted analysis platform.

bundler-audit offers patch-level verification for Bundler.
- If you haven't already, install the Code Climate CLI.
- Run `codeclimate engines:enable bundler-audit`. This command both installs the engine and enables it in your `.codeclimate.yml` file.
- You're ready to analyze! Browse into your project's folder and run `codeclimate analyze`.
By default, bundler-audit will look for a `Gemfile.lock` file in the root of your project. Optionally configure Code Climate to look at a different path:

```yaml
plugins:
  bundler-audit:
    enabled: true
    config:
      path: optional/path/to/Gemfile.lock
```
In the same way you can ignore certain advisories that have been manually resolved:

```yaml
# .codeclimate.yml
plugins:
  bundler-audit:
    enabled: true
    config:
      ignore:
        - CVE-YYYY-XXXX
```

`ignore` [Array<String>] - A list of advisory IDs to ignore.
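The two options above are read by the engine from `.codeclimate.yml`. The following is an added Ruby example, not code from this project, showing how such a config is loaded and how an ignore list is applied to findings: a misspelled plugin key silently yields no configuration, and malformed ignore entries are rejected rather than silently never matching. The config text, the advisory records and the accepted ID patterns (CVE, GHSA, OSVDB) are constructed assumptions for this example.

```ruby
require "yaml"

# Constructed .codeclimate.yml mirroring the two options documented above
SAMPLE_CONFIG = <<~YAML
  plugins:
    bundler-audit:
      enabled: true
      config:
        path: optional/path/to/Gemfile.lock
        ignore:
          - CVE-2020-0001
YAML

# Constructed findings in the shape bundler-audit reports per gem;
# the identifiers are placeholders, not real advisories
SAMPLE_ADVISORIES = [
  { gem: "examplegem", version: "1.0.0", id: "CVE-2020-0001", criticality: "high" },
  { gem: "othergem",   version: "2.3.4", id: "CVE-2021-0002", criticality: "medium" },
]

# Assumed shapes of advisory IDs an ignore entry may name
ADVISORY_ID = /\A(CVE-\d{4}-\d{4,}|GHSA-[\w-]+|OSVDB-\d+)\z/

# Returns { path:, ignore: } for the engine, or nil when the plugin key is
# absent, misspelled (e.g. "bunlder-audit") or not enabled.
def engine_config(yaml_text)
  plugins = YAML.safe_load(yaml_text).fetch("plugins", {})
  engine = plugins["bundler-audit"]
  return nil unless engine && engine["enabled"]
  cfg = engine.fetch("config", {}) || {}
  ignore = Array(cfg["ignore"])
  bad = ignore.reject { |i| i.is_a?(String) && i.match?(ADVISORY_ID) }
  raise ArgumentError, "malformed ignore entries: #{bad.inspect}" unless bad.empty?
  { path: cfg.fetch("path", "Gemfile.lock"), ignore: ignore }
end

# Drops advisories whose ID is on the ignore list; everything else is reported
def unresolved_advisories(advisories, ignore)
  advisories.reject { |a| ignore.include?(a[:id]) }
end

if __FILE__ == $PROGRAM_NAME
  cfg = engine_config(SAMPLE_CONFIG)
  puts "Gemfile.lock path: #{cfg[:path]}"
  unresolved_advisories(SAMPLE_ADVISORIES, cfg[:ignore]).each do |a|
    puts "#{a[:gem]} #{a[:version]}: #{a[:id]} (#{a[:criticality]})"
  end
end
```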
If you want to update the vulnerability database, run `make update_database`.
For help with bundler-audit, check out their documentation.
If you're running into a Code Climate issue, first look over this project's GitHub Issues, as your question may have already been covered. If not, go ahead and open a support ticket with us.