capistrano-bundle_audit 0.0.1 → 0.0.2
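--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 4f6157938e40feb73815c43c9bbbf5bdddc58492
+data.tar.gz: a76db4d182893e2ff65e4aa815909ad4471443c2
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: d32b94727ce50a46fdc4da9c97abd02f7bcb7d63c59f1cfa9e88859dc468c78739e18a2b7c39d9cfb39dd3fe7ee28db2524d5c97e3ec866a9093a07af89587d3
+data.tar.gz: fc8cf08160e752b76523b1d03c4a316b0a9fb1fc771cfd0a22ab24d1b476ad45a9842990fab196984c9c5f222c24cf9f7fb4f42915cb67483e6e37a700843902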
@@ -2,20 +2,28 @@ require 'tmpdir'
|
|
2
2
|
|
3
3
|
namespace :deploy do
|
4
4
|
namespace :check do
|
5
|
+
desc "Audit the Gemfile/Gemfile.lock for known vulnerabilities"
|
5
6
|
task :bundle_audit do
|
6
|
-
|
7
|
+
on roles(:app) do |host|
|
8
|
+
|
9
|
+
# Download the relevant files and run bundle-audit on them locally
|
7
10
|
Dir.mktmpdir do |dir|
|
8
11
|
Dir.chdir dir do
|
9
12
|
download! "#{release_path}/Gemfile.lock", "Gemfile.lock"
|
10
13
|
download! "#{release_path}/Gemfile", "Gemfile"
|
11
|
-
|
14
|
+
|
12
15
|
run_locally do
|
16
|
+
|
17
|
+
# Get the latest vulnerability information
|
13
18
|
execute "bundle-audit update &> /dev/null"
|
19
|
+
|
14
20
|
bundle_audit_output = capture "bundle-audit"
|
15
|
-
|
16
|
-
|
17
|
-
|
18
|
-
|
21
|
+
|
22
|
+
# bundle-audit includes failures for both gem vulnerabilities
|
23
|
+
# and insecure gem sources, and offers no way to distinguish those cases.
|
24
|
+
# unfortunately, we only want to fail when vulnerable gems are required.
|
25
|
+
if bundle_audit_output =~ /Name:/
|
26
|
+
fail "Bundle audit failed; update your vulnerable dependencies before deploying"
|
19
27
|
end
|
20
28
|
end
|
21
29
|
end
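Review bot: The new `if bundle_audit_output =~ /Name:/` gate in front of `fail` is very likely unreachable, because `bundle-audit` exits non-zero whenever it reports either a vulnerable gem or an insecure source, and SSHKit's `capture` raises `SSHKit::Command::Failed` on a non-zero exit by default, before the regex is ever evaluated. That also undermines the intent stated in the new comment: a lockfile with only an insecure source would still abort the deploy with a generic command failure instead of passing. Unless `raise_on_non_zero_exit` is switched off elsewhere in the project, the capture should opt out explicitly, `bundle_audit_output = capture "bundle-audit", raise_on_non_zero_exit: false`, so that the output-based check on the following lines is what decides the outcome. Separately, the `&> /dev/null` on the `bundle-audit update` context line discards any error from refreshing the advisory database, so an offline or failed update may go unnoticed and the audit could silently run against stale data; consider dropping the redirect or at least keeping stderr. The `task :bundle_audit` block and its enclosing `on`/`Dir.mktmpdir` blocks close outside this hunk.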
|
@@ -24,5 +32,5 @@ namespace :deploy do
|
|
24
32
|
end
|
25
33
|
end
|
26
34
|
|
27
|
-
|
35
|
+
after 'deploy:updating', 'deploy:check:bundle_audit' unless ENV['SKIP_BUNDLE_AUDIT']
|
28
36
|
end
|