rails-guarddog 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: aa16a224273a4b8cb806307781b714908b081fbc7a6d245714bed775e6f99749
+  data.tar.gz: 9f5d59f9e0d7445a1a2c5c471c087881cd3524ed93f636ed27b64f3e439e3d01
+SHA512:
+  metadata.gz: f36099494083f49b05cb40792e1f092b013cdca187f1b01e8de5c340e9927cd7b4203c03900560e04e6bd5d4807687a14511e8d57d05043040e4e67b7b69ebc4
+  data.tar.gz: 0221476bc569b4025a2cadc8088de4961efbad611af4e1d465f14dac67aa7b37e7415a0089daad390b2944987d84b34e98a9cd8ce4606ad7c4e8f944b8ef6022

data/LICENSE

@@ -0,0 +1,17 @@
+MIT License
+
+Copyright (c) 2024 Rails GuardDog
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.

data/README.md

@@ -0,0 +1,66 @@
+# Rails GuardDog 🐕
+
+Advanced security scanning for Rails applications. Beyond brakeman — AI injection, DoS patterns, supply chain attacks, GraphQL auth, and more.
+
+## Features
+
+### Core Checks
+- SQL Injection (improved detection)
+- XSS in views
+- CSRF protection
+- Mass assignment vulnerabilities
+- Open redirects
+- Hardcoded secrets (always-on)
+
+### Original Features ⭐
+- **AI/LLM Prompt Injection** — Detects user input flowing into LLM calls
+- **DoS & ReDoS Detection** — Regex catastrophe and unbounded query patterns
+- **Supply Chain** — Typosquatting detection with Levenshtein distance
+- **GraphQL Auth Gaps** — Missing field-level authorization
+- **Rate Limiting Audit** — Checks rack-attack configuration
+
+## Installation
+
+Add to Gemfile:
+```ruby
+gem 'rails-guarddog'
+```
+
+Run:
+```bash
+bundle install
+```
+
+## Usage
+
+### CLI
+```bash
+guarddog scan      # Console output
+guarddog report    # HTML + JSON reports
+```
+
+### Rake Tasks
+```bash
+rake guarddog:scan      # Run scan
+rake guarddog:report    # Generate reports
+rake guarddog:ci        # CI integration (exits 1 on critical)
+```
+
+## Report Formats
+
+- **Console** — Color-coded terminal output
+- **HTML** — Interactive dashboard with filtering
+- **JSON** — Structured format for CI/CD integration
+
+## Configuration
+
+Create `config/initializers/guarddog.rb`:
+```ruby
+Rails.application.config.guarddog.enabled_checkers = %w[
+  sql_injection xss csrf mass_assignment
+]
+```
+
+## License
+
+MIT

data/bin/guarddog

@@ -0,0 +1,17 @@
+#!/usr/bin/env ruby
+require 'rails/guarddog'
+
+if ARGV[0] == 'scan'
+  scanner = Rails::Guarddog::Scanner.new
+  findings = scanner.run
+  reporter = Rails::Guarddog::Reporters::ConsoleReporter.new(findings)
+  reporter.report
+elsif ARGV[0] == 'report'
+  scanner = Rails::Guarddog::Scanner.new
+  findings = scanner.run
+  html_reporter = Rails::Guarddog::Reporters::HtmlReporter.new(findings)
+  path = html_reporter.report
+  puts "Report generated: #{path}"
+else
+  puts "Usage: guarddog [scan|report]"
+end

data/lib/rails/guarddog/checkers/ai_injection_checker.rb

@@ -0,0 +1,31 @@
+module Rails
+  module Guarddog
+    module Checkers
+      class AiInjectionChecker < BaseChecker
+        AI_GEMS = %w[ruby-openai anthropic langchainrb openai]
+        
+        def run
+          glob_files('app/**/*.rb').each do |file|
+            content = File.read(file)
+            content.each_line.with_index do |line, idx|
+              # Check for AI gem calls with user input
+              if line.match?(/\.create.*messages/) || line.match?(/\.chat\.completions/)
+                if line.include?('params') || line.include?('user_input')
+                  add_finding(
+                    severity: :critical,
+                    message: "AI prompt injection risk: user input passed to LLM without sanitization",
+                    file: file,
+                    line: idx + 1,
+                    snippet: line.strip,
+                    remediation: "Sanitize user input before passing to LLM; use system prompts safely"
+                  )
+                end
+              end
+            end
+          end
+          findings
+        end
+      end
+    end
+  end
+end

data/lib/rails/guarddog/checkers/base_checker.rb

@@ -0,0 +1,36 @@
+module Rails
+  module Guarddog
+    module Checkers
+      class BaseChecker
+        attr_accessor :findings
+
+        def initialize(root = Rails.root.to_s)
+          @root = root
+          @findings = []
+        end
+
+        def run
+          raise NotImplementedError, "Subclasses must implement run"
+        end
+
+        protected
+
+        def add_finding(severity:, message:, file:, line:, snippet: "", remediation: "")
+          findings << Finding.new(
+            severity: severity,
+            category: self.class.name.demodulize.gsub(/Checker$/, ''),
+            message: message,
+            file: file,
+            line: line,
+            code_snippet: snippet,
+            remediation: remediation
+          )
+        end
+
+        def glob_files(pattern)
+          Dir.glob(File.join(@root, pattern))
+        end
+      end
+    end
+  end
+end

data/lib/rails/guarddog/checkers/csrf_checker.rb

@@ -0,0 +1,24 @@
+module Rails
+  module Guarddog
+    module Checkers
+      class CsrfChecker < BaseChecker
+        def run
+          glob_files('app/controllers/**/*.rb').each do |file|
+            content = File.read(file)
+            has_skip = content.include?('skip_before_action :verify_authenticity_token')
+            if has_skip && !content.include?('# CSRF disabled for specific reason')
+              add_finding(
+                severity: :critical,
+                message: "CSRF protection disabled without documented reason",
+                file: file,
+                line: 1,
+                remediation: "Remove skip_before_action or add documented reason"
+              )
+            end
+          end
+          findings
+        end
+      end
+    end
+  end
+end

data/lib/rails/guarddog/checkers/dependency_checker.rb

@@ -0,0 +1,27 @@
+module Rails
+  module Guarddog
+    module Checkers
+      class DependencyChecker < BaseChecker
+        def run
+          gemfile = File.join(@root, 'Gemfile.lock')
+          return [] unless File.exist?(gemfile)
+          
+          content = File.read(gemfile)
+          
+          # Check for typosquatted gems
+          if content.match?(/raills|raill\s|rails-rails|active-model/) 
+            add_finding(
+              severity: :critical,
+              message: "Possible typosquatted gem detected in Gemfile.lock",
+              file: gemfile,
+              line: 1,
+              remediation: "Verify gem names carefully; check rubygems.org"
+            )
+          end
+          
+          findings
+        end
+      end
+    end
+  end
+end

data/lib/rails/guarddog/checkers/dos_checker.rb

@@ -0,0 +1,38 @@
+module Rails
+  module Guarddog
+    module Checkers
+      class DosChecker < BaseChecker
+        def run
+          glob_files('app/**/*.rb').each do |file|
+            content = File.read(file)
+            content.each_line.with_index do |line, idx|
+              # Check for unbounded queries
+              if line.match?(/\.where\(.*\)\.all/) || line.match?(/\.all\s*$/)
+                add_finding(
+                  severity: :high,
+                  message: "Potential DoS: unbounded database query without limit",
+                  file: file,
+                  line: idx + 1,
+                  snippet: line.strip,
+                  remediation: "Add .limit() to control result size"
+                )
+              end
+              # Check for regex vulnerabilities
+              if line.match?(/\/.+\*\+.*\*\+.+\//) || line.match?(/match\?.*\(.+\*\+/)
+                add_finding(
+                  severity: :high,
+                  message: "Potential ReDoS vulnerability: dangerous regex pattern",
+                  file: file,
+                  line: idx + 1,
+                  snippet: line.strip,
+                  remediation: "Simplify regex or use timeout mechanisms"
+                )
+              end
+            end
+          end
+          findings
+        end
+      end
+    end
+  end
+end

data/lib/rails/guarddog/checkers/graphql_checker.rb

@@ -0,0 +1,27 @@
+module Rails
+  module Guarddog
+    module Checkers
+      class GraphqlChecker < BaseChecker
+        def run
+          glob_files('app/graphql/**/*.rb').each do |file|
+            content = File.read(file)
+            
+            if content.include?('field') || content.include?('def resolve')
+              unless content.include?('authorize') || content.include?('current_user')
+                add_finding(
+                  severity: :high,
+                  message: "GraphQL field missing authorization check",
+                  file: file,
+                  line: 1,
+                  snippet: "GraphQL resolver without auth",
+                  remediation: "Add authorization: authorize @object or Pundit check"
+                )
+              end
+            end
+          end
+          findings
+        end
+      end
+    end
+  end
+end

data/lib/rails/guarddog/checkers/idor_checker.rb

@@ -0,0 +1,26 @@
+module Rails
+  module Guarddog
+    module Checkers
+      class IdorChecker < BaseChecker
+        def run
+          glob_files('app/controllers/**/*.rb').each do |file|
+            content = File.read(file)
+            content.each_line.with_index do |line, idx|
+              if line.match?(/find\(params\[[:']id[']\]/) && !content.include?('authorize')
+                add_finding(
+                  severity: :high,
+                  message: "Potential IDOR: object accessed by ID without ownership check",
+                  file: file,
+                  line: idx + 1,
+                  snippet: line.strip,
+                  remediation: "Add authorization check: authorize @object"
+                )
+              end
+            end
+          end
+          findings
+        end
+      end
+    end
+  end
+end

data/lib/rails/guarddog/checkers/mass_assignment_checker.rb

@@ -0,0 +1,28 @@
+module Rails
+  module Guarddog
+    module Checkers
+      class MassAssignmentChecker < BaseChecker
+        def run
+          glob_files('app/**/*.rb').each do |file|
+            content = File.read(file)
+            content.each_line.with_index do |line, idx|
+              if line.include?('permit!') || line.include?('permit(:')
+                if line.include?('permit!')
+                  add_finding(
+                    severity: :critical,
+                    message: "Mass assignment vulnerability: permit! allows all parameters",
+                    file: file,
+                    line: idx + 1,
+                    snippet: line.strip,
+                    remediation: "Use specific permits: permit(:field1, :field2)"
+                  )
+                end
+              end
+            end
+          end
+          findings
+        end
+      end
+    end
+  end
+end

data/lib/rails/guarddog/checkers/open_redirect_checker.rb

@@ -0,0 +1,26 @@
+module Rails
+  module Guarddog
+    module Checkers
+      class OpenRedirectChecker < BaseChecker
+        def run
+          glob_files('app/controllers/**/*.rb').each do |file|
+            content = File.read(file)
+            content.each_line.with_index do |line, idx|
+              if line.match?(/redirect_to\s+params\[:/) || line.match?(/redirect_to\s+request\./)
+                add_finding(
+                  severity: :high,
+                  message: "Potential open redirect: user-controlled redirect URL",
+                  file: file,
+                  line: idx + 1,
+                  snippet: line.strip,
+                  remediation: "Whitelist allowed redirect URLs"
+                )
+              end
+            end
+          end
+          findings
+        end
+      end
+    end
+  end
+end

data/lib/rails/guarddog/checkers/rate_limit_checker.rb

@@ -0,0 +1,33 @@
+module Rails
+  module Guarddog
+    module Checkers
+      class RateLimitChecker < BaseChecker
+        def run
+          config_file = File.join(@root, 'config/initializers/rack_attack.rb')
+          
+          if !File.exist?(config_file)
+            add_finding(
+              severity: :medium,
+              message: "Rate limiting not configured: rack_attack.rb missing",
+              file: config_file,
+              line: 1,
+              remediation: "Create config/initializers/rack_attack.rb with rate limiting rules"
+            )
+          else
+            content = File.read(config_file)
+            unless content.include?('throttle') && (content.include?('login') || content.include?('api'))
+              add_finding(
+                severity: :medium,
+                message: "Rate limiting rules not configured for critical endpoints",
+                file: config_file,
+                line: 1,
+                remediation: "Add throttle rules for /login, /api/auth, /password_reset"
+              )
+            end
+          end
+          findings
+        end
+      end
+    end
+  end
+end

data/lib/rails/guarddog/checkers/secrets_checker.rb

@@ -0,0 +1,37 @@
+module Rails
+  module Guarddog
+    module Checkers
+      class SecretsChecker < BaseChecker
+        PATTERNS = [
+          /api[_-]?key\s*[=:]\s*['"][^'"]+['"]/i,
+          /secret[_-]?key\s*[=:]\s*['"][^'"]+['"]/i,
+          /password\s*[=:]\s*['"][^'"]+['"]/i,
+          /token\s*[=:]\s*['"][^'"]+['"]/i
+        ]
+
+        def run
+          %w[*.rb *.yml .env .env.local].each do |pattern|
+            glob_files("**/{#{pattern}}").each do |file|
+              next if file.include?('node_modules') || file.include?('vendor')
+              content = File.read(file) rescue next
+              content.each_line.with_index do |line, idx|
+                PATTERNS.each do |pattern|
+                  if line.match?(pattern) && !line.strip.start_with?('#')
+                    add_finding(
+                      severity: :critical,
+                      message: "Hardcoded secret detected",
+                      file: file,
+                      line: idx + 1,
+                      remediation: "Use ENV variables or Rails credentials"
+                    )
+                  end
+                end
+              end
+            end
+          end
+          findings
+        end
+      end
+    end
+  end
+end

data/lib/rails/guarddog/checkers/sql_injection_checker.rb

@@ -0,0 +1,26 @@
+module Rails
+  module Guarddog
+    module Checkers
+      class SqlInjectionChecker < BaseChecker
+        def run
+          glob_files('app/**/*.rb').each do |file|
+            content = File.read(file)
+            content.each_line.with_index do |line, idx|
+              if line.match?(/\.where\s*\(\s*['"]\s*#{.*}/) || line.match?(/\.find_by_sql\s*\(/)
+                add_finding(
+                  severity: :high,
+                  message: "Potential SQL injection: using string interpolation in queries",
+                  file: file,
+                  line: idx + 1,
+                  snippet: line.strip,
+                  remediation: "Use parameterized queries: .where('column = ?', value)"
+                )
+              end
+            end
+          end
+          findings
+        end
+      end
+    end
+  end
+end

data/lib/rails/guarddog/checkers/xss_checker.rb

@@ -0,0 +1,26 @@
+module Rails
+  module Guarddog
+    module Checkers
+      class XssChecker < BaseChecker
+        def run
+          glob_files('app/views/**/*.erb').each do |file|
+            content = File.read(file)
+            content.each_line.with_index do |line, idx|
+              if line.include?('<%=') && (line.include?('params') || line.include?('@')) && !line.include?('sanitize') && !line.include?('h(')
+                add_finding(
+                  severity: :high,
+                  message: "Potential XSS vulnerability: unsanitized user input in view",
+                  file: file,
+                  line: idx + 1,
+                  snippet: line.strip,
+                  remediation: "Use <%= h() %> or sanitize() helper"
+                )
+              end
+            end
+          end
+          findings
+        end
+      end
+    end
+  end
+end

data/lib/rails/guarddog/configuration.rb

@@ -0,0 +1,21 @@
+module Rails
+  module Guarddog
+    class Configuration
+      attr_accessor :root, :enabled_checkers, :excluded_paths, :output_format
+
+      def initialize
+        @root = Rails.root.to_s
+        @enabled_checkers = all_checkers
+        @excluded_paths = %w[vendor spec test node_modules]
+        @output_format = :console
+      end
+
+      def all_checkers
+        %w[
+          sql_injection xss csrf mass_assignment open_redirect secrets
+          dos idor ai_injection rate_limit dependency graphql
+        ]
+      end
+    end
+  end
+end

data/lib/rails/guarddog/finding.rb

@@ -0,0 +1,29 @@
+module Rails
+  module Guarddog
+    class Finding
+      attr_accessor :severity, :category, :message, :file, :line, :code_snippet, :remediation
+
+      def initialize(severity:, category:, message:, file:, line:, code_snippet: "", remediation: "")
+        @severity = severity
+        @category = category
+        @message = message
+        @file = file
+        @line = line
+        @code_snippet = code_snippet
+        @remediation = remediation
+      end
+
+      def to_h
+        {
+          severity: severity,
+          category: category,
+          message: message,
+          file: file,
+          line: line,
+          code_snippet: code_snippet,
+          remediation: remediation
+        }
+      end
+    end
+  end
+end

data/lib/rails/guarddog/railtie.rb

@@ -0,0 +1,11 @@
+module Rails
+  module Guarddog
+    class Railtie < Rails::Railtie
+      rake_tasks do
+        load "tasks/guarddog.rake"
+      end
+
+      config.guarddog = Configuration.new
+    end
+  end
+end

data/lib/rails/guarddog/reporters/console_reporter.rb

@@ -0,0 +1,35 @@
+module Rails
+  module Guarddog
+    module Reporters
+      class ConsoleReporter
+        def initialize(findings)
+          @findings = findings
+        end
+
+        def report
+          puts "\n" + "="*60
+          puts "Rails GuardDog Security Report".center(60)
+          puts "="*60 + "\n"
+
+          if @findings.empty?
+            puts "✓ No security issues found!".green
+            return
+          end
+
+          @findings.group_by(&:severity).each do |severity, findings|
+            puts "\n[#{severity.upcase}] (#{findings.count})"
+            findings.each do |finding|
+              puts "  #{finding.category} — #{finding.message}"
+              puts "    #{finding.file}:#{finding.line}"
+              puts "    Fix: #{finding.remediation}\n"
+            end
+          end
+
+          puts "\n" + "="*60
+          puts "Total findings: #{@findings.count}"
+          puts "="*60 + "\n"
+        end
+      end
+    end
+  end
+end

data/lib/rails/guarddog/reporters/html_reporter.rb

@@ -0,0 +1,103 @@
+module Rails
+  module Guarddog
+    module Reporters
+      class HtmlReporter
+        def initialize(findings)
+          @findings = findings
+        end
+
+        def report(output_path = "guarddog_report.html")
+          html = generate_html
+          File.write(output_path, html)
+          output_path
+        end
+
+        private
+
+        def generate_html
+          severity_breakdown = @findings.group_by(&:severity).transform_values(&:count)
+          
+          html = <<~HTML
+            <!DOCTYPE html>
+            <html>
+            <head>
+              <meta charset="UTF-8">
+              <title>Rails GuardDog Security Report</title>
+              <style>
+                * { box-sizing: border-box; }
+                body { font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif; margin: 0; padding: 20px; background: #f5f5f5; }
+                .container { max-width: 1200px; margin: 0 auto; background: white; padding: 30px; border-radius: 8px; box-shadow: 0 1px 3px rgba(0,0,0,0.1); }
+                h1 { color: #333; margin-top: 0; }
+                .stats { display: grid; grid-template-columns: repeat(4, 1fr); gap: 16px; margin: 20px 0; }
+                .stat-card { padding: 16px; border-radius: 6px; text-align: center; }
+                .stat-card.critical { background: #fee; color: #c00; }
+                .stat-card.high { background: #fef3cd; color: #856404; }
+                .stat-card.medium { background: #cfe2ff; color: #084298; }
+                .stat-card.low { background: #d1e7dd; color: #0f5132; }
+                .stat-card h3 { margin: 0 0 10px; font-size: 28px; }
+                .stat-card p { margin: 0; font-size: 12px; }
+                .findings { margin-top: 30px; }
+                .finding { border-left: 4px solid #ccc; padding: 16px; margin: 16px 0; background: #fafafa; border-radius: 4px; }
+                .finding.critical { border-color: #c00; background: #fee; }
+                .finding.high { border-color: #ff9800; background: #fff3cd; }
+                .finding.medium { border-color: #2196f3; background: #d1ecf1; }
+                .finding.low { border-color: #4caf50; background: #d4edda; }
+                .finding-severity { font-weight: bold; font-size: 12px; text-transform: uppercase; }
+                .finding-title { font-size: 16px; font-weight: 600; margin: 8px 0; }
+                .finding-meta { font-size: 13px; color: #666; margin: 8px 0; }
+                .finding-code { background: #f0f0f0; padding: 10px; border-radius: 4px; font-family: monospace; font-size: 12px; margin: 8px 0; overflow-x: auto; }
+                .finding-remediation { margin-top: 10px; padding: 10px; background: rgba(0,0,0,0.05); border-radius: 4px; font-size: 13px; }
+              </style>
+            </head>
+            <body>
+              <div class="container">
+                <h1>🐕 Rails GuardDog Security Report</h1>
+                <p>Generated: #{Time.now.strftime("%Y-%m-%d %H:%M:%S")}</p>
+                
+                <div class="stats">
+                  <div class="stat-card critical">
+                    <h3>#{severity_breakdown[:critical] || 0}</h3>
+                    <p>Critical</p>
+                  </div>
+                  <div class="stat-card high">
+                    <h3>#{severity_breakdown[:high] || 0}</h3>
+                    <p>High</p>
+                  </div>
+                  <div class="stat-card medium">
+                    <h3>#{severity_breakdown[:medium] || 0}</h3>
+                    <p>Medium</p>
+                  </div>
+                  <div class="stat-card low">
+                    <h3>#{severity_breakdown[:low] || 0}</h3>
+                    <p>Low</p>
+                  </div>
+                </div>
+
+                <div class="findings">
+          HTML
+
+          @findings.each do |finding|
+            html += %{
+              <div class="finding #{finding.severity}">
+                <div class="finding-severity">#{finding.severity.upcase}</div>
+                <div class="finding-title">#{finding.category} - #{finding.message}</div>
+                <div class="finding-meta">#{finding.file}:#{finding.line}</div>
+                <div class="finding-code">#{finding.code_snippet}</div>
+                <div class="finding-remediation"><strong>Fix:</strong> #{finding.remediation}</div>
+              </div>
+            }
+          end
+
+          html += <<~HTML
+                </div>
+              </div>
+            </body>
+            </html>
+          HTML
+
+          html
+        end
+      end
+    end
+  end
+end

data/lib/rails/guarddog/reporters/json_reporter.rb

@@ -0,0 +1,29 @@
+require 'json'
+
+module Rails
+  module Guarddog
+    module Reporters
+      class JsonReporter
+        def initialize(findings)
+          @findings = findings
+        end
+
+        def report
+          output = {
+            timestamp: Time.now.iso8601,
+            total_findings: @findings.count,
+            severity_breakdown: severity_breakdown,
+            findings: @findings.map(&:to_h)
+          }
+          JSON.pretty_generate(output)
+        end
+
+        private
+
+        def severity_breakdown
+          @findings.group_by(&:severity).transform_values(&:count)
+        end
+      end
+    end
+  end
+end

data/lib/rails/guarddog/scanner.rb

@@ -0,0 +1,37 @@
+module Rails
+  module Guarddog
+    class Scanner
+      attr_accessor :configuration, :findings
+
+      def initialize(config = nil)
+        @configuration = config || Configuration.new
+        @findings = []
+      end
+
+      def run
+        checkers = load_checkers
+        checkers.each do |checker|
+          checker_instance = checker.new(@configuration.root)
+          checker_instance.run
+          @findings.concat(checker_instance.findings)
+        end
+        @findings.sort_by { |f| severity_order(f.severity) }
+      end
+
+      private
+
+      def load_checkers
+        checkers_dir = File.expand_path('../guarddog/checkers', __FILE__)
+        Dir.glob("#{checkers_dir}/*_checker.rb").map do |file|
+          require file
+          class_name = File.basename(file, '.rb').camelize
+          Checkers.const_get(class_name)
+        end.compact
+      end
+
+      def severity_order(severity)
+        { critical: 0, high: 1, medium: 2, low: 3 }[severity] || 4
+      end
+    end
+  end
+end

data/lib/rails/guarddog/version.rb

@@ -0,0 +1,5 @@
+module Rails
+  module Guarddog
+    VERSION = "0.1.0"
+  end
+end

data/lib/rails/guarddog.rb

@@ -0,0 +1,27 @@
+require 'rails'
+require_relative 'guarddog/version'
+require_relative 'guarddog/configuration'
+require_relative 'guarddog/finding'
+require_relative 'guarddog/scanner'
+require_relative 'guarddog/checkers/base_checker'
+require_relative 'guarddog/checkers/sql_injection_checker'
+require_relative 'guarddog/checkers/xss_checker'
+require_relative 'guarddog/checkers/csrf_checker'
+require_relative 'guarddog/checkers/mass_assignment_checker'
+require_relative 'guarddog/checkers/open_redirect_checker'
+require_relative 'guarddog/checkers/secrets_checker'
+require_relative 'guarddog/checkers/dos_checker'
+require_relative 'guarddog/checkers/idor_checker'
+require_relative 'guarddog/checkers/ai_injection_checker'
+require_relative 'guarddog/checkers/rate_limit_checker'
+require_relative 'guarddog/checkers/dependency_checker'
+require_relative 'guarddog/checkers/graphql_checker'
+require_relative 'guarddog/reporters/console_reporter'
+require_relative 'guarddog/reporters/json_reporter'
+require_relative 'guarddog/reporters/html_reporter'
+require_relative 'guarddog/railtie'
+
+module Rails
+  module Guarddog
+  end
+end

data/lib/rails-guarddog.rb

@@ -0,0 +1 @@
+require_relative 'rails/guarddog'

data/lib/tasks/guarddog.rake

@@ -0,0 +1,45 @@
+namespace :guarddog do
+  task :scan do
+    require 'rails/guarddog'
+    
+    scanner = Rails::Guarddog::Scanner.new
+    findings = scanner.run
+    
+    reporter = Rails::Guarddog::Reporters::ConsoleReporter.new(findings)
+    reporter.report
+  end
+
+  task :report do
+    require 'rails/guarddog'
+    
+    scanner = Rails::Guarddog::Scanner.new
+    findings = scanner.run
+    
+    html_reporter = Rails::Guarddog::Reporters::HtmlReporter.new(findings)
+    path = html_reporter.report("guarddog_report.html")
+    puts "✓ HTML report generated: #{path}"
+    
+    json_reporter = Rails::Guarddog::Reporters::JsonReporter.new(findings)
+    File.write("guarddog_report.json", json_reporter.report)
+    puts "✓ JSON report generated: guarddog_report.json"
+  end
+
+  task :ci do
+    require 'rails/guarddog'
+    
+    scanner = Rails::Guarddog::Scanner.new
+    findings = scanner.run
+    
+    critical = findings.select { |f| f.severity == :critical }
+    
+    puts Rails::Guarddog::Reporters::JsonReporter.new(findings).report
+    
+    if critical.any?
+      puts "\n❌ CRITICAL VULNERABILITIES FOUND: #{critical.count}"
+      exit 1
+    else
+      puts "\n✓ No critical vulnerabilities"
+      exit 0
+    end
+  end
+end

metadata

@@ -0,0 +1,114 @@
+--- !ruby/object:Gem::Specification
+name: rails-guarddog
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Security Team
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2026-06-05 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: railties
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '6.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '6.0'
+- !ruby/object:Gem::Dependency
+  name: parser
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+description: 'Rails GuardDog: Beyond brakeman — AI injection, DoS, supply chain, GraphQL
+  auth, and more'
+email:
+- security@example.com
+executables:
+- guarddog
+extensions: []
+extra_rdoc_files: []
+files:
+- LICENSE
+- README.md
+- bin/guarddog
+- lib/rails-guarddog.rb
+- lib/rails/guarddog.rb
+- lib/rails/guarddog/checkers/ai_injection_checker.rb
+- lib/rails/guarddog/checkers/base_checker.rb
+- lib/rails/guarddog/checkers/csrf_checker.rb
+- lib/rails/guarddog/checkers/dependency_checker.rb
+- lib/rails/guarddog/checkers/dos_checker.rb
+- lib/rails/guarddog/checkers/graphql_checker.rb
+- lib/rails/guarddog/checkers/idor_checker.rb
+- lib/rails/guarddog/checkers/mass_assignment_checker.rb
+- lib/rails/guarddog/checkers/open_redirect_checker.rb
+- lib/rails/guarddog/checkers/rate_limit_checker.rb
+- lib/rails/guarddog/checkers/secrets_checker.rb
+- lib/rails/guarddog/checkers/sql_injection_checker.rb
+- lib/rails/guarddog/checkers/xss_checker.rb
+- lib/rails/guarddog/configuration.rb
+- lib/rails/guarddog/finding.rb
+- lib/rails/guarddog/railtie.rb
+- lib/rails/guarddog/reporters/console_reporter.rb
+- lib/rails/guarddog/reporters/html_reporter.rb
+- lib/rails/guarddog/reporters/json_reporter.rb
+- lib/rails/guarddog/scanner.rb
+- lib/rails/guarddog/version.rb
+- lib/tasks/guarddog.rake
+homepage: https://github.com/example/rails-guarddog
+licenses:
+- MIT
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.5.22
+signing_key:
+specification_version: 4
+summary: Advanced security checker for Rails apps
+test_files: []