Snyk supports testing and fixing Ruby projects that have their dependencies managed by Bundler. For GitHub support you need to have your Gemfile and Gemfile.lock checked into the root of your repository. Our CLI tool also supports Ruby, and you can test and monitor your apps continuously with our CI integration. Support for gem libraries is in the pipeline.
If your Gemfile needs access to private Gem sources please get in touch.
Testing Ruby projects
We scan Ruby projects by examining your Gemfile.lock and comparing the specific locked version of every direct and transitive (deep) dependency in your project against our Ruby vulnerability database.
We test all Bundler groups; currently you cannot exclude particular groups (such as the test or development groups).
Fixing Ruby projects
Currently we only support fixing Ruby projects through our GitHub integration. We fix by updating the vulnerable gems with bundle update after modifying your Gemfile, keeping to the version rules you have specified there as far as possible. This means that in some scenarios we will not be able to upgrade every dependency to a non-vulnerable version. In that case, you should consider relaxing the rules in your Gemfile. In future releases, we are planning to provide suggestions to make this easier.
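As an added illustration of the two steps above (this is example code, not Snyk's own tooling), the following Ruby script reads a constructed Gemfile.lock, flags locked versions that fall inside a constructed vulnerability range, and then checks whether the Gemfile's own rule for a direct dependency would let bundle update reach the fixed version. The gem names, versions and vulnerability entries are all made up for the example.

```ruby
# Constructed sample Gemfile.lock (not a real project's): portile is pulled in transitively by xmlkit.
LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      xmlkit (1.10.3)
        portile (~> 2.4.0)
      portile (2.4.0)
      htmlclean (1.0.3)

  DEPENDENCIES
    htmlclean (~> 1.0.0)
    xmlkit (~> 1.10.0)
LOCK
# Constructed vulnerability database (placeholder entries, not real advisories): vulnerable range, first fixed version.
VULN_DB = {
  "xmlkit"    => { vulnerable: "< 1.10.4", fixed_in: "1.10.4" },
  "portile"   => { vulnerable: "< 2.4.1",  fixed_in: "2.4.1" },
  "htmlclean" => { vulnerable: "< 1.2.0",  fixed_in: "1.2.0" },
}

# Reads every resolved gem version (GEM specs only, direct and transitive) and each direct dependency's Gemfile rule (DEPENDENCIES).
def parse_lockfile(text)
  specs, deps, section = {}, {}, nil
  text.each_line do |raw|
    line = raw.rstrip
    section = (%w[GEM DEPENDENCIES].include?(line) ? line : nil) if line =~ /\A\S/
    if section == "GEM" && line =~ /\A {4}(\S+) \(([^)]+)\)\z/
      specs[$1] = Gem::Version.new($2) # 4-space indent: a resolved spec, not a sub-dependency line
    elsif section == "DEPENDENCIES" && line =~ /\A {2}(\S+?)!?(?: \((.+)\))?\z/
      deps[$1] = Gem::Requirement.new($2 ? $2.split(", ") : ">= 0") # no rule in the Gemfile means any version
    end
  end
  [specs, deps]
end

# Testing: a gem is flagged when its locked version falls inside a vulnerable range.
def vulnerable_gems(specs)
  specs.select { |n, v| VULN_DB[n] && Gem::Requirement.new(VULN_DB[n][:vulnerable]).satisfied_by?(v) }
end

# Fixing: bundle update reaches the fixed version only if the Gemfile rule admits it; transitive gems have no rule here (parent constraints are not checked).
def fix_plan(specs, deps)
  vulnerable_gems(specs).to_h do |name, _|
    reachable = deps[name].nil? || deps[name].satisfied_by?(Gem::Version.new(VULN_DB[name][:fixed_in]))
    [name, reachable ? :upgrade : :gemfile_rule_blocks]
  end
end

puts fix_plan(*parse_lockfile(LOCKFILE)).inspect
```

In the sample, htmlclean is reported as blocked because its Gemfile rule `~> 1.0.0` does not admit the fixed version 1.2.0, which is exactly the situation where the rule itself needs relaxing.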