Links:
- GitHub: github.com/wilburhimself/gem_guard
- RubyGems: rubygems.org/gems/gem_guard
TL;DR
- ✅ Scan dependencies for known vulnerabilities (OSV.dev + Ruby Advisory DB)
- 🕵️ Detect typosquat packages before they bite
- 📜 Generate SPDX / CycloneDX SBOMs
- 🛠 Auto-fix vulnerable gems safely
- ⚡ Clean CLI + CI-ready
- Version: 1.1.x
Why GemGuard?
Because security shouldn’t be an afterthought. It should be:
- Pragmatic – only what matters, no noise
- Fast – instant feedback in dev or CI
- Integrated – works with your normal Ruby workflow
What is GemGuard?
GemGuard is a lightweight Ruby security tool that:
- Scans your
Gemfile.lock
for known vulnerabilities - Detects typosquat risks via fuzzy matching
- Generates SBOMs (SPDX and CycloneDX)
- Auto-fixes vulnerable gems with safe version upgrades
- Plays nicely with CI/CD
Installation
# Add to your Gemfile (recommended for projects)
gem "gem_guard", "~> 1.1"
# Or install globally
gem install gem_guard
Verify:
gem_guard version
# => 1.1.x
Quick Start
Scan your project:
gem_guard scan
# ✅ No vulnerabilities found!
# or exits non‑zero if issues are found
Detect typosquats:
gem_guard typosquat
# No potential typosquat dependencies found.
Generate an SBOM:
gem_guard sbom --format spdx --output sbom.spdx.json
gem_guard sbom --format cyclonedx --output bom.cdx.json
Auto‑Fix Vulnerabilities
Preview (dry run):
gem_guard fix --dry-run
Apply fixes (creates a Gemfile.lock backup by default):
gem_guard fix
# 📦 Created backup: Gemfile.lock.backup.2025...
# ✅ Updated nokogiri to 1.18.9
# 🔄 Running bundle install to update lockfile...
Options:
-
--interactive
: confirm each update -
--no-backup
: skip lockfile backup -
--gemfile
, --lockfile: custom paths
Tip: Re-scan after fixing
gem_guard scan
Clean CLI
gem_guard --help
# config, scan, typosquat, sbom, fix, version
Exit codes:
- 0: success / no vulns
- 1: vulnerabilities found
- 2: errors (e.g., missing files)
CI/CD Integration (GitHub Actions)
name: security-scan
on: [push, pull_request]
jobs:
gemguard:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: ruby/setup-ruby@v1
with:
ruby-version: '3.3'
bundler-cache: true
- run: gem install gem_guard
- run: gem_guard scan --format json > gemguard-report.json
- run: gem_guard typosquat --format json > typosquat-report.json
- name: Upload reports
uses: actions/upload-artifact@v4
with:
name: gemguard-reports
path: |
gemguard-report.json
typosquat-report.json
Fail builds on vulnerabilities (default behavior). If you want non-blocking scans (e.g., on main), wrap with || true or use matrix strategies.
Configuration
Create .gemguard.yml:
lockfile: Gemfile.lock
output:
format: table # table | json
typosquat:
similarity_threshold: 0.82
risk_levels:
high: 0.9
medium: 0.85
View current config:
gem_guard config --show
Why GemGuard?
- Minimal setup, zero noise
- Pragmatic defaults, sensible exit codes
- Works offline for typosquat via fallback popular gems
- Well-tested (RSpec), standardrb formatting
- Designed for CI from day 1
How It Compares
- Bundler Audit: great for advisories; GemGuard adds typosquat + SBOM + auto-fix
- OSV-Scanner: broad ecosystem; GemGuard is Ruby-first with tighter UX and auto-fix
- Trivy/Grype: container focus; GemGuard slots into pure-Ruby pipelines easily
Use GemGuard standalone or alongside your existing stack.
Roadmap
- Enriched advisories (GHSA/CVE links, CVSS)
- Optional dependency graph visualizations
- Interactive TUI
- More fix strategies and guards
Contribute / Feedback
- Issues/PRs welcome: add tests, keep it minimal and intention-revealing
- Prefer failing test → minimal fix → refactor
- Security disclosures: see SECURITY.md
Try It Now
gem install gem_guard
gem_guard scan
gem_guard typosquat
gem_guard fix --dry-run
If this helps you ship safer Ruby apps with less fuss, drop a ❤️ and share!
— Built for Rubyists who like fast feedback, clean CLIs, and reliable automation.
Issues and PRs welcome → github.com/wilburhimself/gem_guard
Top comments (0)