Wilbur Suero

🚨 Introducing GemGuard: Automated Security for Ruby Gems (Scan, SBOM, Typosquat, Auto-Fix)

TL;DR

  • ✅ Scan dependencies for known vulnerabilities (OSV.dev + Ruby Advisory DB)
  • 🕵️ Detect typosquat packages before they bite
  • 📜 Generate SPDX / CycloneDX SBOMs
  • 🛠 Auto-fix vulnerable gems safely
  • ⚡ Clean CLI + CI-ready
  • Version: 1.1.x

Why GemGuard?

Because security shouldn’t be an afterthought. It should be:

  • Pragmatic – only what matters, no noise
  • Fast – instant feedback in dev or CI
  • Integrated – works with your normal Ruby workflow

What is GemGuard?

GemGuard is a lightweight Ruby security tool that:

  • Scans your Gemfile.lock for known vulnerabilities
  • Detects typosquat risks via fuzzy matching
  • Generates SBOMs (SPDX and CycloneDX)
  • Auto-fixes vulnerable gems with safe version upgrades
  • Plays nicely with CI/CD

Installation

# Add to your Gemfile (recommended for projects)
gem "gem_guard", "~> 1.1"

# Or install globally
gem install gem_guard

Verify:

gem_guard version
# => 1.1.x

Quick Start

Scan your project:

gem_guard scan
# ✅ No vulnerabilities found!
# or exits non-zero if issues are found

Detect typosquats:

gem_guard typosquat
# No potential typosquat dependencies found.

Generate an SBOM:

gem_guard sbom --format spdx --output sbom.spdx.json
gem_guard sbom --format cyclonedx --output bom.cdx.json

Auto-Fix Vulnerabilities

Preview (dry run):

gem_guard fix --dry-run

Apply fixes (creates a Gemfile.lock backup by default):

gem_guard fix
# 📦 Created backup: Gemfile.lock.backup.2025...
# ✅ Updated nokogiri to 1.18.9
# 🔄 Running bundle install to update lockfile...

Options:

  • --interactive: confirm each update
  • --no-backup: skip lockfile backup
  • --gemfile, --lockfile: custom paths

Tip: Re-scan after fixing

gem_guard scan

Clean CLI

gem_guard --help
# config, scan, typosquat, sbom, fix, version

Exit codes:

  • 0: success (no vulnerabilities found)
  • 1: vulnerabilities found
  • 2: errors (e.g., missing files)

CI/CD Integration (GitHub Actions)

name: security-scan
on: [push, pull_request]
jobs:
  gemguard:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ruby/setup-ruby@v1
        with:
          ruby-version: '3.3'
          bundler-cache: true
      - run: gem install gem_guard
      - run: gem_guard scan --format json > gemguard-report.json
      - run: gem_guard typosquat --format json > typosquat-report.json
      - name: Upload reports
        uses: actions/upload-artifact@v4
        with:
          name: gemguard-reports
          path: |
            gemguard-report.json
            typosquat-report.json

Builds fail on vulnerabilities by default, because the scan exits non-zero. If you want non-blocking scans (e.g., on main), wrap the command with || true or use a matrix strategy; note that || true also swallows exit code 2, so errors such as a missing lockfile will go unnoticed unless you check the JSON report.

Configuration

Create .gemguard.yml:

lockfile: Gemfile.lock
output:
  format: table   # table | json
typosquat:
  similarity_threshold: 0.82
  risk_levels:
    high: 0.9
    medium: 0.85
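To make the similarity_threshold and risk_levels settings concrete, here is an added example of a typosquat check over a Gemfile.lock. It is not GemGuard's own code: the metric (normalized Levenshtein distance), the popular-gem list, the sample lockfile and the :low band below medium are all assumptions made for illustration.

```ruby
# Added example (not GemGuard's own code). Assumed: normalized-Levenshtein
# metric, the popular-gem list and the :low band; thresholds from .gemguard.yml.
POPULAR_GEMS = %w[rails nokogiri rack puma sidekiq devise rspec].freeze # constructed
THRESHOLDS = {similarity: 0.82, high: 0.9, medium: 0.85}.freeze
# Constructed Gemfile.lock fragment with two look-alike names planted in it.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.18.9)
      nokogirl (1.0.0)
      rack (3.1.0)
      raills (0.0.1)
LOCK
# Classic dynamic-programming edit distance between two strings.
def levenshtein(a, b)
  prev = (0..b.length).to_a
  a.each_char.with_index(1) do |ca, i|
    cur = [i]
    b.each_char.with_index(1) do |cb, j|
      cost = ca == cb ? 0 : 1
      cur << [prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost].min
    end
    prev = cur
  end
  prev.last
end
# 1.0 means identical names, 0.0 means nothing in common.
def similarity(a, b)
  longest = [a.length, b.length].max
  longest.zero? ? 1.0 : 1.0 - levenshtein(a, b).to_f / longest
end
# Gem names from the "specs:" section: four-space indent, "name (version)".
def lockfile_gem_names(lockfile_text)
  lockfile_text.scan(/^    ([A-Za-z0-9_.\-]+) \(/).flatten.uniq
end
# Flags names that are not themselves popular gems but sit within
# similarity_threshold of one, banded by the risk_levels cutoffs.
def typosquat_candidates(gem_names, popular: POPULAR_GEMS, thresholds: THRESHOLDS)
  gem_names.filter_map do |name|
    next if popular.include?(name)
    hit, score = popular.map { |p| [p, similarity(name, p)] }.max_by(&:last)
    next if score < thresholds[:similarity]
    risk = score >= thresholds[:high] ? :high : (score >= thresholds[:medium] ? :medium : :low)
    {gem: name, similar_to: hit, score: score.round(3), risk: risk}
  end
end

typosquat_candidates(lockfile_gem_names(SAMPLE_LOCKFILE)).each { |c| puts c }
```

With these thresholds, nokogirl (one character from nokogiri, score 0.875) lands in the medium band while raills (score 0.833) only clears similarity_threshold, which shows why the two knobs are configured separately.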

View current config:

gem_guard config --show

Why GemGuard?

  • Minimal setup, zero noise
  • Pragmatic defaults, sensible exit codes
  • Works offline for typosquat checks via a built-in fallback list of popular gems
  • Well-tested (RSpec), standardrb formatting
  • Designed for CI from day 1

How It Compares

  • Bundler Audit: great for advisories; GemGuard adds typosquat + SBOM + auto-fix
  • OSV-Scanner: broad ecosystem; GemGuard is Ruby-first with tighter UX and auto-fix
  • Trivy/Grype: container focus; GemGuard slots into pure-Ruby pipelines easily

Use GemGuard standalone or alongside your existing stack.

Roadmap

  • Enriched advisories (GHSA/CVE links, CVSS)
  • Optional dependency graph visualizations
  • Interactive TUI
  • More fix strategies and guards

Contribute / Feedback

  • Issues/PRs welcome: add tests, keep it minimal and intention-revealing
  • Prefer failing test → minimal fix → refactor
  • Security disclosures: see SECURITY.md

Try It Now

gem install gem_guard
gem_guard scan
gem_guard typosquat
gem_guard fix --dry-run

If this helps you ship safer Ruby apps with less fuss, drop a ❤️ and share!

— Built for Rubyists who like fast feedback, clean CLIs, and reliable automation.

Issues and PRs welcome → github.com/wilburhimself/gem_guard
