Support matching rubygems version to tag in GitHub or warn
We run bundle-audit as part of our pre-deployment checks, and love it. It's saved our bacon a few times.
The malicious code inserted recently in the bootstrap-sass gem on rubygems concerns me greatly. It's something that might not have been caught by our process, had we been exposed to it. Even bundle-audit would have had the information too late for a lot of poor souls.
Because the exploit was pushed to rubygems but not to GitHub, it seems that there is a way bundler-audit could be modified to flag such circumstances as worthy of scrutiny. For each gem/version in the Ruby app's Gemfile.lock, if there is not a corresponding tag in the gem's repository, a warning could be output by bundle-audit.
GitHub and Rubygems are the main code repository host and gem repository. So those could be the defaults. But adding metadata for these datapoints would allow gems in the bundler-audit DB to record alternatives so that this protection could be extended to gems not using the de facto standard services.
A feature like this would add even more value to this invaluable gem.
Thoughts?
Related: https://github.com/rubygems/rubygems.org/issues/1943
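A sketch of the proposed check, added here as an illustration and not code from the issue author or from bundler-audit itself: it parses a lockfile with Bundler's own `Bundler::LockfileParser`, compares each locked version against the tag names a repository host would report, and lists the gems with no matching tag. The lockfile, gem names and tag lists are constructed sample data; a real implementation would fetch the tags from the host's API and would need the per-gem repository metadata the proposal describes.

```ruby
require "bundler"

# Constructed sample Gemfile.lock (fictional gems, not a real project).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      alpha-assets (1.4.2)
        beta-util (>= 0.9)
      beta-util (0.9.1)

  PLATFORMS
    ruby

  DEPENDENCIES
    alpha-assets
    beta-util
LOCK

# Constructed stand-in for the tag list a repository host would return
# for each gem; a real check would fetch this from the host's API.
SAMPLE_TAGS = {
  "alpha-assets" => ["v1.4.1", "v1.3.0"],
  "beta-util"    => ["v0.9.1", "v0.9.0"],
}

# Tag names that would be accepted as marking a released gem version.
# Projects differ in convention, so several common shapes are tried.
def candidate_tags(name, version)
  [version, "v#{version}", "#{name}-#{version}", "#{name}-v#{version}"]
end

# Returns [[name, version], ...] for every locked gem whose version has
# no matching tag in its repository (or whose repository is unknown).
def untagged_versions(lockfile_text, tags_by_gem)
  parser = Bundler::LockfileParser.new(lockfile_text)
  parser.specs.reject do |spec|
    tags = tags_by_gem.fetch(spec.name, [])
    (candidate_tags(spec.name, spec.version.to_s) & tags).any?
  end.map { |spec| [spec.name, spec.version.to_s] }
end

if __FILE__ == $PROGRAM_NAME
  untagged_versions(SAMPLE_LOCKFILE, SAMPLE_TAGS).each do |name, version|
    warn "Warning: #{name} #{version} has no matching tag in its repository"
  end
end
```

A matching tag only shows that a release was cut in the repository, not that the published gem's contents equal that tag, so a stronger follow-up check would compare the gem's packaged files against the tagged tree.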