Ruby is the 10th most popular language within the open source community. To help more open source maintainers and organizations find potential vulnerabilities in their code, we’ve added Ruby support (beta) to the CodeQL engine that powers GitHub code scanning.
Our CodeQL analysis identifies security issues in your code, along with the flow of data to the vulnerable location. To help secure services and tools created with Ruby, the CodeQL beta release spots many of the most common security issues:
We’ve been putting this beta through its paces by analyzing some of the world's largest Ruby codebases at GitHub and select customers. The feedback has been overwhelmingly positive, and in many cases CodeQL identified real vulnerabilities, all while keeping the number of false-positives at a minimum.
CodeQL for Ruby is available by default in GitHub.com code scanning, the CodeQL CLI, and the CodeQL extension for VS Code starting today. It will also be included in GitHub Enterprise Server 3.4. Ruby joins the list of supported CodeQL languages, which also includes C/C++, C#, Java, JavaScript/TypeScript, Python, and Go.
We currently support all common Ruby versions, up to and including 3.02. Check out the documentation for more details on compatibility.
To start using the new Ruby analysis, simply update your existing workflow file by adding Ruby to the language matrix:
jobs:
analyze:
name: Analyze
...
strategy:
fail-fast: false
matrix:
# add here
language: ['ruby']
If you’re new to code scanning, set up a CodeQL analysis workflow from the Security tab in your repository.
Want to contribute or write your own CodeQL queries for Ruby? This guide will help you get started.
To give us feedback, join the Ruby beta discussion in the public CodeQL repository, which is also a good place to ask questions about anything CodeQL.
