Ruby is the 10th most popular language within the open source community. To help more open source maintainers and organizations find potential vulnerabilities in their code, we’ve added Ruby support (beta) to the CodeQL engine that powers GitHub code scanning.
Our CodeQL analysis identifies security issues in your code, along with the flow of data to the vulnerable location. To help secure services and tools created with Ruby, the CodeQL beta release spots many of the most common security issues:
- SQL injection (CWE-089)
- ReDoS (regular expression denial-of-service, CWE-1333)
- OS command and argument injection (A1:2017-Injection, CWE-078, CWE-088)
- XML entity expansion (CWE-611, CWE-827)
- Reflected cross-site scripting (XSS) (A7:2017-Cross-Site Scripting, CWE-079)
- Stored XSS (CWE-079, CWE-116)
- Unsafe deserialization (CWE-502)
- Hard-coded credentials (CWE-798)
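To make the categories above concrete, here is an added illustration (not code from this post or from the CodeQL project) of three of them as they typically appear in Ruby, each vulnerable pattern beside its hardened form. The untrusted value and all function names are constructed for the example; the vulnerable functions only build the command, query or markup and never execute or render it.

```ruby
require 'shellwords'
require 'cgi/escape'

# Constructed sample input standing in for a request parameter an attacker
# controls. It carries a shell metacharacter (';') and HTML markup so one
# value exercises more than one of the sinks listed above.
UNTRUSTED_INPUT = "report.txt; id <script>alert(1)</script>"

# --- OS command injection (CWE-078) ---------------------------------------
# Vulnerable pattern: untrusted data interpolated into a single command
# string. Kernel#system with one string runs it through /bin/sh, which treats
# ';' as a command separator. Returned rather than executed: no side effects.
def build_command_vulnerable(filename)
  "cat #{filename}"
end

# Hardened: pass argv as an array. system('cat', filename) never involves a
# shell, so metacharacters are just bytes inside a single argument.
def build_command_safe(filename)
  ['cat', filename]
end

# When a shell string is unavoidable, Shellwords.escape neutralises the
# metacharacters instead.
def build_command_escaped(filename)
  "cat #{Shellwords.escape(filename)}"
end

# --- SQL injection (CWE-089) ----------------------------------------------
# Vulnerable pattern: query text assembled from untrusted data.
def build_query_vulnerable(username)
  "SELECT * FROM users WHERE name = '#{username}'"
end

# Hardened: fixed query text with a bind placeholder; the value travels
# separately and is never parsed as SQL. Returned as [sql, binds], the shape
# a database driver's prepared-statement API consumes.
def build_query_safe(username)
  ['SELECT * FROM users WHERE name = ?', [username]]
end

# --- Reflected XSS (CWE-079) ----------------------------------------------
# Vulnerable pattern: untrusted data written into HTML without encoding.
def render_vulnerable(name)
  "<p>Hello, #{name}</p>"
end

# Hardened: HTML-encode at the output sink.
def render_safe(name)
  "<p>Hello, #{CGI.escapeHTML(name)}</p>"
end

if __FILE__ == $PROGRAM_NAME
  puts build_command_vulnerable(UNTRUSTED_INPUT)
  p    build_command_safe(UNTRUSTED_INPUT)
  puts build_command_escaped(UNTRUSTED_INPUT)
  puts build_query_vulnerable(UNTRUSTED_INPUT)
  p    build_query_safe(UNTRUSTED_INPUT)
  puts render_vulnerable(UNTRUSTED_INPUT)
  puts render_safe(UNTRUSTED_INPUT)
end
```

Each `*_vulnerable` function is a sink of the kind the corresponding CodeQL query looks for; what the analysis reports is the path from a source such as a request parameter to that sink, which is why the fix in every case is applied where the data meets the shell, the database or the HTML output.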
We’ve been putting this beta through its paces by analyzing some of the world's largest Ruby codebases at GitHub and select customers. The feedback has been overwhelmingly positive, and in many cases CodeQL identified real vulnerabilities, all while keeping the number of false positives to a minimum.
We currently support all common Ruby versions, up to and including 3.02. Check out the documentation for more details on compatibility.
To start using the new Ruby analysis, simply update your existing workflow file by adding Ruby to the language matrix:
```yaml
jobs:
  analyze:
    name: Analyze
    ...
    strategy:
      fail-fast: false
      matrix:
        # add here
        language: ['ruby']
```
If you’re new to code scanning, set up a CodeQL analysis workflow from the Security tab in your repository.
Want to contribute or write your own CodeQL queries for Ruby? This guide will help you get started.
To give us feedback, join the Ruby beta discussion in the public CodeQL repository, which is also a good place to ask questions about anything CodeQL.