
Add exclude option to skip gems by name during audit#419

Open
mlarraz wants to merge 2 commits into
rubysec:masterfrom
mlarraz:add-exclude-option

Conversation

@mlarraz mlarraz commented Apr 2, 2026

Description

Adds an exclude configuration option (and --exclude / -e CLI flag) that skips entire gems by name during scanning, so they never hit the advisory database at all.

This is semantically different from ignore (which skips specific advisory IDs after lookup): exclude is a scoping decision — "this gem isn't part of my application" — while ignore is a risk acceptance — "I know about this CVE and accept it."

Useful for Rails apps that bundle gems they don't actually use (e.g. activestorage, actiontext, actionmailbox) where every new CVE triggers a false audit failure. Currently the only workaround is adding each CVE ID to the ignore list, which is tedious and never-ending.

Usage

Config file (.bundler-audit.yml):

---
ignore:
  - CVE-2024-1234
exclude:
  - activestorage
  - actiontext

CLI:

bundle-audit check --exclude activestorage actiontext

Changes

  • Configuration: new attr_reader :exclude (returns Set<String>), YAML validation mirroring ignore
  • Scanner#scan_specs: resolves exclude from options or config, skips gem before advisory lookup via next if exclude.include?(gem.name)
  • CLI#check: new --exclude / -e array option, passed through to scanner.report
  • Tests: validation specs, initializer specs, scanner specs (option-based and config-file-based), new fixtures

Test plan

  • New configuration validation tests (not an array, contains non-string)
  • New #initialize tests (default empty Set, given :exclude list)
  • Scanner test: :exclude option filters gems from results
  • Scanner test: exclude from .bundler-audit.yml config file works
  • All existing tests continue to pass
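As an added illustration of the distinction the description draws (not bundler-audit's own code): a hypothetical load_audit_config applies the Array-of-Strings validation to both keys, and a hypothetical scan_specs checks exclude before the advisory lookup and ignore after it, over a constructed advisory table and a constructed config file.

```ruby
require 'yaml'
require 'set'

# Hypothetical config loader: `ignore` and `exclude` must each be an Array
# of Strings, the validation the PR describes; both come back as Sets.
def load_audit_config(yaml_text)
  doc = YAML.safe_load(yaml_text) || {}
  %w[ignore exclude].each_with_object({}) do |key, cfg|
    list = doc.fetch(key, [])
    raise ArgumentError, "#{key} must be an Array" unless list.is_a?(Array)
    raise ArgumentError, "#{key} must contain only Strings" unless list.all? { |v| v.is_a?(String) }
    cfg[key.to_sym] = Set.new(list)
  end
end

# Constructed advisory database (not real data): gem name => advisory ids.
ADVISORIES = {
  'activestorage' => %w[CVE-2024-1234 CVE-2025-0001],
  'actiontext'    => %w[CVE-2025-0002],
  'rack'          => %w[CVE-2024-1234 CVE-2025-0003],
}.freeze

# Hypothetical scanner: `exclude` is applied before the lookup (the gem never
# reaches the database), `ignore` after it. Also reports how many lookups ran.
def scan_specs(gem_names, exclude: Set.new, ignore: Set.new)
  lookups = 0
  findings = gem_names.each_with_object([]) do |name, out|
    next if exclude.include?(name)   # scoping: gem is not part of the app
    lookups += 1
    ADVISORIES.fetch(name, []).each do |id|
      next if ignore.include?(id)    # risk acceptance: known, accepted advisory
      out << [name, id]
    end
  end
  { findings: findings, lookups: lookups }
end

# Constructed .bundler-audit.yml matching the usage section of the PR.
SAMPLE_CONFIG = <<~CONFIG
  ---
  ignore:
    - CVE-2024-1234
  exclude:
    - activestorage
    - actiontext
CONFIG

cfg = load_audit_config(SAMPLE_CONFIG)
p scan_specs(%w[activestorage actiontext rack], **cfg)  # finding only for rack, 1 lookup
```

With the config above, the two excluded gems never reach the advisory table, while rack is looked up and only its non-ignored advisory is reported.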

@jasnow jasnow added approved Ready to Merge Approved by someone, so Ready to Merge and removed ready approved labels May 27, 2026
@flavorjones flavorjones (Member) commented

Rebased onto current master to pull in CI matrix changes.

@flavorjones flavorjones (Member) left a comment

This seems reasonable given Rails allows applications to opt out of using gems via options like --skip-active-storage but those gems are still hard dependencies in Gemfile.lock.

I'm open to merging this. But please take a look at the failing test, seems like there's a missing Gemfile.lock in one of the test fixtures.

mlarraz and others added 2 commits June 16, 2026 10:10
Allow users to exclude entire gems from scanning via config file
(`exclude:` key in .bundler-audit.yml) or CLI (`--exclude`/`-e` flag).

Unlike `ignore` which skips specific advisory IDs after lookup,
`exclude` skips gems entirely before any advisory database check.
This is useful for Rails apps that bundle gems they don't actually
use (e.g. activestorage, actiontext) where every new CVE triggers
a false audit failure.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

The new spec/bundle/unpatched_gems_with_exclude_configuration fixture
was missing its Gemfile.lock, causing the scanner spec to raise
Bundler::GemfileLockNotFound in CI across all Ruby versions.

The lockfile is matched by .gitignore (Gemfile.lock is ignored
globally), which is why a plain `git add` silently skipped it.
Force-added to match the pattern used for every other fixture
under spec/bundle/.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@mlarraz mlarraz force-pushed the add-exclude-option branch from 4a34598 to ab5b9b8 Compare June 16, 2026 14:15
@mlarraz mlarraz requested a review from flavorjones June 16, 2026 14:16
@mlarraz mlarraz (Author) commented Jun 16, 2026

> This seems reasonable given Rails allows applications to opt out of using gems via options like --skip-active-storage but those gems are still hard dependencies in Gemfile.lock.
>
> I'm open to merging this. But please take a look at the failing test, seems like there's a missing Gemfile.lock in one of the test fixtures.

Thanks, looks like it needed a git add -f. Lockfiles are in .gitignore but needed for CI to pass.
