Hakiri Blog
[...] on code warnings can now be performed on CVE warnings as well. Namely, marking issues as false positives and having reference links in various app integrations. False Positives Marking warnings as [...]
[...] and recommendations on how to eliminate it. Sometimes static code analysis results in false positives, as it relies on assumptions that may not apply to your code. In this case it’s always [...]
[...] library inside your project. One major downside of Brakeman is that it can generate a lot of false positives but it’s mostly due to the nature of static code analysis rather than the library itself. [...]
[...] and unfollow branches, delete builds, add new stack technologies, and mark warnings as false positives. To invite a team member go to your project settings and fill out their GitHub username [...]
[...] . Brakeman Brakeman Scanner is the staple of every Rails security audit that includes static code analysis. This library evolved a lot in the past four years and now supports many different [...]
[...] tests against your code (only for Rails apps and engines) and gems. The former performs a static code analysis of your views, controllers, and models trying to find potential security issues. The [...]
[...] and warnings that essentially represented two different things: CVE vulnerabilities and static code analysis warnings. The problem is that warnings and issues are two fundamentally different concepts, [...]
[...] of all, how can we determine if a vulnerability is severe or critical? All confirmed CVE vulnerabilities have a security score that is assigned based on CVSS Guidelines. The maximum score is [...]
[...] concepts of issues and warnings that essentially represented two different things: CVE vulnerabilities and static code analysis warnings. The problem is that warnings and issues are two [...]
[...] . It supports Rails, Sinatra, and Padrino frameworks. It has its own knowledge base with CVE vulnerabilities for gems as well as a static analyzer for code. Codesake::Dawn is not as actively developed [...]
[...] significant ones are full Ruby support (not just Rails repositories) and free service for open source projects. Potentially, the latter one is huge and I think we just scratched the surface of what it [...]
[...] interval parsing from gemfile and gemspec files as well as the security leaderboard for open source projects on GitHub. Version Intervals Version intervals allow Ruby developers to have simple [...]
[...] . Tighter GitHub Integration Pull requests are the fundamental way of contributing to open source projects on GitHub. I’d like to add commit status support that will notify project owners [...]
[...] Surprise, new Rails vulnerabilities! It’s that time of the year again! A handful of Rails vulnerabilities was just [...]
[...] relevant for any developer. It was written on January 31, 2013 after several devastating Rails vulnerabilities went public. Patrick explains why security is so important in every single project by [...]
[...] ’s free for public and private projects. Gemnasium Gemnasium keeps tabs on gem versions in your Ruby projects and notifies you when the new ones are released. It also sends alerts about new security [...]
[...] . Hakiri notifies developers about it. This new functionality allows us to cover all Ruby projects in terms of CVE security notifications. Once we realized it, an idea for Hakiri Security [...]
[...] issues, but it’s only a database. You can’t make it notify you whenever a new vulnerability for your particular version comes out. I made Hakiri to help developers and dev ops [...]
[...] critical vulnerability B, hence its security is compromised” or “project C has a new vulnerability that was disclosed yesterday, so it’s screwed.” Engineers can patch [...]
[...] and private projects against CVE and OSVDB vulnerabilities from Ruby Security Database. If a new vulnerability is detected in one of your gems Gemcanary sends you a notification email. It’s free for [...]
Two days ago we launched an experiment called Facets. It’s a free Gemfile.lock scanning tool that reveals CVE vulnerabilities in gems. It uses H [...]
[...] A few weeks ago we released a security scanner for Gemfile.lock files called Hakiri Facets. It got some traction because the Ruby subreddit and Ruby Weekly picked it up. In two weeks [...]
[...] alerts about new security advisories via email. Gemnasium is free for public projects. Hakiri Hakiri focuses on web security for public and private Ruby projects. It monitors Ruby gems, [...]