Add bundler-audit Gem, temporarily disable brakeman warnings in local CI

ChargrilledChook · ChargrilledChook · commit 94a287fa34c1 · 2025-11-08T17:28:43.000+11:00
diff --git a/Gemfile b/Gemfile
@@ -72,6 +72,7 @@ end
 
 group :development, :test do
   gem 'brakeman', require: false
+  gem 'bundler-audit', require: false
   gem 'dotenv-rails', '~> 3.1'
   gem 'parallel_tests', '~> 5.4'
   gem 'rspec-rails', '~> 7.0'
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -100,6 +100,9 @@ GEM
     brakeman (7.1.1)
       racc
     builder (3.3.0)
+    bundler-audit (0.9.2)
+      bundler (>= 1.2.0, < 3)
+      thor (~> 1.0)
     capybara (3.40.0)
       addressable
       matrix
@@ -622,6 +625,7 @@ DEPENDENCIES
   barnes (~> 0.0)
   bootsnap (~> 1.18)
   brakeman
+  bundler-audit
   capybara (~> 3.40)
   capybara-email (~> 3.0)
   class_variants (~> 1.1)
diff --git a/bin/bundler-audit b/bin/bundler-audit
@@ -0,0 +1,6 @@
+#!/usr/bin/env ruby
+require_relative '../config/boot'
+require 'bundler/audit/cli'
+
+ARGV.concat %w[--config config/bundler-audit.yml] if ARGV.empty? || ARGV.include?('check')
+Bundler::Audit::CLI.start
diff --git a/config/ci.rb b/config/ci.rb
@@ -8,7 +8,9 @@
   step 'Style: JS', 'yarn lint'
   step 'Style: CSS', 'yarn run stylelint'
 
-  step 'Security: Brakeman code analysis', 'bin/brakeman --quiet --no-pager --exit-on-warn --exit-on-error'
+  step 'Security: Gem audit', 'bin/bundler-audit'
+  # TODO: Swap to --exit-on-warn --exit-on-error once issues are resolved
+  step 'Security: Brakeman code analysis', 'bin/brakeman --quiet --no-pager --no-exit-on-warn --no-exit-on-error'
 
   step 'Tests: Rails', 'bin/rspec --tag ~type:system'
   step 'Tests: System', 'bin/rails spec:system'
