zsp/everything-claude-code
1
0
Fork 0
mirror of https://github.com/affaan-m/everything-claude-code.git synced 2026-06-10 10:13:49 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
f3f63dee4ef9645a833ebcf22f1968e6b17bcf3a
everything-claude-code/rules/ruby/security.md
zomia f3f63dee4e fix(rules/ruby): correct brakeman flag and unify bundle-audit invocation 
Two issues from the post-merge review of #1860:

1. **`brakeman --no-pager` is not a real flag.** Brakeman has no
   `--no-pager` option (that's `git` / `gh` style). It appeared in
   three locations:
   - `rules/ruby/hooks.md` L18 (bullet recommendation)
   - `rules/ruby/hooks.md` L32 (CI gate snippet)
   - `rules/ruby/security.md` L38 (dependency check snippet)

   Replaced with `--no-progress`, which is the closest valid option
   (suppresses the progress bar while keeping warning output —
   what hook contexts usually want). `-q` / `--no-color` would also
   be valid alternatives but `--no-progress` matches the original
   intent best.

2. **`bundle-audit` invocation was inconsistent across the two
   files.** `rules/ruby/security.md` L37 used the
   `bundle audit check --update` Bundler plugin subcommand form,
   while `rules/ruby/hooks.md` L20 used the direct
   `bundle exec bundle-audit check --update` binary form.

   Both invoke the same `bundler-audit` gem but look different
   enough to confuse readers. Standardized on the
   `bundle exec bundle-audit` form (the portable invocation that
   works across bundler-audit gem versions without depending on the
   plugin registering a `bundle audit` subcommand).

Both issues were also flagged in PR #1860 review comments (#1, #2 of
my comprehensive review; the bundle-audit one was independently
caught by greptile-apps and coderabbitai bots).

Full test suite (`node tests/run-all.js`): 2382 passed, 0 failed.
`markdownlint-cli` clean on both files.
2026-05-14 09:27:59 +09:00

1.9 KiB
Raw Blame History

paths
paths
**/*.rb
**/*.rake
**/Gemfile
**/Gemfile.lock
**/config/routes.rb
**/config/credentials*.yml.enc

Ruby Security

This file extends common/security.md with Ruby and Rails specific content.

Rails Defaults

  • Keep CSRF protection enabled for state-changing browser requests.
  • Use strong parameters or typed boundary objects before mass assignment.
  • Store secrets in Rails credentials, environment variables, or a secret manager. Never commit plaintext keys, tokens, private credentials, or copied .env values.

SQL And Active Record

  • Prefer Active Record query APIs and parameterized SQL.
  • Never interpolate request, cookie, header, job, or webhook values into SQL strings.
  • Scope model callbacks carefully; security-sensitive side effects should be explicit and covered by tests.

Authentication And Sessions

  • Use the Rails 8 authentication generator for simple session auth, or Devise when OAuth, MFA, confirmable, lockable, multi-model auth, or existing Devise conventions are required.
  • Rotate sessions after sign-in and privilege changes.
  • Protect account recovery flows with expiry, single-use tokens, rate limiting, and audit logging.

Dependencies

  • Run dependency checks when the lockfile changes:
bundle exec bundle-audit check --update
bundle exec brakeman --no-progress
  • Review new gems for maintainer activity, native extension risk, transitive dependencies, and whether the same behavior can be implemented with Rails core.

Web Safety

  • Escape template output by default. Treat html_safe, raw, and custom sanitizers as security-sensitive code.
  • Validate file uploads by content type, extension, size, and storage destination.
  • Treat background jobs, webhooks, Action Cable messages, and Turbo Stream inputs as untrusted boundaries.

Reference

See skill: security-review for secure-by-default review patterns.

Reference in New Issue View Git Blame Copy Permalink