mirror of
https://github.com/affaan-m/everything-claude-code.git
synced 2026-06-10 18:23:12 +08:00
Two issues from the post-merge review of #1860:

1. **`brakeman --no-pager` is not a real flag.** Brakeman has no `--no-pager` option (that's `git` / `gh` style). It appeared in three locations:
   - `rules/ruby/hooks.md` L18 (bullet recommendation)
   - `rules/ruby/hooks.md` L32 (CI gate snippet)
   - `rules/ruby/security.md` L38 (dependency check snippet)

   Replaced with `--no-progress`, which is the closest valid option (suppresses the progress bar while keeping warning output, which is what hook contexts usually want). `-q` / `--no-color` would also be valid alternatives but `--no-progress` matches the original intent best.

2. **`bundle-audit` invocation was inconsistent across the two files.** `rules/ruby/security.md` L37 used the `bundle audit check --update` Bundler plugin subcommand form, while `rules/ruby/hooks.md` L20 used the direct `bundle exec bundle-audit check --update` binary form. Both invoke the same `bundler-audit` gem but look different enough to confuse readers. Standardized on the `bundle exec bundle-audit` form (the portable invocation that works across bundler-audit gem versions without depending on the plugin registering a `bundle audit` subcommand).

Both issues were also flagged in PR #1860 review comments (#1, #2 of my comprehensive review; the bundle-audit one was independently caught by greptile-apps and coderabbitai bots).

Full test suite (`node tests/run-all.js`): 2382 passed, 0 failed. `markdownlint-cli` clean on both files.
52 lines
1.9 KiB
Markdown
---
paths:
  - "**/*.rb"
  - "**/*.rake"
  - "**/Gemfile"
  - "**/Gemfile.lock"
  - "**/config/routes.rb"
  - "**/config/credentials*.yml.enc"
---

# Ruby Security

> This file extends [common/security.md](../common/security.md) with Ruby- and Rails-specific content.

## Rails Defaults

- Keep CSRF protection enabled for state-changing browser requests.
- Use strong parameters or typed boundary objects before mass assignment.
- Store secrets in Rails credentials, environment variables, or a secret manager. Never commit plaintext keys, tokens, private credentials, or copied `.env` values.

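The mass-assignment bullet above, as an added example that is not part of this repo: a plain-Ruby "typed boundary object" that whitelists and type-checks request parameters before they reach a model. In a Rails controller the same job is done by `params.require(:user).permit(:email, :name)`; this version needs no Rails so it runs stand-alone. The `User` and `SignupParams` classes, the `raise_on_unpermitted` option and the request hash are all constructed for the demo.

```ruby
# Added example, not code from the everything-claude-code repo: a plain-Ruby
# "typed boundary object" placed between untrusted request params and mass
# assignment. Everything below (User, SignupParams, RAW_PARAMS) is constructed.

# Stand-in for an Active Record model: the initializer mass-assigns every key.
class User
  attr_accessor :email, :name, :admin

  def initialize(attrs = {})
    @admin = false
    attrs.each { |key, value| public_send("#{key}=", value) }
  end
end

# Boundary object: the only place that decides which client-supplied keys may
# reach the model, and what type each must have.
class SignupParams
  PERMITTED = { "email" => String, "name" => String }.freeze

  class InvalidParams < StandardError; end

  attr_reader :attributes, :unpermitted

  def initialize(attributes, unpermitted)
    @attributes = attributes.freeze
    @unpermitted = unpermitted.freeze
  end

  # raise_on_unpermitted (hypothetical option) mirrors Rails'
  # action_on_unpermitted_parameters = :raise; the default mirrors strong
  # parameters' behaviour of silently dropping keys that were not permitted.
  def self.from_request(raw, raise_on_unpermitted: false)
    user_hash = raw["user"]
    raise InvalidParams, "missing user block" unless user_hash.is_a?(Hash)

    unpermitted = user_hash.keys.map(&:to_s) - PERMITTED.keys
    if raise_on_unpermitted && !unpermitted.empty?
      raise InvalidParams, "unpermitted keys: #{unpermitted.join(', ')}"
    end

    attributes = {}
    PERMITTED.each do |key, type|
      next unless user_hash.key?(key)
      value = user_hash[key]
      raise InvalidParams, "#{key} must be a #{type}" unless value.is_a?(type)
      attributes[key] = value.strip
    end
    new(attributes, unpermitted)
  end
end

# Constructed attacker request: a self-service signup that smuggles admin=true.
RAW_PARAMS = {
  "user" => { "email" => "mallory@example.com", "name" => "Mallory", "admin" => true }
}.freeze

# Vulnerable: hands the raw hash straight to the model, so admin=true lands.
def vulnerable_signup(raw)
  User.new(raw["user"])
end

# Hardened: only the attributes the boundary object permits reach the model.
def hardened_signup(raw)
  User.new(SignupParams.from_request(raw).attributes)
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: admin=#{vulnerable_signup(RAW_PARAMS).admin}"
  puts "hardened:   admin=#{hardened_signup(RAW_PARAMS).admin}"
end
```

The point of the `unpermitted` list is visibility: in production, log it (or raise, as the option does) so that a client sending `admin`, `role` or `verified_at` shows up in review instead of being dropped silently.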
## SQL And Active Record

- Prefer Active Record query APIs and parameterized SQL.
- Never interpolate request, cookie, header, job, or webhook values into SQL strings.
- Scope model callbacks carefully; security-sensitive side effects should be explicit and covered by tests.

## Authentication And Sessions

- Use the Rails 8 authentication generator for simple session auth, or Devise when OAuth, MFA, confirmable, lockable, multi-model auth, or existing Devise conventions are required.
- Rotate sessions after sign-in and privilege changes.
- Protect account recovery flows with expiry, single-use tokens, rate limiting, and audit logging.

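The account-recovery bullet above, as an added example that is not part of this repo: a stdlib-only recovery-token store with expiry, single use, per-account rate limiting of issuance, digest-only storage, constant-time comparison and an audit log. The `RecoveryTokens` class, its limits and the injectable clock are constructed for the demo; the in-memory Hash stands in for a database table, and in a Rails app a token column plus `generates_token_for` would replace most of it.

```ruby
# Added example, not code from the everything-claude-code repo: an in-memory
# account-recovery token store. Class name, limits and the clock: parameter are
# constructed for the demo; the Hash stands in for a database table.
require "securerandom"
require "digest"

class RecoveryTokens
  TTL_SECONDS = 15 * 60          # token expiry
  MAX_ISSUES_PER_HOUR = 3        # rate limit on issuance per account

  Record = Struct.new(:digest, :issued_at, :expires_at, :used)

  attr_reader :audit_log

  def initialize(clock: -> { Time.now })
    @clock = clock
    @by_account = Hash.new { |h, k| h[k] = [] }   # account => [Record, ...]
    @audit_log = []                                # [event, account, time]
  end

  # Returns the plaintext token to send out of band, or nil when rate limited.
  # The plaintext is never stored: a database leak must not yield usable tokens.
  def issue(account)
    now = @clock.call
    recent = @by_account[account].count { |r| r.issued_at > now - 3600 }
    if recent >= MAX_ISSUES_PER_HOUR
      log(:issue_rate_limited, account, now)
      return nil
    end
    token = SecureRandom.urlsafe_base64(32)
    @by_account[account] << Record.new(digest(token), now, now + TTL_SECONDS, false)
    log(:issued, account, now)
    token
  end

  # Redeems a token for the given account. Returns true exactly once per token;
  # unknown, already-used and expired tokens all fail and are logged separately.
  def redeem(account, presented)
    now = @clock.call
    candidate = digest(presented.to_s)
    record = @by_account[account].find { |r| secure_equal?(r.digest, candidate) }

    reason =
      if record.nil?                 then :unknown_token
      elsif record.used              then :already_used
      elsif record.expires_at <= now then :expired
      end
    if reason
      log(reason, account, now)
      return false
    end

    record.used = true             # single use: mark before any further action
    log(:redeemed, account, now)
    true
  end

  private

  def digest(token)
    Digest::SHA256.hexdigest(token)
  end

  # Constant-time comparison: the XOR of every byte pair is OR-folded so the
  # loop always runs to the end instead of stopping at the first mismatch.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def log(event, account, time)
    @audit_log << [event, account, time]
  end
end
```

Lookup is by account first and then by digest, so a token issued for one account cannot be redeemed against another even if it leaks; the redeem step that rotates the session should follow immediately after `redeem` returns true.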
## Dependencies

- Run dependency checks when the lockfile changes:

```bash
bundle exec bundle-audit check --update
bundle exec brakeman --no-progress
```

- Review new gems for maintainer activity, native extension risk, transitive dependencies, and whether the same behavior can be implemented with Rails core.

## Web Safety

- Escape template output by default. Treat `html_safe`, `raw`, and custom sanitizers as security-sensitive code.
- Validate file uploads by content type, extension, size, and storage destination.
- Treat background jobs, webhooks, Action Cable messages, and Turbo Stream inputs as untrusted boundaries.

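The upload bullet above, as an added example that is not part of this repo: a validator that checks declared content type, extension, the real file signature (magic bytes), size and storage destination together, and replaces the client-supplied filename with a generated one so traversal or double extensions never reach the filesystem. The `UploadValidator` module, its allowlist, its size limit and the sample uploads are constructed for the demo; in a Rails app Active Storage sniffs the type itself (via the marcel gem), but the same checks still belong in the model or form that accepts the file.

```ruby
# Added example, not code from the everything-claude-code repo. Module name,
# allowlist, size limit and every input below are constructed for the demo.
require "securerandom"
require "pathname"

module UploadValidator
  MAX_BYTES = 5 * 1024 * 1024

  # extension => [expected declared MIME type, magic-byte prefix the content must start with]
  ALLOWED = {
    ".png"  => ["image/png",  "\x89PNG\r\n\x1A\n".b],
    ".jpg"  => ["image/jpeg", "\xFF\xD8\xFF".b],
    ".jpeg" => ["image/jpeg", "\xFF\xD8\xFF".b],
  }.freeze

  Result = Struct.new(:ok, :error, :store_path)

  # All four properties from the bullet are checked, and the client's name is
  # used for nothing except its (validated) extension.
  def self.validate(original_name:, declared_type:, bytes:, storage_dir:)
    ext = File.extname(original_name.to_s).downcase
    mime, magic = ALLOWED[ext]
    return Result.new(false, "extension not allowed: #{ext.inspect}", nil) if mime.nil?
    return Result.new(false, "declared type #{declared_type} does not match #{ext}", nil) unless declared_type == mime
    return Result.new(false, "empty file", nil) if bytes.empty?
    return Result.new(false, "file too large", nil) if bytes.bytesize > MAX_BYTES
    # Extension and declared type are attacker-controlled; the bytes are what
    # actually gets served or processed, so the signature is the deciding check.
    return Result.new(false, "content does not look like #{mime}", nil) unless bytes.b.start_with?(magic)

    # Never use the client's name on disk: it can carry "../" or a second
    # extension such as shell.php.png. Generate the name, keep only the
    # validated extension, and assert the final path is still under storage_dir.
    base = Pathname.new(storage_dir).expand_path
    dest = (base / "#{SecureRandom.hex(16)}#{ext}").expand_path
    unless dest.to_s.start_with?(base.to_s + File::SEPARATOR)
      return Result.new(false, "destination escaped storage dir", nil)
    end
    Result.new(true, nil, dest.to_s)
  end
end

if __FILE__ == $PROGRAM_NAME
  png = ("\x89PNG\r\n\x1A\n" + "\x00" * 16).b   # constructed minimal PNG header
  puts UploadValidator.validate(original_name: "avatar.png", declared_type: "image/png",
                                bytes: png, storage_dir: "/tmp/uploads").inspect
  puts UploadValidator.validate(original_name: "shell.png", declared_type: "image/png",
                                bytes: "<?php system($_GET['c']); ?>", storage_dir: "/tmp/uploads").inspect
end
```

The final `start_with?` check can only fail if a future change lets client input into the path again; it is cheap defence in depth that turns that regression into a rejected upload rather than a write outside the upload directory.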
## Reference

See skill: `security-review` for secure-by-default review patterns.