Rubion is a security and version scanner for Ruby and JavaScript projects. It helps you identify vulnerabilities and outdated dependencies in your Ruby gems and NPM/JavaScript packages.
- π Gem Vulnerabilities: Scans for known security vulnerabilities in Ruby gems using
bundle-audit - π¦ Gem Versions: Identifies outdated Ruby gems with release dates and version counts
- π Package Vulnerabilities: Scans for known security vulnerabilities in NPM/JavaScript packages using
npm auditoryarn audit - π¦ Package Versions: Identifies outdated NPM/JavaScript packages with release dates and version counts
- π― Direct Dependencies: Highlights direct dependencies (from
Gemfile/package.json) in bold text - π Filtering: Option to show only direct dependencies with
--exclude-dependenciesflag - π‘οΈ Vulnerabilities Only Mode: Option to show only vulnerability tables (and skip version/outdated checks) with
--vulnerabilities-only - π Sorting: Sort results by any column (Name, Current, Date, Latest, Behind By(Time), Behind By(Versions))
- π Beautiful Reports: Organized table output with severity icons (π΄ Critical, π High, π‘ Medium, π’ Low, βͺ Unknown)
- π Fast & Efficient: Parallel API processing (10 concurrent threads) for quick results
- β‘ Incremental Output: Shows gem results immediately, then scans packages
- π Release Dates: Fetches actual release dates from RubyGems.org and NPM registry
- π’ Version Analysis: Shows how many versions behind and time difference
- π¦ Multi-Package Manager: Supports both npm and yarn with automatic detection
gem install rubiongit clone https://github.com/bipashant/rubion.git
cd rubion
bundle install
rake install_localNavigate to your project directory and run:
rubion scanThis will scan your project for:
- Ruby gem vulnerabilities (if
Gemfile.lockexists) - Outdated Ruby gems with release dates
- NPM/JavaScript package vulnerabilities (if
package.jsonexists) - Outdated NPM/JavaScript packages with release dates
# Scan only Ruby gems (skip NPM packages)
rubion scan --gems-only
# or
rubion scan -g
# Scan only NPM packages (skip Ruby gems)
rubion scan --packages-only
# or
rubion scan -p
# Scan both (default)
rubion scan# Sort by column name (default: "Behind By(Time)" in descending order)
rubion scan --sort-by Name
rubion scan --sort-by Current
rubion scan --sort-by "Current version released on"
rubion scan --sort-by Latest
rubion scan --sort-by "Latest version released on"
rubion scan --sort-by "Behind By(Time)"
rubion scan --sort-by "Behind By(Versions)"
# Short form
rubion scan -s Name
# Sort in ascending order
rubion scan --sort-by Name --asc
rubion scan --sort-by Name --ascending
# Sort in descending order (default)
rubion scan --sort-by Name --desc
rubion scan --sort-by Name --descendingAvailable columns for sorting:
Name- Package/gem nameCurrent- Current versionCurrent version released onorDate- Release date of current versionLatest- Latest versionLatest version released onorDate- Release date of latest versionBehind By(Time)- Time difference (default sort, descending)Behind By(Versions)- Number of versions behind
# Show only direct dependencies (from Gemfile/package.json)
rubion scan --exclude-dependenciesDirect dependencies are automatically highlighted in bold text in the output.
# Show only vulnerability tables (no version/outdated sections)
rubion scan --vulnerabilities-only
# Combine with other filters
rubion scan --gems-only --vulnerabilities-only
rubion scan --packages-only --vulnerabilities-onlyrubion help
# or
rubion -hrubion version
# or
rubion -vπ Scanning project at: /path/to/project
π¦ Checking Ruby gems... 139/139 β
Gem Vulnerabilities:
+--------------+----------+---------+---------------------------------------------+
| Level | Name | Version | Vulnerability |
+--------------+----------+---------+---------------------------------------------+
| π΄ Critical | rexml | 3.4.1 | REXML has DoS condition when parsing... |
| π High | rack | 2.0.8 | Denial of Service vulnerability |
| π‘ Medium | nokogiri | 1.13.8 | XML parsing vulnerability |
| π’ Low | json | 2.6.1 | JSON parsing issue |
+--------------+----------+---------+---------------------------------------------+
Gem Versions:
+------------------+---------+-------------------------------+---------+-------------------------------+---------------------+-----------------------+
| Name | Current | Current Released On | Latest | Latest Released On | Behind By(Time) | Behind By(Versions) |
+------------------+---------+-------------------------------+---------+-------------------------------+---------------------+-----------------------+
| sidekiq | 7.30 | 3/5/2024 | 8.1 | 11/11/2025 | 1 year | 15 |
| rails | 7.0.0 | 12/15/2022 | 7.1.0 | 10/4/2024 | 1 year 10 months | 8 |
| fastimage | 2.2.7 | 2/2/2025 | 2.3.2 | 9/9/2025 | 7 months | 3 |
| nokogiri | 1.13.8 | 5/10/2023 | 1.15.0 | 8/20/2024 | 1 year 3 months | 12 |
| redis | 4.8.0 | 1/15/2023 | 5.0.0 | 11/1/2024 | 1 year 9 months | 20 |
| pg | 1.4.0 | 3/20/2023 | 1.5.0 | 9/15/2024 | 1 year 5 months | 6 |
+------------------+---------+-------------------------------+---------+-------------------------------+---------------------+-----------------------+
π¦ Checking NPM packages... 45/45 β
Package Vulnerabilities:
+--------------+---------+---------+-----------------------------------------------+
| Level | Name | Version | Vulnerability |
+--------------+---------+---------+-----------------------------------------------+
| π΄ Critical | lodash | 4.17.20 | Prototype pollution vulnerability |
| π High | moment | 2.29.1 | Wrong timezone date calculation |
| π‘ Medium | axios | 0.21.1 | Server-Side Request Forgery (SSRF) |
| π’ Low | debug | 4.3.1 | Regular Expression Denial of Service |
+--------------+---------+---------+-----------------------------------------------+
Package Versions:
+------------------+---------+-------------------------------+---------+-------------------------------+---------------------+-----------------------+
| Name | Current | Current Released On | Latest | Latest Released On | Behind By(Time) | Behind By(Versions) |
+------------------+---------+-------------------------------+---------+-------------------------------+---------------------+-----------------------+
| react | 17.0.2 | 3/3/2021 | 18.2.0 | 6/14/2023 | 2 years 3 months | 45 |
| vue | 3.2.0 | 8/5/2021 | 3.3.0 | 5/18/2023 | 1 year 9 months | 8 |
| jquery | 3.7.1 | 4/5/2024 | 3.9.1 | 10/11/2025 | 1 year | 8 |
| express | 4.18.0 | 4/25/2022 | 4.18.2 | 8/15/2023 | 1 year 3 months | 2 |
| webpack | 5.70.0 | 3/1/2022 | 5.88.0 | 6/1/2023 | 1 year 3 months | 18 |
| typescript | 4.7.0 | 5/24/2022 | 5.1.0 | 5/25/2023 | 1 year | 12 |
+------------------+---------+-------------------------------+---------+-------------------------------+---------------------+-----------------------+
When using rubion scan --exclude-dependencies, only direct dependencies are shown:
Gem Versions:
+----------+---------+--------------------------+---------+--------------------------+------------------+-------------------+
| Name | Current | Current version released on | Latest | Latest version released on | Behind By(Time) β | Behind By(Versions) |
+----------+---------+--------------------------+---------+--------------------------+------------------+-------------------+
| **rails**| 7.0.0 | 12/15/2022 | 7.1.0 | 10/4/2024 | 1 year 10 months | 8 |
| **sidekiq**| 7.30 | 3/5/2024 | 8.1 | 11/11/2025 | 1 year | 15 |
| **pg** | 1.4.0 | 3/20/2023 | 1.5.0 | 9/15/2024 | 1 year 5 months | 6 |
+----------+---------+--------------------------+---------+--------------------------+------------------+-------------------+
Note: Direct dependencies (from Gemfile or package.json) are displayed in bold text in the version tables. In the example above, rails, sidekiq, and pg are direct dependencies from the Gemfile.
- Ruby 2.6 or higher
- Bundler (for Ruby gem scanning)
- NPM or Yarn (optional, for JavaScript package scanning)
bundler-audit(optional, for enhanced gem vulnerability detection)
Note: If both npm and yarn are available, Rubion will prompt you to choose which one to use. You can respond with 'y' for yarn or 'n' for npm.
gem install bundler-auditNote: Without bundler-audit, gem vulnerability scanning will be skipped.
Rubion uses a modular architecture:
-
Scanner (
lib/rubion/scanner.rb): Executes various commands to scan for vulnerabilities and outdated versionsbundle-audit checkfor gem vulnerabilitiesbundle outdated --parseablefor gem versionsnpm audit --jsonoryarn audit --jsonfor package vulnerabilities (auto-detects which is available)npm outdated --jsonoryarn outdatedfor package versions (auto-detects which is available)- Fetches release dates and version data from RubyGems.org and NPM registry APIs
- Uses parallel processing (10 concurrent threads) for fast API calls
- Prompts user to choose between npm and yarn if both are available
- Parses
Gemfileandpackage.jsonto identify direct dependencies
-
Reporter (
lib/rubion/reporter.rb): Formats scan results into beautiful terminal tables usingterminal-table- Adds severity icons (π΄ π π‘ π’ βͺ)
- Formats dates, time differences, and version counts
- Supports incremental output (gems first, then packages)
- Highlights direct dependencies in bold text
- Supports sorting by any column with visual indicators (β/β)
- Filters results based on
--exclude-dependenciesflag
-
CLI (
lib/rubion.rb): Provides the command-line interface- Parses command-line options (
--gems-only,--packages-only,--sort-by,--asc,--desc,--exclude-dependencies) - Coordinates scanning and reporting
- Parses command-line options (
For detailed information about data collection and mapping, see HOW_IT_WORKS.md.
Rubion is optimized for speed:
- Parallel API Processing: Uses 10 concurrent threads to fetch version data from RubyGems.org and NPM registry
- Single API Call Per Package: Fetches all necessary data (dates, version list) in one request
- Incremental Output: Shows gem results immediately, then scans packages (better UX)
- Progress Indicators: Shows real-time progress like "Checking Ruby gems... 10/54"
Typical scan times:
- Gems only: ~4-5 seconds (for ~140 gems)
- Packages only: ~3-4 seconds (for ~50 packages)
- Both: ~7-9 seconds total
After checking out the repo, run bin/setup to install dependencies. Then, run rake spec to run the tests. You can also run bin/console for an interactive prompt.
rake specrake rubocopgem build rubion.gemspecrake install_localRubion is designed to be easily extensible. To add new scanners:
- Add a new method in
lib/rubion/scanner.rb - Add a corresponding report method in
lib/rubion/reporter.rb - Update the scan flow in
Scanner#scan
Example:
# In scanner.rb
def scan_python_packages
# Your scanning logic here
@result.python_vulnerabilities = check_pip_vulnerabilities
end
# In reporter.rb
def print_python_vulnerabilities
# Your reporting logic here
endBug reports and pull requests are welcome on GitHub at https://github.com/bipashant/rubion.
- Fork it
- Create your feature branch (
git checkout -b feature/my-new-feature) - Commit your changes (
git commit -am 'Add some feature') - Push to the branch (
git push origin feature/my-new-feature) - Create new Pull Request
The gem is available as open source under the terms of the MIT License.
If you have any questions or need help, please:
- Open an issue on GitHub: https://github.com/bipashant/rubion/issues
- Check the documentation
- Review the CHANGELOG.md for recent changes
Future features planned:
- Export formats (JSON, CSV, HTML)
- Summary statistics
- Update command suggestions
- CI/CD integration flags
- Configurable severity thresholds
- Auto-fix suggestions
- Historical tracking of vulnerabilities
- Built with terminal-table
- Inspired by tools like
bundle-auditandnpm audit