Rubion
Rubion is a security and version scanner for Ruby and JavaScript projects. It helps you identify vulnerabilities and outdated dependencies in your Ruby gems and NPM/JavaScript packages.
Features
- 📛 Gem Vulnerabilities: Scans for known security vulnerabilities in Ruby gems using
bundle-audit - 📦 Gem Versions: Identifies outdated Ruby gems with release dates and version counts
- 📛 Package Vulnerabilities: Scans for known security vulnerabilities in NPM/JavaScript packages using
npm auditoryarn audit - 📦 Package Versions: Identifies outdated NPM/JavaScript packages with release dates and version counts
- 🎯 Direct Dependencies: Highlights direct dependencies (from
Gemfile/package.json) in bold text - 🔍 Filtering: Option to show only direct dependencies with
--exclude-dependenciesflag - 📊 Sorting: Sort results by any column (Name, Current, Date, Latest, Behind By(Time), Behind By(Versions))
- 📊 Beautiful Reports: Organized table output with severity icons (🔴 Critical, 🟠 High, 🟡 Medium, 🟢 Low, ⚪ Unknown)
- 🚀 Fast & Efficient: Parallel API processing (10 concurrent threads) for quick results
- ⚡ Incremental Output: Shows gem results immediately, then scans packages
- 📅 Release Dates: Fetches actual release dates from RubyGems.org and NPM registry
- 🔢 Version Analysis: Shows how many versions behind and time difference
- 📦 Multi-Package Manager: Supports both npm and yarn with automatic detection
Installation
Install from RubyGems
gem install rubion
Install from source
git clone https://github.com/bipashant/rubion.git
cd rubion
bundle install
rake install_local
Usage
Basic Scan
Navigate to your project directory and run:
rubion scan
This will scan your project for:
- Ruby gem vulnerabilities (if
Gemfile.lockexists) - Outdated Ruby gems with release dates
- NPM/JavaScript package vulnerabilities (if
package.jsonexists) - Outdated NPM/JavaScript packages with release dates
Scan Options
# Scan only Ruby gems (skip NPM packages)
rubion scan --gems-only
# or
rubion scan -g
# Scan only NPM packages (skip Ruby gems)
rubion scan --packages-only
# or
rubion scan -p
# Scan both (default)
rubion scan
Sorting Options
# Sort by column name (default: "Behind By(Time)" in descending order)
rubion scan --sort-by Name
rubion scan --sort-by Current
rubion scan --sort-by "Current version released on"
rubion scan --sort-by Latest
rubion scan --sort-by "Latest version released on"
rubion scan --sort-by "Behind By(Time)"
rubion scan --sort-by "Behind By(Versions)"
# Short form
rubion scan -s Name
# Sort in ascending order
rubion scan --sort-by Name --asc
rubion scan --sort-by Name --ascending
# Sort in descending order (default)
rubion scan --sort-by Name --desc
rubion scan --sort-by Name --descending
Available columns for sorting:
Name- Package/gem nameCurrent- Current versionCurrent version released onorDate- Release date of current versionLatest- Latest versionLatest version released onorDate- Release date of latest versionBehind By(Time)- Time difference (default sort, descending)Behind By(Versions)- Number of versions behind
Filtering Options
# Show only direct dependencies (from Gemfile/package.json)
rubion scan --exclude-dependencies
Direct dependencies are automatically highlighted in bold text in the output.
View Help
rubion help
# or
rubion -h
Check Version
rubion version
# or
rubion -v
Output Example
Complete Scan Output
Direct Dependencies Only (with --exclude-dependencies)
When using rubion scan --exclude-dependencies, only direct dependencies are shown:
Gem Versions:
+----------+---------+--------------------------+---------+--------------------------+------------------+-------------------+
| Name | Current | Current version released on | Latest | Latest version released on | Behind By(Time) Note: Direct dependencies (from Gemfile or package.json) are displayed in bold text in the version tables. In the example above, rails, sidekiq, and pg are direct dependencies from the Gemfile.
Requirements
- Ruby 2.6 or higher
- Bundler (for Ruby gem scanning)
- NPM or Yarn (optional, for JavaScript package scanning)
bundler-audit(optional, for enhanced gem vulnerability detection)
Note: If both npm and yarn are available, Rubion will prompt you to choose which one to use. You can respond with 'y' for yarn or 'n' for npm.
Installing bundler-audit (recommended)
gem install bundler-audit
Note: Without bundler-audit, gem vulnerability scanning will be skipped.
How It Works
Rubion uses a modular architecture:
Scanner (
lib/rubion/scanner.rb): Executes various commands to scan for vulnerabilities and outdated versionsbundle-audit checkfor gem vulnerabilitiesbundle outdated --parseablefor gem versionsnpm audit --jsonoryarn audit --jsonfor package vulnerabilities (auto-detects which is available)npm outdated --jsonoryarn outdatedfor package versions (auto-detects which is available)- Fetches release dates and version data from RubyGems.org and NPM registry APIs
- Uses parallel processing (10 concurrent threads) for fast API calls
- Prompts user to choose between npm and yarn if both are available
- Parses
Gemfileandpackage.jsonto identify direct dependencies
Reporter (
lib/rubion/reporter.rb): Formats scan results into beautiful terminal tables usingterminal-table- Adds severity icons (🔴 🟠 🟡 🟢 ⚪)
- Formats dates, time differences, and version counts
- Supports incremental output (gems first, then packages)
- Highlights direct dependencies in bold text
- Supports sorting by any column with visual indicators (↑/↓)
- Filters results based on
--exclude-dependenciesflag
CLI (
lib/rubion.rb): Provides the command-line interface- Parses command-line options (
--gems-only,--packages-only,--sort-by,--asc,--desc,--exclude-dependencies) - Coordinates scanning and reporting
- Parses command-line options (
For detailed information about data collection and mapping, see HOW_IT_WORKS.md.
Performance
Rubion is optimized for speed:
- Parallel API Processing: Uses 10 concurrent threads to fetch version data from RubyGems.org and NPM registry
- Single API Call Per Package: Fetches all necessary data (dates, version list) in one request
- Incremental Output: Shows gem results immediately, then scans packages (better UX)
- Progress Indicators: Shows real-time progress like "Checking Ruby gems... 10/54"
Typical scan times:
- Gems only: ~4-5 seconds (for ~140 gems)
- Packages only: ~3-4 seconds (for ~50 packages)
- Both: ~7-9 seconds total
Development
After checking out the repo, run bin/setup to install dependencies. Then, run rake spec to run the tests. You can also run bin/console for an interactive prompt.
Running tests
rake spec
Running RuboCop
rake rubocop
Building the gem
gem build rubion.gemspec
Installing locally
rake install_local
Extending Rubion
Rubion is designed to be easily extensible. To add new scanners:
- Add a new method in
lib/rubion/scanner.rb - Add a corresponding report method in
lib/rubion/reporter.rb - Update the scan flow in
Scanner#scan
Example:
# In scanner.rb
def scan_python_packages
# Your scanning logic here
@result.python_vulnerabilities = check_pip_vulnerabilities
end
# In reporter.rb
def print_python_vulnerabilities
# Your reporting logic here
end
Contributing
Bug reports and pull requests are welcome on GitHub at https://github.com/bipashant/rubion.
- Fork it
- Create your feature branch (
git checkout -b feature/my-new-feature) - Commit your changes (
git commit -am 'Add some feature') - Push to the branch (
git push origin feature/my-new-feature) - Create new Pull Request
License
The gem is available as open source under the terms of the MIT License.
Support
If you have any questions or need help, please:
- Open an issue on GitHub: https://github.com/bipashant/rubion/issues
- Check the documentation
- Review the CHANGELOG.md for recent changes
Roadmap
Future features planned:
- [ ] Export formats (JSON, CSV, HTML)
- [ ] Summary statistics
- [ ] Update command suggestions
- [ ] CI/CD integration flags
- [ ] Configurable severity thresholds
- [ ] Auto-fix suggestions
- [ ] Historical tracking of vulnerabilities
Acknowledgments
- Built with terminal-table
- Inspired by tools like
bundle-auditandnpm audit