Ruby Security

Open-source Ruby projects categorized as Security

Top 23 Ruby Security Projects

  • Metasploit

    Metasploit Framework

    Project mention: Using metasploit to stage your own payloads | 2022-12-01

    Take a look at the source for stager_sock_reverse - the stager for linux/x64/shell/reverse_tcp.

  • wpscan

    WPScan WordPress security scanner. Written for security professionals and blog maintainers to test the security of their WordPress websites.

    Project mention: WPScan | 2022-09-26

  • Brakeman

    A static analysis security vulnerability scanner for Ruby on Rails applications

    Project mention: Github Pre-commit Hook Setup In Ruby On Rails for maintaining coding standards and productive. | 2022-08-28

    It’s assumed that you already have a Rails app and use Brakeman to keep your app secure and Rspec to run your test cases.

  • Rack::Attack

    Rack middleware for blocking & throttling

    Project mention: Rack-attack gem setup to protect Rails and Rack apps from bad clients | 2022-08-08

    Rack middleware for blocking & throttling abusive requests. Protect your Rails and Rack apps from bad clients. Rack::Attack lets you quickly decide when to allow, block, and throttle based on the properties of the request. Using this gem you can save your web application from attacks: you can whitelist IPs, block requests according to requirements, and many more…

    Install Rack-attack gem:

        # In your Gemfile
        gem 'rack-attack'

    Plugging into the application

    Then tell your ruby web application to use rack-attack as a middleware.

        # config/application.rb
        # rack attack middleware
        config.middleware.use Rack::Attack

    Once you’ve done that, you’ll need to configure it. You can do this by creating the file config/initializers/rack-attack.rb and adding the rules to fit your needs. You can disable it permanently (like for a specific environment) or temporarily (can be helpful for specific test cases) by writing:

    Usage

    Safe listing

    Safelists have the most precedence, so any request matching a safelist would be allowed despite matching any number of blocklists or throttles.

    safelist_ip(ip_address_string)

        Rack::Attack.safelist_ip("")

    safelist_ip(ip_subnet_string)

        Rack::Attack.safelist_ip("")

    safelist(name, &block)

    Name your custom safelist and make your ruby-block argument return a truthy value if you want the request to be allowed, and false otherwise.

    Blocking

    blocklist_ip(ip_address_string)

        Rack::Attack.blocklist_ip("")

    blocklist_ip(ip_subnet_string)

        Rack::Attack.blocklist_ip("")

    blocklist(name, &block)

    Name your custom blocklist and make your ruby-block argument return a truthy value if you want the request to be blocked, and false otherwise.

    Throttling

    throttle(name, options, &block) (provide limit and period as options)

    Throttle state is stored in a configurable cache (which defaults to Rails.cache if present). Name your custom throttle, provide limit and period as options, and make your ruby-block argument return the discriminator. This discriminator is how you tell rack-attack whether you’re limiting per IP address, per user email, or any other.

    For example, if we want to restrict requests other than defined routes and display a custom error page.

    Error page:

    If we want to restrict requests per IP and, if the request limit is exceeded, send a reminder mail. For example, we want to allow only 300 requests per 30 seconds; after that we will restrict requests from this IP till the next 30 seconds interval starts. Get error mail if the limit is extended.

    Performance

    The overhead of running Rack::Attack is typically negligible (a few milliseconds per request), but it depends on how many checks you’ve configured, and how long they take. Throttles usually require a network roundtrip to your cache server(s), so try to keep the number of throttle checks per request low. If a request is blocklisted or throttled, the response is a very simple Rack response. A single typical ruby web server thread can block several hundred requests per second.

    Sample rack-attack.rb file

    For more information:

    If this guide has been helpful to you and your team please share it with others!

  • WhatWeb

    Next generation web scanner

  • SecureHeaders

    Manages application of security headers with many safe defaults

  • Portus

    Authorization service and frontend for Docker registry (v2)

  • inspec

    InSpec: Auditing and Testing Framework

    Project mention: Ruby: "the best" language for general automation | 2022-05-12

    The course uses Chef Inspec, an open source Ruby DSL. I made a POC with this tool to automatically check repositories on GitHub, with checks like whether it contains a gitignore consistent with the language used, whether node_modules is not present, etc.

  • bundler-audit

    Patch-level verification for Bundler

    Project mention: What are the gems that every Ruby dev should know how to use? | 2022-08-03

    bundler-audit - check for known security issues

  • WebHackersWeapons

    ⚔️ Web Hacker's Weapons / A collection of cool tools used by Web hackers. Happy hacking , Happy bug-hunting

  • cocoapods-keys

    A key value store for storing per-developer environment and application keys

  • rails-security-checklist

    :key: Community-driven Rails Security Checklist (see our GitHub Issues for the newest checks that aren't yet in the README)

  • cfn_nag

    Linting tool for CloudFormation templates

    Project mention: Creating a Multi-Account CI/CD Pipeline with AWS CodePipeline | 2022-11-06

    CodeBuild will run a linting check against the CloudFormation Template using cfn-lint and will then run cfn-nag to check for patterns that indicate insecure resources within the CloudFormation template.

  • PasswordPusher

    🔐 A dead-simple application to securely communicate passwords over the web. Passwords automatically expire after a certain number of views and/or time has passed.

    Project mention: Password sharing | 2022-11-08

  • RbNaCl

    Ruby FFI binding to the Networking and Cryptography (NaCl) library (a.k.a. libsodium)

    Project mention: Ruby cryptographic gems | 2022-06-04

    The other gem I want to explore is rbnacl. This gem provides general purpose cryptography for many different scenarios and algorithms. They do so in a simplified way so that mortals like us don't have to become cryptography experts. Check out these docs to see what I'm talking about!

  • invisible_captcha

    :honey_pot: Unobtrusive and flexible spam protection for Rails apps

  • Hashids

    A small Ruby gem to generate YouTube-like hashes from one or many numbers. Use hashids when you do not want to expose your database ids to the user.

  • dawnscanner

    Dawn is a static analysis security scanner for Ruby-written web applications. It supports the Sinatra, Padrino and Ruby on Rails frameworks.

    Project mention: Security Risks On Rails: Misconfiguration and Unsafe Integrations | 2022-01-26

    Other useful gems you may take a look at are dawnscanner, reek, and hakiri_toolbelt.

  • krane

    Kubernetes RBAC static analysis & visualisation tool

    Project mention: Data and System Visualization Tools That Will Boost Your Productivity | 2022-06-13

    Krane is a tool that can generate a graph showing relationships between all roles and subjects. Krane also has many more features, including RBAC risk assessment, reporting and alerting, as well as querying/interrogating RBAC rules with CypherQL.

  • devise-security

    A security extension for devise, meeting industry-standard security demands for web applications.

    Project mention: Best authentication in 2022? Devise, Clearance, OAuth, anything else? | 2022-07-19

    Rodauth is IMO the most feature-complete and the most stable. It ships with "enterprise"-grade features such as single session, session expiration, password expiration, password complexity requirements, disallowing common passwords, and disallowing password reuse (basically what devise-security extension provides).

  • aws-recon

    Multi-threaded AWS inventory collection tool with a focus on security-relevant resources and metadata.

    Project mention: Automated capturing & documenting infra for AWS (EKS, IAM, VPC etc.) | 2022-09-02

    For an open source approach, tools from the security realm could potentially be a fit (keyword: aws recon), e.g.

  • cis-docker-benchmark

    CIS Docker Benchmark - InSpec Profile

    Project mention: A Detailed Talk about K8S Cluster Security from the Perspective of Attackers (Part 1) | 2022-10-29

  • urlcrazy

    Generate and test domain typos and variations to detect and perform typo squatting, URL hijacking, phishing, and corporate espionage.

NOTE: The open source projects on this list are ordered by number of GitHub stars. The number of mentions indicates repo mentions in the last 12 months or since we started tracking (Dec 2020). The latest post mention was on 2022-12-01.

What are some of the best open-source Security projects in Ruby? This list will help you:

Rank  Project                   Stars
   1  Metasploit               28,832
   2  wpscan                    7,141
   3  Brakeman                  6,533
   4  Rack::Attack              5,221
   5  WhatWeb                   4,228
   6  SecureHeaders             3,014
   7  Portus                    2,975
   8  inspec                    2,595
   9  bundler-audit             2,503
  10  WebHackersWeapons         2,401
  11  cocoapods-keys            1,523
  12  rails-security-checklist  1,320
  13  cfn_nag                   1,094
  14  PasswordPusher              970
  15  RbNaCl                      967
  16  invisible_captcha           948
  17  Hashids                     928
  18  dawnscanner                 673
  19  krane                       535
  20  devise-security             455
  21  aws-recon                   454
  22  cis-docker-benchmark        419
  23  urlcrazy                    362