I am excited to announce an updated UI and new functionality in the Hakiri web app. We collected a lot of feedback from our customers in the past few months on how the web interface was being used in the real world and what they considered to be the major pain points.
Houston, Houston, do you read? We are reporting on a major update to the core Hakiri functionality.
Now our vulnerability database is updated from one more data source: Ruby Advisory Database. This means that you’ll receive higher quality Ruby gem security notifications for your open source and private projects. We also improved individual vulnerability pages with richer descriptions, lists of references, unaffected and patched scopes, more cohesive page layouts, and OSVDB IDs for some vulnerabilities. This will help you understand what the root cause of the vulnerability is and how to fix it quickly and effectively.
We finally did it—Hakiri is now free for nonprofits around the world! Several organizations approached us in the past year asking if they can use Hakiri for free and the answer has always been “no” due to the lack of time to develop this functionality on our end. Now the answer is finally “yes.” We provide Medium plans free of charge to any nonprofit that approaches us.
Just email us at firstname.lastname@example.org with some proof that your GitHub account or organization belongs to a nonprofit and we will set up your account with free access to the Medium plan. Nonprofit proofs vary from country to country, so we evaluate them on a case-by-case basis. For example, in the United States nonprofit organizations have a 501(c)(3) tax-exempt status, and in this case a determination letter from the IRS would suffice.
Hakiri runs on a lot of open source technologies that we don’t pay for, as do many other web services. This is why giving back to the community is an important idea that we try to embrace whenever we can. We already provide free service to open source Ruby projects and now we extend it to nonprofits as well. Exciting times!
I am really excited to announce one of the most frequently requested features for Hakiri: continuous integration. The idea behind it is simple. Members of your team can send pull requests to branches on GitHub and Hakiri will automatically pick them up. It will then scan pull requests for vulnerabilities in code (for Rails projects only) and dependencies (all Ruby projects). This is a great addition to open source and private project workflows that many teams needed. Before this change Hakiri could only scan direct commits to repos.
Here is an example of what your pull requests will look like when your projects are connected to Hakiri:
I am excited to announce that Hakiri supports teams!
Invite your collaborators from GitHub and assign read or read & write permissions to them, so they can view security issues or help manage them. People you are inviting don’t have to be members of teams on GitHub, which means that anyone who has an account on GitHub can be a team member on Hakiri.
Read-only permissions allow your collaborators to look at your project’s branches, builds, and security warnings. Read and write permissions let them follow and unfollow branches, delete builds, add new stack technologies, and mark warnings as false positives.
To invite a team member go to your project settings and fill out their GitHub username and email where an invite should be sent. If they are not registered on Hakiri, they will receive an email asking them to sign up. If they are already a member, they will receive an email notification and your project will automatically show up in their dashboard.
Teams are available to all public projects for free. If you want teams for private projects, please upgrade to the medium or large plan.
In the past couple of weeks we worked on some fundamental architectural changes to Hakiri. Those changes are going to make everyone’s lives easier.
One of the biggest user experience hurdles that some of our customers ran into was the confusing pair of concepts, issues and warnings, which essentially represented two different things: CVE vulnerabilities and static code analysis warnings. The problem is that warnings and issues are two fundamentally different concepts, yet we assigned both of them to each build, making it seem like they were the same. This setup made it impossible to mark CVE vulnerabilities as false positives, and users couldn’t reference those vulnerabilities in the context of project branches.
The solution to the problem turned out to be very simple…
Web security can be very confusing and frustrating at times. A lot of companies don’t pay enough attention to it until something bad happens and users’ data and safety are compromised.
Ruby developers have a wealth of tools for efficient prototyping, testing, and continuous integration that are well known and widely accepted in the community. But what about security? An average Ruby developer will probably mention Brakeman and Gemnasium, but only a handful of teams have looked into more options and even fewer have adopted other solutions.
In this article I will cover open source security libraries, web services, and reads that any developer should consider before implementing their next Ruby app.
I am super excited to announce that Hakiri supports open source Ruby projects for free now! There were some technical hurdles that we had to resolve but now our security tools are finally available to the open source community. As long as the project is public on GitHub there is no need to have a paid plan to monitor it for vulnerabilities.
To start monitoring the security of your Ruby apps, sign up on Hakiri with GitHub and follow the projects and branches that you want to monitor. Hakiri will make an initial code pull and set up a webhook for future commits. You can always follow multiple repo branches at once as well.