Continuous Integration for Ruby Security

Posted about 3 years ago by Vasily

I am really excited to announce one of the most frequently requested features for Hakiri: continuous integration. The idea behind it is simple. Members of your team can send pull requests to branches on GitHub and Hakiri will automatically pick them up. It will then scan pull requests for vulnerabilities in code (for Rails projects only) and dependencies (all Ruby projects). This is a great addition to open source and private project workflows that many teams needed. Before this change Hakiri could only scan direct commits to repos.

Here is an example of what your pull requests will look like when your projects are connected to Hakiri:

Hakiri CI: Pull Request

You can click on the details page and see what vulnerabilities were introduced during the pull request:

Hakiri Build

In this case there is only one vulnerability. You can click on it to see the details:

Hakiri Paperclip Vulnerability

You can now mark it as false positive or bug the person who submitted the pull request so they can fix it. Once either of the two is complete Hakiri will automatically rescan your pull request to confirm that the vulnerability has been resolved.

Hakiri GitHub Pull Request Success

We don’t delete old builds from the system as long as your project is on Hakiri, so you can always look back at the history of pull request security changes.

In order for continuous integration to work, two things have to happen. First, you’ll have to confirm your GitHub permissions for open source or private project development if you haven’t done it yet. The user confirming GitHub permissions have to have push access in a repository on GitHub. This way Hakiri can create and edit statuses of your pull requests. Second, your projects have to have GitHub hooks enabled with both push and pull_request actions.

Hakiri would normally do both of these things automatically, but sometimes you might have more granular user permissions on organization projects that won’t let Hakiri create web hooks. In this case you’ll have to create them by hand, which only takes a couple of minutes.

Let me know what you think about this new functionality and whether you think it can be improved in any way.

Happy pull requesting!