Free Security Monitoring for Open Source Projects

Posted about 1 year ago by Vasily

I am super excited to announce that Hakiri supports open source Ruby projects for free now! There were some technical hurdles that we had to resolve but now our security tools are finally available to the open source community. As long as the project is public on GitHub there is no need to have a paid plan to monitor it for vulnerabilities.

To start monitoring the security of your Ruby apps, sign up on Hakiri with GitHub and follow the projects and branches that you want to monitor. Hakiri will make an initial code pull and set up a webhook for future commits. You can always follow multiple repo branches at once as well.

For each code update in the followed branches, Hakiri runs tests against your code (only for Rails apps and engines) and your gems. The code tests perform static analysis of your views, controllers, and models to find potential security issues. The gem tests check gem versions against the database of public vulnerabilities. Hakiri then puts each vulnerability into one of the 32 vulnerability categories for easy reference.
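To illustrate the gem check described above, here is an added Ruby example (not Hakiri's code) that compares the versions locked in a Gemfile.lock against advisory records. The lockfile excerpt, gem names, advisory IDs, and the `patched` record layout are all constructed assumptions for this example.

```ruby
require "rubygems" # provides Gem::Version and Gem::Requirement

# Constructed Gemfile.lock excerpt; gem names and versions are made up.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      example-web (4.1.2)
        example-rack (~> 1.5)
      example-rack (1.5.2)
      example-json (2.0.0.rc1)

  PLATFORMS
    ruby
LOCK

# Constructed advisory records (assumed layout). "patched" lists the
# requirements that mark a release as fixed; an empty list means no fix exists.
SAMPLE_ADVISORIES = [
  { id: "EXAMPLE-0001", gem: "example-web",  patched: ["~> 4.0.9", ">= 4.1.6"] },
  { id: "EXAMPLE-0002", gem: "example-rack", patched: [">= 1.5.2"] },
  { id: "EXAMPLE-0003", gem: "example-json", patched: [">= 2.0.0"] },
].freeze

# Return { gem name => Gem::Version } for the resolved specs in a lockfile.
# Resolved specs are indented four spaces; their dependencies use six.
def locked_gems(lockfile)
  in_specs = false
  lockfile.each_line.with_object({}) do |line, gems|
    # A line indented two spaces or less starts or ends a "specs:" section.
    in_specs = line.strip == "specs:" if line =~ /\A\s{0,2}\S/
    next unless in_specs && (m = line.match(/\A {4}(\S+) \(([0-9A-Za-z.]+)(?:-[^)]*)?\)\s*\z/))
    gems[m[1]] = Gem::Version.new(m[2]) # any platform suffix after "-" is dropped
  end
end

# A locked version is reported when no "patched" requirement accepts it.
# Pre-releases sort below the final release, so 2.0.0.rc1 fails ">= 2.0.0".
def vulnerable_gems(lockfile, advisories)
  gems = locked_gems(lockfile)
  hits = advisories.select do |adv|
    version = gems[adv[:gem]]
    version && adv[:patched].none? { |req| Gem::Requirement.new(req).satisfied_by?(version) }
  end
  hits.map { |adv| { id: adv[:id], gem: adv[:gem], version: gems[adv[:gem]].to_s } }
end
```

Calling `vulnerable_gems(SAMPLE_LOCKFILE, SAMPLE_ADVISORIES)` reports example-web and the example-json release candidate, while example-rack passes because its locked version meets the patched requirement.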

Each Hakiri build corresponds to a unique commit on GitHub. You can explore code and gem vulnerabilities for more information and recommendations on how to eliminate them.

Sometimes static code analysis results in false positives, as it relies on assumptions that may not apply to your code. In this case it’s always possible to mark wrong warnings as false positives.

Every public GitHub project that was followed on Hakiri can be accessed by anyone with the following URL: https://hakiri.io/github/user-name/project-name.

To learn more about how to use Hakiri, check out our Getting Started Guide.

What’s Missing?

There are a few things that I think are currently missing from the open source functionality and I’d love to hear some feedback from the community on them. Here is a list of things that are next on the roadmap.

Project Badge

Project badges are the de facto way to demonstrate test coverage, code condition, versions, and many other things in GitHub projects. I’d like to create the same mechanism for code security.

Tighter GitHub Integration

Pull requests are the fundamental way of contributing to open source projects on GitHub. I’d like to add commit status support that will notify project owners about potential vulnerabilities before they merge pull requests.

Another way to integrate with GitHub is to automatically generate GitHub issues on certain warnings and add commit comments that explain why a specific line of code is not safe.

More Notification Options

The last useful improvement that I can think of is a broader selection of notification options. Those might include things like RSS feeds, integration with popular project management and communication tools (e.g., Pivotal Tracker, Flowdock, HipChat), and SMS notifications.

I hope you will find Hakiri useful for your open source projects! Please let me know if you have any thoughts, comments, or ideas on how to improve things.