From 82c23622c7232f8b57924d6d4ab59a6089b88d55 Mon Sep 17 00:00:00 2001
From: Victor Engmark
Date: Wed, 17 Sep 2025 15:11:01 +0200
Subject: [PATCH] rubyPackages: Add command to audit packages

For known security vulnerabilities.

Converts `pkgs/top-level/ruby-packages.nix` to a minimal `Gemfile.lock` for `bundler-audit`.
---
 doc/languages-frameworks/ruby.section.md | 2 ++
 .../audit-ruby-packages/audit-ruby-packages.bash | 6 ++++++
 .../scripts/audit-ruby-packages/default.nix | 15 +++++++++++++++
 3 files changed, 23 insertions(+)
 create mode 100755 maintainers/scripts/audit-ruby-packages/audit-ruby-packages.bash
 create mode 100644 maintainers/scripts/audit-ruby-packages/default.nix

diff --git a/doc/languages-frameworks/ruby.section.md b/doc/languages-frameworks/ruby.section.md
index 25c31de17e71..f1be5e04dd48 100644
--- a/doc/languages-frameworks/ruby.section.md
+++ b/doc/languages-frameworks/ruby.section.md
@@ -273,6 +273,8 @@ To test that it works, you can then try using the gem with:
 NIX_PATH=nixpkgs=$PWD nix-shell -p "ruby.withPackages (ps: with ps; [ name-of-your-gem ])"
 ```
 
+To check the gems for any security vulnerabilities, run `./maintainers/scripts/audit-ruby-packages/audit-ruby-packages.bash`.
+
 ### Packaging applications {#packaging-applications}
 
 A common task is to add a Ruby executable to Nixpkgs; popular examples would be `chef`, `jekyll`, or `sass`. A good way to do that is to use the `bundlerApp` function, that allows you to make a package that only exposes the listed executables. Otherwise, the package may cause conflicts through common paths like `bin/rake` or `bin/bundler` that aren't meant to be used.
diff --git a/maintainers/scripts/audit-ruby-packages/audit-ruby-packages.bash b/maintainers/scripts/audit-ruby-packages/audit-ruby-packages.bash
new file mode 100755
index 000000000000..6459e38d9842
--- /dev/null
+++ b/maintainers/scripts/audit-ruby-packages/audit-ruby-packages.bash
@@ -0,0 +1,6 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p bundler-audit
+
+set -o errexit -o nounset -o pipefail
+
+bundle-audit check "$(nix-build --no-out-link maintainers/scripts/audit-ruby-packages/default.nix)"
diff --git a/maintainers/scripts/audit-ruby-packages/default.nix b/maintainers/scripts/audit-ruby-packages/default.nix
new file mode 100644
index 000000000000..47d394cb7875
--- /dev/null
+++ b/maintainers/scripts/audit-ruby-packages/default.nix
@@ -0,0 +1,15 @@
+let
+ pkgs = import ../../.. { };
+ lockFileBody = pkgs.lib.concatStringsSep "\n" (
+ pkgs.lib.mapAttrsToList (name: props: " ${name} (${props.version})") (
+ pkgs.lib.filterAttrs (name: _props: name != "recurseForDerivations") pkgs.rubyPackages
+ )
+ );
+in
+pkgs.runCommand "bundle-audit" { } ''
+ mkdir "$out"
+ echo 'GEM' > "$out/Gemfile.lock"
+ echo ' remote: https://rubygems.org/' >> "$out/Gemfile.lock"
+ echo ' specs:' >> "$out/Gemfile.lock"
+ echo '${lockFileBody}' >> "$out/Gemfile.lock"
+''
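Review bot: `bundle-audit check` on the last line audits against whatever copy of ruby-advisory-db is already on disk, so a stale database silently yields false negatives for recently published advisories; `bundle-audit check --update "$(…)"` refreshes the advisory data before checking, which is what a maintainer running this script expects. The `nix-build` argument is a repository-relative path, so the script only works from the nixpkgs root (the documentation added in this commit does invoke it that way); anchoring it on the script's own location, `"$(nix-build --no-out-link "${BASH_SOURCE[0]%/*}/default.nix")"`, removes the dependence on the current directory. A one-line comment above the command, `# Exit status is bundle-audit's: non-zero when an advisory matches a packaged gem`, would also document the contract CI or a maintainer relies on.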
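Review bot: The lockfile body reads `props.version` from every attribute of `pkgs.rubyPackages` other than `recurseForDerivations`, so evaluation aborts as soon as that set gains any other non-derivation attribute (an alias, helper or override function) or a gem without a `version`; filtering on the value rather than on one known name, `pkgs.lib.filterAttrs (_name: pkgs.lib.isDerivation) pkgs.rubyPackages`, keeps the audit input to what can actually carry a gem version. Each name and version is then interpolated into a single-quoted shell word in `echo '${lockFileBody}'`, so a value containing `'` would break or alter the build script; `pkgs.writeTextDir "Gemfile.lock" ''…''` would write the same file from Nix without passing the data through a shell at all. Bundler's lockfile parser also keys on the leading indentation of the `remote:`, `specs:` and `name (version)` lines (two spaces for the first two, four for each spec in a Bundler-generated lockfile), and the whitespace inside those strings appears collapsed in this rendering, so confirm against a real `Gemfile.lock` that the generated indentation is one the parser accepts.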