Rails GuardDog 🐕
Production-grade security scanner for Rails applications.
Beyond Brakeman — detects AI injection, DoS patterns, supply chain attacks, GraphQL authorization gaps, and more.
v0.1.8 — Now with enhanced AI injection detection, improved supply chain analysis, and 40% faster scanning.
✨ Why Rails GuardDog?
| Feature | Brakeman | bundler-audit | rack-attack | GuardDog |
|---|---|---|---|---|
| SQL Injection | ✅ | - | - | ✅ Enhanced |
| XSS Detection | ✅ | - | - | ✅ Extended |
| CSRF Checks | ✅ | - | - | ✅ Full |
| Mass Assignment | ✅ Partial | - | - | ✅ Improved |
| Hardcoded Secrets | ⚠️ Optional | - | - | ✅ Always-on |
| Open Redirect | ✅ | - | - | ✅ |
| DoS/ReDoS | ❌ | - | - | ✅ Enhanced |
| IDOR | ❌ | - | - | ✅ |
| AI Injection | ❌ | - | - | ✅ Enhanced |
| Supply Chain | ❌ | ⚠️ Limited | - | ✅ Improved |
| Rate Limiting | ❌ | - | ⚠️ Config only | ✅ Expanded |
| GraphQL Auth | ❌ | - | - | ✅ |
📊 By The Numbers
🚀 Quick Start
Installation
Add to your Gemfile:
gem 'rails-guarddog'
Then run:
bundle install
First Scan
# See results in terminal
rake guarddog:scan
# Generate HTML + JSON reports
rake guarddog:report
# CI/CD integration (exits 1 if critical found)
rake guarddog:ci
That's it! Scan your entire Rails app for security vulnerabilities.
🔒 Security Checkers (12 Total)
Authentication & Authorization
- IDOR Detection — Object access without ownership verification
- GraphQL Authorization — Missing field-level auth checks
- Open Redirect — User input in
redirect_towithout validation - Rate Limiting Audit — Missing rack-attack configuration
Injection Attacks
- SQL Injection — String interpolation in queries
- XSS (Cross-Site Scripting) — Unescaped user input in views
- AI/LLM Prompt Injection — User input flowing directly to LLMs ⭐ ENHANCED in v0.1.8
Data Protection
- CSRF Protection — Disabled without documented reason
- Mass Assignment —
permit!vulnerabilities ⭐ IMPROVED in v0.1.8 - Hardcoded Secrets — API keys, tokens, passwords in code (ALWAYS-ON, false-positive-safe)
Resource Management
- DoS/ReDoS — Unbounded queries, dangerous regex patterns ⭐ ENHANCED in v0.1.8
- Supply Chain — Typosquatted gems using Levenshtein distance ⭐ IMPROVED in v0.1.8
False-positive protection (v0.1.10 - v0.1.12)
- Secrets: Patterns use word boundaries —
no_token:orreset_password_instructions:in locale files will not trigger the secrets checker.- Secrets: Secret values must be space-free (
[^\s'"]{6,}) — human-readable sentences like"You can't access this page..."are never flagged.- Secrets:
config/locales/files are skipped entirely — i18n translations are not credentials.- Secrets:
spec/andtest/trees suppress the secrets checker by default (configurable viaignored_checks).- DoS: Smart multiline
.limit()check detection (v0.1.12) — lookahead up to 3 lines handles chained.limit()calls on subsequent lines or reassignment to the same variable, e.g.things = Thing.all; things = things.limit(100)or.limit(...)on the next line.
📊 Example Output
Console Report
============================================================
Rails GuardDog Security Report v0.1.12
============================================================
[CRITICAL] (5 findings)
Mass Assignment — permit! allows ALL parameters
app/controllers/users_controller.rb:15
Fix: Use permit(:name, :email, :age) for specific fields
AI Injection — User input in LLM prompt
app/services/chat_service.rb:42
Fix: Sanitize: prompt = 'Template: ' + sanitize(params[:text])
Hardcoded Secret — API Key detected
config/initializers/api.rb:3
Fix: Move to Rails.application.credentials
[HIGH] (8 findings)
DoS: Unbounded query without limit
app/controllers/posts_controller.rb:5
Fix: Add .limit(100) or use pagination
============================================================
Total findings: 15 | Critical: 5 | High: 8
============================================================
HTML Report
- 📊 Interactive dashboard with severity filtering
- 🎨 Color-coded findings
- 💡 Inline remediation suggestions
- 📈 Summary statistics
- 🌙 Dark mode support
- 📄 PDF export (beta)
JSON Report (CI/CD Ready)
{
"timestamp": "2026-06-06T04:00:00Z",
"total_findings": 15,
"severity_breakdown": {
"critical": 5,
"high": 8
}
}
⚙️ Configuration
Create config/initializers/guarddog.rb:
Rails.application.config.after_initialize do
# --- Option A: Enable only specific checkers ---
Rails.application.config.guarddog.enabled_checkers = %w[
sql_injection xss csrf mass_assignment secrets
ai_injection idor dos rate_limit supply_chain
]
# --- Option B: Disable only specific checkers (keep everything else) ---
# Easier when you want "all but a couple". Takes priority over enabled_checkers.
Rails.application.config.guarddog.disabled_checkers = %w[dos rate_limit]
# Directories to skip entirely (all checks silenced).
# Default: %w[vendor node_modules]
Rails.application.config.guarddog.excluded_paths = %w[vendor node_modules]
# Suppress specific checkers for files under certain path substrings.
# Keys are path fragments; values are arrays of checker names.
# Default: { "spec" => %w[secrets], "test" => %w[secrets] }
Rails.application.config.guarddog.ignored_checks = {
"spec" => %w[secrets], # no secrets alerts in spec/
"test" => %w[secrets], # no secrets alerts in test/
"fixtures" => %w[secrets idor] # custom: also skip idor in fixtures
}
# Fail on severity level (for CI)
Rails.application.config.guarddog.fail_on_severity = :critical
# Strict mode (catch more issues, may have false positives)
Rails.application.config.guarddog.strict_mode = false
end
Disabling specific checkers
If you want to keep all checkers except a couple, use disabled_checkers
instead of maintaining a long enabled_checkers list:
# All 12 checkers run, except dos and rate_limit
Rails.application.config.guarddog.disabled_checkers = %w[dos rate_limit]
This is the recommended approach when you hit false positives in one checker but still want full coverage from all others.
Suppressing checks per directory
GuardDog already silences secrets in spec/ and test/ by default. To add
more suppressions or override the defaults, set ignored_checks in your
initializer (see example above).
🔄 CI/CD Integration
GitHub Actions
name: Security Scan
on: [push, pull_request]
jobs:
guarddog:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: ruby/setup-ruby@v1
with:
ruby-version: '3.2'
bundler-cache: true
- name: Run GuardDog
run: bundle exec rake guarddog:ci
📈 What's New in v0.1.8
✨ Enhanced AI/LLM Injection Detection
✨ Improved Supply Chain Analysis
✨ Expanded DoS/ReDoS Patterns
✨ 40% Faster AST Analysis
✨ Better HTML Report
🎯 5 Critical Bug Fixes
🐕 Why "GuardDog"?
Like a good guard dog, Rails GuardDog protects your application:
- 🐾 Watches for intruders (security vulnerabilities)
- 🚨 Barks when danger is near (alerts on findings)
- 🛡️ Guards the perimeter (checks entire codebase)
- 👀 Never sleeps (always-on scanning)
- 🤝 Works alongside you (integrates with your workflow)
🤝 Contributing
Contributions welcome! GitHub Issues | GitHub Discussions
📄 License
MIT License - Free to use and modify.
🔗 Links
- RubyGems: https://rubygems.org/gems/rails-guarddog
- GitHub: https://github.com/sghani001/rails-guarddog
- Issues: https://github.com/sghani001/rails-guarddog/issues
- Releases: https://github.com/sghani001/rails-guarddog/releases
Rails GuardDog v0.1.12 — Production Ready
Beyond brakeman. Detect what others miss. 🐕🔒