Rails GuardDog 🐕

Gem Version Downloads GitHub Stars License: MIT Ruby Version Rails Version Issues Status

Production-grade security scanner for Rails applications.

Beyond Brakeman — detects AI injection, DoS patterns, supply chain attacks, GraphQL authorization gaps, and more.

v0.1.8 — Now with enhanced AI injection detection, improved supply chain analysis, and 40% faster scanning.


✨ Why Rails GuardDog?

Feature Brakeman bundler-audit rack-attack GuardDog
SQL Injection - - ✅ Enhanced
XSS Detection - - ✅ Extended
CSRF Checks - - ✅ Full
Mass Assignment ✅ Partial - - Improved
Hardcoded Secrets ⚠️ Optional - - Always-on
Open Redirect - -
DoS/ReDoS - - Enhanced
IDOR - -
AI Injection - - Enhanced
Supply Chain ⚠️ Limited - Improved
Rate Limiting - ⚠️ Config only Expanded
GraphQL Auth - -

📊 By The Numbers

Metric Value
Latest Version Gem Version
Total Downloads Downloads
Security Checkers 12
Report Formats 3 (Console, HTML, JSON)
Core Dependencies 2 (parser, ast)
Performance 40% faster AST analysis
Memory 25% smaller footprint
License MIT

🚀 Quick Start

Installation

Add to your Gemfile:

gem 'rails-guarddog'

Then run:

bundle install

First Scan

# See results in terminal
rake guarddog:scan

# Generate HTML + JSON reports
rake guarddog:report

# CI/CD integration (exits 1 if critical found)
rake guarddog:ci

That's it! Scan your entire Rails app for security vulnerabilities.


🔒 Security Checkers (12 Total)

Authentication & Authorization

  • IDOR Detection — Object access without ownership verification
  • GraphQL Authorization — Missing field-level auth checks
  • Open Redirect — User input in redirect_to without validation
  • Rate Limiting Audit — Missing rack-attack configuration

Injection Attacks

  • SQL Injection — String interpolation in queries
  • XSS (Cross-Site Scripting) — Unescaped user input in views
  • AI/LLM Prompt Injection — User input flowing directly to LLMs ⭐ ENHANCED in v0.1.8

Data Protection

  • CSRF Protection — Disabled without documented reason
  • Mass Assignmentpermit! vulnerabilities ⭐ IMPROVED in v0.1.8
  • Hardcoded Secrets — API keys, tokens, passwords in code (ALWAYS-ON, false-positive-safe)

Resource Management

  • DoS/ReDoS — Unbounded queries, dangerous regex patterns ⭐ ENHANCED in v0.1.8
  • Supply Chain — Typosquatted gems using Levenshtein distance ⭐ IMPROVED in v0.1.8

False-positive protection (v0.1.10 - v0.1.12)

  • Secrets: Patterns use word boundaries — no_token: or reset_password_instructions: in locale files will not trigger the secrets checker.
  • Secrets: Secret values must be space-free ([^\s'"]{6,}) — human-readable sentences like "You can't access this page..." are never flagged.
  • Secrets: config/locales/ files are skipped entirely — i18n translations are not credentials.
  • Secrets: spec/ and test/ trees suppress the secrets checker by default (configurable via ignored_checks).
  • DoS: Smart multiline .limit() check detection (v0.1.12) — lookahead up to 3 lines handles chained .limit() calls on subsequent lines or reassignment to the same variable, e.g. things = Thing.all; things = things.limit(100) or .limit(...) on the next line.

📊 Example Output

Console Report

============================================================
          Rails GuardDog Security Report v0.1.12
============================================================

[CRITICAL] (5 findings)
  Mass Assignment — permit! allows ALL parameters
    app/controllers/users_controller.rb:15
    Fix: Use permit(:name, :email, :age) for specific fields

  AI Injection — User input in LLM prompt
    app/services/chat_service.rb:42
    Fix: Sanitize: prompt = 'Template: ' + sanitize(params[:text])

  Hardcoded Secret — API Key detected
    config/initializers/api.rb:3
    Fix: Move to Rails.application.credentials

[HIGH] (8 findings)
  DoS: Unbounded query without limit
    app/controllers/posts_controller.rb:5
    Fix: Add .limit(100) or use pagination

============================================================
Total findings: 15 | Critical: 5 | High: 8
============================================================

HTML Report

  • 📊 Interactive dashboard with severity filtering
  • 🎨 Color-coded findings
  • 💡 Inline remediation suggestions
  • 📈 Summary statistics
  • 🌙 Dark mode support
  • 📄 PDF export (beta)

JSON Report (CI/CD Ready)

{
  "timestamp": "2026-06-06T04:00:00Z",
  "total_findings": 15,
  "severity_breakdown": {
    "critical": 5,
    "high": 8
  }
}

⚙️ Configuration

Create config/initializers/guarddog.rb:

Rails.application.config.after_initialize do
  # --- Option A: Enable only specific checkers ---
  Rails.application.config.guarddog.enabled_checkers = %w[
    sql_injection xss csrf mass_assignment secrets
    ai_injection idor dos rate_limit supply_chain
  ]

  # --- Option B: Disable only specific checkers (keep everything else) ---
  # Easier when you want "all but a couple". Takes priority over enabled_checkers.
  Rails.application.config.guarddog.disabled_checkers = %w[dos rate_limit]

  # Directories to skip entirely (all checks silenced).
  # Default: %w[vendor node_modules]
  Rails.application.config.guarddog.excluded_paths = %w[vendor node_modules]

  # Suppress specific checkers for files under certain path substrings.
  # Keys are path fragments; values are arrays of checker names.
  # Default: { "spec" => %w[secrets], "test" => %w[secrets] }
  Rails.application.config.guarddog.ignored_checks = {
    "spec"     => %w[secrets],          # no secrets alerts in spec/
    "test"     => %w[secrets],          # no secrets alerts in test/
    "fixtures" => %w[secrets idor]      # custom: also skip idor in fixtures
  }

  # Fail on severity level (for CI)
  Rails.application.config.guarddog.fail_on_severity = :critical

  # Strict mode (catch more issues, may have false positives)
  Rails.application.config.guarddog.strict_mode = false
end

Disabling specific checkers

If you want to keep all checkers except a couple, use disabled_checkers instead of maintaining a long enabled_checkers list:

# All 12 checkers run, except dos and rate_limit
Rails.application.config.guarddog.disabled_checkers = %w[dos rate_limit]

This is the recommended approach when you hit false positives in one checker but still want full coverage from all others.

Suppressing checks per directory

GuardDog already silences secrets in spec/ and test/ by default. To add more suppressions or override the defaults, set ignored_checks in your initializer (see example above).


🔄 CI/CD Integration

GitHub Actions

name: Security Scan
on: [push, pull_request]
jobs:
  guarddog:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: ruby/setup-ruby@v1
        with:
          ruby-version: '3.2'
          bundler-cache: true
      - name: Run GuardDog
        run: bundle exec rake guarddog:ci

📈 What's New in v0.1.8

✨ Enhanced AI/LLM Injection Detection ✨ Improved Supply Chain Analysis
✨ Expanded DoS/ReDoS Patterns
✨ 40% Faster AST Analysis
✨ Better HTML Report
🎯 5 Critical Bug Fixes


🐕 Why "GuardDog"?

Like a good guard dog, Rails GuardDog protects your application:

  • 🐾 Watches for intruders (security vulnerabilities)
  • 🚨 Barks when danger is near (alerts on findings)
  • 🛡️ Guards the perimeter (checks entire codebase)
  • 👀 Never sleeps (always-on scanning)
  • 🤝 Works alongside you (integrates with your workflow)

🤝 Contributing

Contributions welcome! GitHub Issues | GitHub Discussions


📄 License

MIT License - Free to use and modify.



Rails GuardDog v0.1.12 — Production Ready

Beyond brakeman. Detect what others miss. 🐕🔒