From b0b6fd3841eecc84c27f2bdf571449366b713310 Mon Sep 17 00:00:00 2001 From: Justin Ramos Date: Wed, 22 Apr 2026 14:56:04 -0700 Subject: [PATCH] Add bundle-audit to CI for Gemfile.lock CVE gating --- .github/workflows/ci.yml | 15 +++++++++++++++ CHANGELOG.md | 5 +++++ Gemfile | 7 ++++--- Rakefile | 5 +++++ 4 files changed, 29 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 17fcd1b..7831df0 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -33,3 +33,18 @@ jobs: - name: Run tests and lint run: bundle exec rake + + audit: + name: bundle-audit + runs-on: ubuntu-24.04 + steps: + - uses: actions/checkout@v4 + + - name: Set up Ruby + uses: ruby/setup-ruby@v1 + with: + ruby-version: '3.4' + bundler-cache: true + + - name: Run bundle-audit + run: bundle exec bundle-audit check --update diff --git a/CHANGELOG.md b/CHANGELOG.md index 5cd6a43..ae25f75 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] ### Added +- **`bundle-audit` in CI** (`.github/workflows/ci.yml`). New `audit` + job runs `bundle exec bundle-audit check --update` on every push + and PR, gating merges on known CVEs in `Gemfile.lock`. Advisory + DB is refreshed on each run from `rubysec/ruby-advisory-db`. Also + available locally as `bundle exec rake audit`. - **Dependabot config** (`.github/dependabot.yml`). Weekly bump PRs for Bundler and GitHub Actions, with `open-pull-requests-limit: 3` per ecosystem. `versioning-strategy: lockfile-only` on bundler, so diff --git a/Gemfile b/Gemfile index 2ee938a..92993a4 100644 --- a/Gemfile +++ b/Gemfile 
@@ -5,10 +5,11 @@ source 'https://rubygems.org' gemspec group :development do - gem 'rake', '>= 13.2' - gem 'rspec', '>= 3.13' + gem 'bundler-audit', '>= 0.9' + gem 'rake', '>= 13.2' + gem 'rspec', '>= 3.13' gem 'rubocop', '>= 1.60' gem 'rubocop-rake', '>= 0.6' gem 'rubocop-rspec', '>= 2.27' - gem 'simplecov', '>= 0.22' + gem 'simplecov', '>= 0.22' end diff --git a/Rakefile b/Rakefile index b1c9539..7647120 100644 --- a/Rakefile +++ b/Rakefile @@ -12,3 +12,8 @@ task default: %i[spec rubocop] desc 'Alias for spec' task test: :spec + +desc 'Check Gemfile.lock against the ruby-advisory-db for known CVEs' +task :audit do + sh 'bundle exec bundle-audit check --update' +end
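Review bot: In the `.github/workflows/ci.yml` hunk, the new `audit` job references `actions/checkout@v4` and `ruby/setup-ruby@v1` by mutable major-version tag; for a job whose purpose is supply-chain gating, pin both to a full commit SHA (with the tag in a trailing comment) so the action code cannot change underneath the check. Also note that `bundle exec bundle-audit check --update` clones `rubysec/ruby-advisory-db` from GitHub on every run with no retry or fallback, so any transient GitHub outage turns into a red check on every push and PR; consider splitting `bundle-audit update` into its own step and documenting how an accepted advisory is suppressed (bundler-audit accepts `--ignore` with advisory IDs), since otherwise the only way past a known-but-irrelevant CVE is to disable the job.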
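Review bot: The `CHANGELOG.md` hunk claims the job is "gating merges on known CVEs", but nothing in this patch makes the `bundle-audit` check required: that depends on branch protection or rulesets, which are not configured here, and the workflow triggers are not visible in the diff either. Either reword to "fails the `bundle-audit` check on known CVEs" or add the branch-protection change (or a note that it must be enabled separately) so the entry matches what the patch actually does.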
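Review bot: In the `Gemfile` hunk, `gem 'rake'`, `gem 'rspec'` and `gem 'simplecov'` are removed and re-added with identical content, so this looks like a whitespace or indentation change riding along with the real one-line addition of `gem 'bundler-audit', '>= 0.9'`. Please either drop the incidental churn so the hunk shows only the new gem, or mention the reindent in the commit message so a later `git blame` on those lines is not misleading.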
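Review bot: In the `Rakefile` hunk, `sh 'bundle exec bundle-audit check --update'` nests `bundle exec` inside a Rakefile that is itself invoked via `bundle exec rake` (per the existing "Run tests and lint" step), so the inner `bundle exec` is redundant; bundler-audit also ships its own Rake integration (`require 'bundler/audit/task'` and `Bundler::Audit::Task.new`) which avoids the shell-out entirely and keeps the CLI flags in one place. Worth stating in the `desc` that the task needs network access to refresh the advisory DB, since a local `rake audit` run offline will fail for that reason rather than because of a vulnerable gem.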