Add bundle audit to CI (#263)

* Add bundle-audit gem

* Update vulnerable brakeman gem

* Fix "Insecure Source URI found" issue for Rails

.circleci/config.yml

@@ -33,6 +33,10 @@ jobs:
           name: Bundle Install
           command: bundle check || bundle install
 
+      - run:
+          name: Bundle audit
+          command: bundle exec bundle audit update && bundle exec bundle audit check -v
+
       - run:
           name: Rubocop
           command: bundle exec rubocop

Gemfile

@@ -4,7 +4,7 @@ ruby '2.6.5'
 
 ##-- base gems for rails --##
 gem 'rack-cors', require: 'rack/cors'
-gem 'rails', '~> 6', github: 'rails/rails'
+gem 'rails', '~> 6', git: 'https://github.com/rails/rails'
 # Reduces boot times through caching; required in config/boot.rb
 gem 'bootsnap', require: false
 
@@ -80,6 +80,7 @@ group :test do
 end
 
 group :development, :test do
+  gem 'bundle-audit', require: false
   gem 'byebug', platform: :mri
   gem 'factory_bot_rails'
   gem 'faker'

Gemfile.lock

@@ -1,6 +1,34 @@
 GIT
-  remote: git://github.com/rails/rails.git
+  remote: https://github.com/lynndylanhurley/devise_token_auth
-  revision: 7f6d2914c64e7b5224784152fc2d315b6b5b9d60
+  revision: d886f476c625a1bf9673f03b95fb629e75ac2875
+  specs:
+    devise_token_auth (1.1.3)
+      bcrypt (~> 3.0)
+      devise (> 3.5.2, < 5)
+      rails (>= 4.2.0, < 6.1)
+      sprockets (= 3.7.2)
+
+GIT
+  remote: https://github.com/mbleigh/acts-as-taggable-on
+  revision: fbf2b609b69a90edcd5813e9ba6395a7e293e977
+  specs:
+    acts-as-taggable-on (6.0.1)
+      activerecord (>= 5.0, < 6.1)
+
+GIT
+  remote: https://github.com/plataformatec/devise
+  revision: c5de66245460920f9ce98af43c20188c8948f036
+  specs:
+    devise (4.7.1)
+      bcrypt (~> 3.0)
+      orm_adapter (~> 0.1)
+      railties (>= 4.1.0)
+      responders
+      warden (~> 1.2.3)
+
+GIT
+  remote: https://github.com/rails/rails
+  revision: 3f1473379ce3eafc6f8a9912a7c4fb410745cac6
   specs:
     actioncable (6.1.0.alpha)
       actionpack (= 6.1.0.alpha)
@@ -82,34 +110,6 @@ GIT
       rake (>= 0.8.7)
       thor (>= 0.20.3, < 2.0)
 
-GIT
-  remote: https://github.com/lynndylanhurley/devise_token_auth
-  revision: d886f476c625a1bf9673f03b95fb629e75ac2875
-  specs:
-    devise_token_auth (1.1.3)
-      bcrypt (~> 3.0)
-      devise (> 3.5.2, < 5)
-      rails (>= 4.2.0, < 6.1)
-      sprockets (= 3.7.2)
-
-GIT
-  remote: https://github.com/mbleigh/acts-as-taggable-on
-  revision: fbf2b609b69a90edcd5813e9ba6395a7e293e977
-  specs:
-    acts-as-taggable-on (6.0.1)
-      activerecord (>= 5.0, < 6.1)
-
-GIT
-  remote: https://github.com/plataformatec/devise
-  revision: c5de66245460920f9ce98af43c20188c8948f036
-  specs:
-    devise (4.7.1)
-      bcrypt (~> 3.0)
-      orm_adapter (~> 0.1)
-      railties (>= 4.1.0)
-      responders
-      warden (~> 1.2.3)
-
 GIT
   remote: https://github.com/rspec/rspec-rails
   revision: bfa37ce6d6ab80257c48e407042406007c7cb724
@@ -157,10 +157,15 @@ GEM
     bindex (0.8.1)
     bootsnap (1.4.5)
       msgpack (~> 1.0)
-    brakeman (4.7.0)
+    brakeman (4.7.1)
     browser (2.7.0)
     buftok (0.2.0)
     builder (3.2.3)
+    bundle-audit (0.1.0)
+      bundler-audit
+    bundler-audit (0.6.1)
+      bundler (>= 1.2.0, < 3)
+      thor (~> 0.18)
     byebug (11.0.1)
     carrierwave (2.0.2)
       activemodel (>= 5.0.0)
@@ -276,7 +281,7 @@ GEM
     mini_magick (4.9.5)
     mini_mime (1.0.2)
     mini_portile2 (2.4.0)
-    minitest (5.12.2)
+    minitest (5.13.0)
     mock_redis (0.22.0)
     msgpack (1.3.1)
     multi_xml (0.6.0)
@@ -318,7 +323,7 @@ GEM
     rails-html-sanitizer (1.3.0)
       loofah (~> 2.3)
     rainbow (3.0.0)
-    rake (13.0.0)
+    rake (13.0.1)
     rb-fsevent (0.10.3)
     rb-inotify (0.10.0)
       ffi (~> 1.0)
@@ -439,7 +444,7 @@ GEM
       websocket-extensions (>= 0.1.0)
     websocket-extensions (0.1.4)
     wisper (2.0.0)
-    zeitwerk (2.2.0)
+    zeitwerk (2.2.1)
 
 PLATFORMS
   ruby
@@ -451,6 +456,7 @@ DEPENDENCIES
   bootsnap
   brakeman
   browser
+  bundle-audit
   byebug
   carrierwave-aws
   chargebee (~> 2)