Use Hakiri to test for known CVEs in gems and Ruby/Rails versions.

Gemfile

@@ -30,7 +30,8 @@ group :development, :test do
   gem 'byebug'
   gem 'pry'
   gem 'timecop'
-  gem 'brakeman', :require => false
+  gem 'brakeman', require: false
+  gem 'hakiri',  require: false
 end
 
 group :development do

Gemfile.lock

@@ -69,20 +69,35 @@ GEM
     codeclimate-test-reporter (0.4.8)
       simplecov (>= 0.7.1, < 1.0.0)
     coderay (1.1.0)
+    commander (4.3.5)
+      highline (~> 1.7.2)
     debug_inspector (0.0.2)
     diff-lcs (1.2.5)
     docile (1.1.5)
+    domain_name (0.5.25)
+      unf (>= 0.0.5, < 1.0.0)
     erubis (2.7.0)
     execjs (2.6.0)
     faraday (0.9.2)
       multipart-post (>= 1.2, < 3)
     fastercsv (1.5.5)
     globalid (0.3.6)
       activesupport (>= 4.1.0)
+    hakiri (0.7.2)
+      activesupport
+      bundler
+      commander
+      i18n
+      json
+      rake
+      rest-client
+      terminal-table
     haml (4.0.7)
       tilt
     hashie (3.4.3)
     highline (1.7.8)
+    http-cookie (1.0.2)
+      domain_name (~> 0.5)
     i18n (0.7.0)
     json (1.8.3)
     jwt (1.5.2)
@@ -99,6 +114,7 @@ GEM
     multi_json (1.11.2)
     multi_xml (0.5.5)
     multipart-post (2.0.0)
+    netrc (0.11.0)
     nokogiri (1.6.6.4)
       mini_portile (~> 0.6.0)
     oauth2 (1.0.0)
@@ -159,6 +175,10 @@ GEM
       rake (>= 0.8.7)
       thor (>= 0.18.1, < 2.0)
     rake (10.4.2)
+    rest-client (1.8.0)
+      http-cookie (>= 1.0.2, < 2.0)
+      mime-types (>= 1.16, < 3.0)
+      netrc (~> 0.7)
     rspec-core (3.4.1)
       rspec-support (~> 3.4.0)
     rspec-expectations (3.4.0)
@@ -217,6 +237,9 @@ GEM
     uglifier (2.7.2)
       execjs (>= 0.3.0)
       json (>= 1.8.0)
+    unf (0.1.4)
+      unf_ext
+    unf_ext (0.0.7.1)
     us_web_design_standards (0.0.2)
       railties
       sass (~> 3.4)
@@ -239,6 +262,7 @@ DEPENDENCIES
   cf-app-utils
   chronic
   codeclimate-test-reporter
+  hakiri
   omniauth
   omniauth-github
   pg

hakiri_manifest.json

@@ -0,0 +1,4 @@
+{
+    "ruby": { "command": "ruby -v" },
+    "ruby-on-rails": { "command": "bundle exec rails -v" }
+}

spec/features/security_spec.rb

@@ -4,10 +4,21 @@
 RSpec.feature "Security (via Brakeman static code analysis)" do
   before do
     tracker = Brakeman.run(Rails.root.to_s)
-    @warnings = tracker.checks.warnings
+    @brakeman_warnings = tracker.checks.warnings
+
+    @gemfile_vulns = `bundle exec hakiri gemfile:scan`
+    @ruby_rails_vulns = `bundle exec hakiri system:scan -m hakiri_manifest.json`
+  end
+
+  scenario "The site has zero Brakeman security warnings" do
+    expect(@brakeman_warnings.length).to eq(0), "Expected 0 security warnings, got: \n #{@brakeman_warnings.map(&:to_s)}."
+  end
+
+  scenario "The Gemfile does not depend on vulnerable gems" do
+    expect(@gemfile_vulns).to have_content("No vulnerabilities found. Keep it up!")
   end
 
-  scenario "The site has zero security warnings" do
-    expect(@warnings.length).to eq(0), "Expected 0 security warnings, got: \n #{@warnings.map(&:to_s)}."
+  scenario "The Ruby and Rails versions have no known (CVE) vulnerabilities" do
+    expect(@ruby_rails_vulns).to have_content("No vulnerabilities found. Keep it up!")
   end
 end