Rubion
Security scanner for Ruby gems and NPM packages. Finds vulnerabilities and outdated dependencies with release dates, version analysis, and severity indicators.
Rubion is a security and version scanner for Ruby and JavaScript projects. It helps you identify vulnerabilities and outdated dependencies in your Ruby gems and NPM/JavaScript packages.
<img width="1237" height="671" alt="Screenshot 2025-11-14 at 10 48 12 am" src="https://github.com/user-attachments/assets/a3d93452-c442-416a-9697-de59746e16ad" />
Features
- 📛 Gem Vulnerabilities: Scans for known security vulnerabilities in Ruby gems using bundle-audit
- 📦 Gem Versions: Identifies outdated Ruby gems with release dates and version counts
- 📛 Package Vulnerabilities: Scans for known security vulnerabilities in NPM/JavaScript packages using npm audit or yarn audit
- 📦 Package Versions: Identifies outdated NPM/JavaScript packages with release dates and version counts
- 🎯 Direct Dependencies: Highlights direct dependencies (from Gemfile/package.json) in bold text
- 🔍 Filtering: Option to show only direct dependencies with the --exclude-dependencies flag
- 🛡️ Vulnerabilities Only Mode: Option to show only vulnerability tables (and skip version/outdated checks) with --vulnerabilities-only
- 📊 Sorting: Sort results by any column (Name, Current, Date, Latest, Behind By(Time), Behind By(Versions))
- 📊 Beautiful Reports: Organized table output with severity icons (🔴 Critical, 🟠 High, 🟡 Medium, 🟢 Low, ⚪ Unknown)
- 🚀 Fast & Efficient: Parallel API processing (10 concurrent threads) for quick results
- ⚡ Incremental Output: Shows gem results immediately, then scans packages
- 📅 Release Dates: Fetches actual release dates from RubyGems.org and NPM registry
- 🔢 Version Analysis: Shows how many versions behind and time difference
- 📦 Multi-Package Manager: Supports both npm and yarn with automatic detection
Installation
Install from RubyGems
gem install rubion
Install from source
git clone https://github.com/bipashant/rubion.git
cd rubion
bundle install
rake install_local
Usage
Basic Scan
Navigate to your project directory and run:
rubion scan
This will scan your project for:
- Ruby gem vulnerabilities (if Gemfile.lock exists)
- Outdated Ruby gems with release dates
- NPM/JavaScript package vulnerabilities (if package.json exists)
- Outdated NPM/JavaScript packages with release dates
Vulnerability results are only as current as the advisory data behind them: bundle-audit checks against its local copy of ruby-advisory-db (refresh it with bundle-audit update before relying on a clean result), while npm audit and yarn audit query the registry's advisory service at scan time, so they need network access.
Scan Options
# Scan only Ruby gems (skip NPM packages)
rubion scan --gems-only
# or
rubion scan -g
# Scan only NPM packages (skip Ruby gems)
rubion scan --packages-only
# or
rubion scan -p
# Scan both (default)
rubion scan
Sorting Options
# Sort by column name (default: "Behind By(Time)" in descending order)
rubion scan --sort-by Name
rubion scan --sort-by Current
rubion scan --sort-by "Current version released on"
rubion scan --sort-by Latest
rubion scan --sort-by "Latest version released on"
rubion scan --sort-by "Behind By(Time)"
rubion scan --sort-by "Behind By(Versions)"
# Short form
rubion scan -s Name
# Sort in ascending order
rubion scan --sort-by Name --asc
rubion scan --sort-by Name --ascending
# Sort in descending order (default)
rubion scan --sort-by Name --desc
rubion scan --sort-by Name --descending
Available columns for sorting:
- Name - Package/gem name
- Current - Current version
- Current version released on (or Date) - Release date of current version
- Latest - Latest version
- Latest version released on (or Date) - Release date of latest version
- Behind By(Time) - Time difference (default sort, descending)
- Behind By(Versions) - Number of versions behind
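The "Behind By(Time)" and "Behind By(Versions)" columns, and sorting on them, both depend on comparing real version and date values rather than the text shown in the table. The following is an added example, not Rubion's own code, of how those two columns can be derived from a registry's version list and how rows are then sorted by any column name. The registry data, the gem names (widget, gizmo, sprocket) and the function names are constructed for the example; the per-version fields mirror what https://rubygems.org/api/v1/versions/<gem>.json returns, but nothing is fetched.

```ruby
require "json"
require "time"

# Constructed sample keyed by gem name. Each entry mirrors the per-version
# fields ("number", "created_at", "prerelease") that
# https://rubygems.org/api/v1/versions/<gem>.json returns; nothing is fetched.
SAMPLE_REGISTRY = JSON.parse(<<~JSON)
  {
    "widget": [
      {"number": "2.0.0.rc1", "created_at": "2025-01-05T00:00:00.000Z", "prerelease": true},
      {"number": "1.11.0",    "created_at": "2024-11-20T00:00:00.000Z", "prerelease": false},
      {"number": "1.10.0",    "created_at": "2024-06-01T00:00:00.000Z", "prerelease": false},
      {"number": "1.9.0",     "created_at": "2023-03-15T00:00:00.000Z", "prerelease": false}
    ],
    "gizmo": [
      {"number": "0.5.2", "created_at": "2025-03-10T00:00:00.000Z", "prerelease": false},
      {"number": "0.5.1", "created_at": "2025-02-01T00:00:00.000Z", "prerelease": false}
    ],
    "sprocket": [
      {"number": "3.2.0", "created_at": "2023-02-14T00:00:00.000Z", "prerelease": false},
      {"number": "3.1.0", "created_at": "2022-08-01T00:00:00.000Z", "prerelease": false},
      {"number": "3.0.0", "created_at": "2022-01-10T00:00:00.000Z", "prerelease": false}
    ]
  }
JSON

# Whole calendar months between two release dates, ignoring day of month
# (2023-03-15 -> 2024-11-20 counts as 20 months, as in the README's tables).
def months_between(from, to)
  return 0 if from.nil? || to.nil?
  [(to.year - from.year) * 12 + (to.month - from.month), 0].max
end

def humanize_months(months)
  years, rest = months.divmod(12)
  parts = []
  parts << "#{years} year#{'s' if years != 1}" if years > 0
  parts << "#{rest} month#{'s' if rest != 1}" if rest > 0
  parts.empty? ? "up to date" : parts.join(" ")
end

# One "Gem Versions" row for a gem pinned at `current`. Prereleases are not
# candidates for "Latest" in this example, so a project on widget 1.9.0 is
# told about 1.11.0 rather than 2.0.0.rc1.
def version_row(name, current, versions)
  releases = versions.reject { |v| v["prerelease"] }
                     .map { |v| [Gem::Version.new(v["number"]), Time.iso8601(v["created_at"])] }
                     .sort_by(&:first) # Gem::Version orders 1.9.0 < 1.10.0; String would not
  cur = Gem::Version.new(current)
  latest, latest_at = releases.last
  current_at = releases.find { |ver, _| ver == cur }&.last
  months = months_between(current_at, latest_at)
  {
    name: name, current: cur, current_at: current_at,
    latest: latest, latest_at: latest_at,
    behind_versions: releases.count { |ver, _| ver > cur },
    behind_months: months, behind_time: humanize_months(months)
  }
end

# Sort keys are the underlying values, never the rendered text: comparing the
# strings "1 year 8 months" and "7 months" lexically gives the wrong order.
SORT_KEYS = {
  "Name"                        => ->(r) { r[:name] },
  "Current"                     => ->(r) { r[:current] },
  "Latest"                      => ->(r) { r[:latest] },
  "Current version released on" => ->(r) { r[:current_at] },
  "Latest version released on"  => ->(r) { r[:latest_at] },
  "Behind By(Time)"             => ->(r) { r[:behind_months] },
  "Behind By(Versions)"         => ->(r) { r[:behind_versions] }
}.freeze

def sort_rows(rows, column = "Behind By(Time)", descending: true)
  key = SORT_KEYS.fetch(column) { raise ArgumentError, "unknown column: #{column}" }
  # Rows whose current version is unknown to the registry have nil dates;
  # the [0, nil] prefix sorts them first instead of raising on nil <=> Time.
  sorted = rows.sort_by { |r| v = key.call(r); [v.nil? ? 0 : 1, v] }
  descending ? sorted.reverse : sorted
end

# pins: { "gem name" => "current version" }, as read from Gemfile.lock.
def version_report(pins, registry = SAMPLE_REGISTRY, column: "Behind By(Time)", descending: true)
  rows = pins.map { |name, current| version_row(name, current, registry.fetch(name)) }
  sort_rows(rows, column, descending: descending)
end

if __FILE__ == $PROGRAM_NAME
  version_report({ "widget" => "1.9.0", "gizmo" => "0.5.2", "sprocket" => "3.0.0" }).each do |r|
    puts format("%-9s %-7s -> %-7s behind by %d versions, %s",
                r[:name], r[:current], r[:latest], r[:behind_versions], r[:behind_time])
  end
end
```

Two choices in this example matter for how the numbers read: "Behind By(Time)" is the gap between the current and latest release dates, not the time since the current release, and prereleases are excluded from both "Latest" and the version count. Whether a scanner should count prereleases is a policy decision; the point is to make it explicit rather than let a string sort decide.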
Filtering Options
# Show only direct dependencies (from Gemfile/package.json)
rubion scan --exclude-dependencies
Direct dependencies are automatically highlighted in bold text in the output.
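Telling direct dependencies apart from transitive ones is what makes --exclude-dependencies and the bold highlighting possible. For Ruby, Gemfile.lock already carries both views: the DEPENDENCIES section lists what the Gemfile declares, and the specs: block under each source lists everything that was resolved. For JavaScript, package.json lists only direct dependencies. The following is an added example, not Rubion's own code, that parses a constructed Gemfile.lock with a small hand-written parser and builds the rows that --exclude-dependencies would keep; the lockfile contents, the package.json and the function names are constructed for the example.

```ruby
require "json"

# Constructed Gemfile.lock: two direct dependencies (under DEPENDENCIES) and
# five resolved gems (under specs). Indentation is significant in this format:
# 4 spaces for a resolved gem, 6 spaces for that gem's own requirements.
SAMPLE_GEMFILE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      concurrent-ruby (1.2.2)
      nokogiri (1.13.8)
        racc (~> 1.4)
      racc (1.6.2)
      rack (2.2.3)
      sidekiq (7.0.0)
        concurrent-ruby (< 2)
        rack (~> 2.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    nokogiri (~> 1.13)
    sidekiq
LOCK

# Constructed package.json; only direct dependencies live here, transitive
# ones are in package-lock.json / yarn.lock, which this example does not read.
SAMPLE_PACKAGE_JSON = <<~JSON
  {"name": "demo",
   "dependencies": {"lodash": "^4.17.20", "axios": "^0.21.1"},
   "devDependencies": {"webpack": "^5.70.0"}}
JSON

# Parses a lockfile into { direct: [names], specs: { name => version } }.
# GIT and PATH sources use the same "specs:" layout as GEM, so a
# "name (version)" line at four-space depth under any source is recorded.
def parse_gemfile_lock(text)
  specs = {}
  direct = []
  section = nil
  in_specs = false
  text.each_line do |raw|
    line = raw.chomp
    next if line.empty?
    if line.match?(/\A\S/)                 # unindented line starts a new section
      section = line
      in_specs = false
      next
    end
    if section == "DEPENDENCIES"
      # "  name", "  name (~> 1.2)", or "  name!" for git/path dependencies
      m = line.match(/\A  ([^\s(!]+)(?: \((.*)\))?(!)?\z/)
      direct << m[1] if m
    elsif line == "  specs:"
      in_specs = true
    elsif in_specs
      # 4-space depth: resolved gem, with an optional "-platform" suffix;
      # 6-space depth (the gem's own requirements) does not match this regex.
      m = line.match(/\A    ([^\s(]+) \(([^-]+)(?:-(.+))?\)\z/)
      specs[m[1]] = m[2] if m
    end
  end
  { direct: direct, specs: specs }
end

# Rows for the "Gem Versions" table, with the flag the CLI renders as bold.
def dependency_rows(lock_text, only_direct: false)
  lock = parse_gemfile_lock(lock_text)
  rows = lock[:specs].map do |name, version|
    { name: name, version: version, direct: lock[:direct].include?(name) }
  end
  only_direct ? rows.select { |r| r[:direct] } : rows
end

def render_name(row)
  row[:direct] ? "**#{row[:name]}**" : row[:name]
end

def direct_npm_dependencies(package_json_text)
  pkg = JSON.parse(package_json_text)
  %w[dependencies devDependencies].flat_map { |k| (pkg[k] || {}).keys }.uniq
end

if __FILE__ == $PROGRAM_NAME
  dependency_rows(SAMPLE_GEMFILE_LOCK).each { |r| puts "#{render_name(r)} #{r[:version]}" }
  puts "npm direct: #{direct_npm_dependencies(SAMPLE_PACKAGE_JSON).join(', ')}"
end
```

Filtering to direct dependencies is a triage aid, not a risk reduction: racc and rack above are reachable through nokogiri and sidekiq even though no Gemfile line names them, and a vulnerable transitive gem is just as loaded at runtime. Use --exclude-dependencies to decide what to bump first, and read the unfiltered vulnerability tables before signing off.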
Vulnerabilities-Only Mode
# Show only vulnerability tables (no version/outdated sections)
rubion scan --vulnerabilities-only
# Combine with other filters
rubion scan --gems-only --vulnerabilities-only
rubion scan --packages-only --vulnerabilities-only
View Help
rubion help
# or
rubion -h
Check Version
rubion version
# or
rubion -v
Output Example
Complete Scan Output
🔍 Scanning project at: /path/to/project
📦 Checking Ruby gems... 139/139 ✓
Gem Vulnerabilities:
+--------------+----------+---------+---------------------------------------------+
| Level | Name | Version | Vulnerability |
+--------------+----------+---------+---------------------------------------------+
| 🔴 Critical | rexml | 3.4.1 | REXML has DoS condition when parsing... |
| 🟠 High | rack | 2.0.8 | Denial of Service vulnerability |
| 🟡 Medium | nokogiri | 1.13.8 | XML parsing vulnerability |
| 🟢 Low | json | 2.6.1 | JSON parsing issue |
+--------------+----------+---------+---------------------------------------------+
Gem Versions:
+------------------+---------+-------------------------------+---------+-------------------------------+---------------------+-----------------------+
| Name | Current | Current Released On | Latest | Latest Released On | Behind By(Time) | Behind By(Versions) |
+------------------+---------+-------------------------------+---------+-------------------------------+---------------------+-----------------------+
| sidekiq | 7.30 | 3/5/2024 | 8.1 | 11/11/2025 | 1 year | 15 |
| rails | 7.0.0 | 12/15/2022 | 7.1.0 | 10/4/2024 | 1 year 10 months | 8 |
| fastimage | 2.2.7 | 2/2/2025 | 2.3.2 | 9/9/2025 | 7 months | 3 |
| nokogiri | 1.13.8 | 5/10/2023 | 1.15.0 | 8/20/2024 | 1 year 3 months | 12 |
| redis | 4.8.0 | 1/15/2023 | 5.0.0 | 11/1/2024 | 1 year 9 months | 20 |
| pg | 1.4.0 | 3/20/2023 | 1.5.0 | 9/15/2024 | 1 year 5 months | 6 |
+------------------+---------+-------------------------------+---------+-------------------------------+---------------------+-----------------------+
📦 Checking NPM packages... 45/45 ✓
Package Vulnerabilities:
+--------------+---------+---------+-----------------------------------------------+
| Level | Name | Version | Vulnerability |
+--------------+---------+---------+-----------------------------------------------+
| 🔴 Critical | lodash | 4.17.20 | Prototype pollution vulnerability |
| 🟠 High | moment | 2.29.1 | Wrong timezone date calculation |
| 🟡 Medium | axios | 0.21.1 | Server-Side Request Forgery (SSRF) |
| 🟢 Low | debug | 4.3.1 | Regular Expression Denial of Service |
+--------------+---------+---------+-----------------------------------------------+
Package Versions:
+------------------+---------+-------------------------------+---------+-------------------------------+---------------------+-----------------------+
| Name | Current | Current Released On | Latest | Latest Released On | Behind By(Time) | Behind By(Versions) |
+------------------+---------+-------------------------------+---------+-------------------------------+---------------------+-----------------------+
| react | 17.0.2 | 3/3/2021 | 18.2.0 | 6/14/2023 | 2 years 3 months | 45 |
| vue | 3.2.0 | 8/5/2021 | 3.3.0 | 5/18/2023 | 1 year 9 months | 8 |
| jquery | 3.7.1 | 4/5/2024 | 3.9.1 | 10/11/2025 | 1 year | 8 |
| express | 4.18.0 | 4/25/2022 | 4.18.2 | 8/15/2023 | 1 year 3 months | 2 |
| webpack | 5.70.0 | 3/1/2022 | 5.88.0 | 6/1/2023 | 1 year 3 months | 18 |
| typescript | 4.7.0 | 5/24/2022 | 5.1.0 | 5/25/2023 | 1 year | 12 |
+------------------+---------+-------------------------------+---------+-------------------------------+---------------------+-----------------------+
Direct Dependencies Only (with --exclude-dependencies)
When using rubion scan --exclude-dependencies, only direct dependencies are shown:
Gem Versions:
+----------+---------+--------------------------+---------+--------------------------+------------------+-------------------+
| Name | Current | Current version released on | Latest | Latest version released on | Behind By(Time) ↓ | Behind By(Versions) |
+----------+---------+--------------------------+---------+--------------------------+------------------+-------------------+
| **rails**| 7.0.0 | 12/15/2022 | 7.1.0 | 10/4/2024 | 1 year 10 months | 8 |
| **sidekiq**| 7.30 | 3/5/2024 | 8.1 | 11/11/2025 | 1 year | 15 |
| **pg** | 1.4.0 | 3/20/2023 | 1.5.0 | 9/15/2024 | 1 year 5 months | 6 |
+----------+---------+--------------------------+---------+--------------------------+------------------+-------------------+
Note: Direct dependencies (from Gemfile or package.json) are displaye
