Dawnscanner is a source code scanner designed to review your Ruby code for security issues. It can scan plain Ruby scripts (e.g. command line applications), but all of its features are unleashed when dealing with web application source code. It supports the major MVC (Model View Controller) frameworks out of the box:
The dawnscanner rubygem is cryptographically signed. To be sure the gem you install hasn't been tampered with, first add the paolo@dawnscanner.org public signing certificate to your gem-specific keyring as trusted:
$ gem cert --add <(curl -Ls https://raw.githubusercontent.com/thesp0nge/dawnscanner/master/certs/paolo_at_dawnscanner_dot_org.pem)
You can then install the latest dawnscanner version from rubygems.org by typing:
$ gem install dawnscanner -P MediumSecurity
The MediumSecurity trust profile verifies signed gems but still allows the installation of unsigned dependencies. This is necessary because not all of Dawn's dependencies are signed, so HighSecurity cannot be used. Keep in mind what that trade-off means: any signed gem must carry a signature from a certificate in your trusted keyring, while the unsigned dependencies are installed without any signature check at all.
To install a release candidate version, the gem install command line is the following:
$ gem install dawnscanner --pre -P MediumSecurity
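Before trusting a certificate that was fetched over the network and piped straight into gem cert --add, a practitioner usually wants to look at it first. The following Ruby script is an added example, not code from the dawnscanner project: it parses a signing certificate in PEM form, reports its subject, issuer, validity window and SHA-256 fingerprint, and checks that the subject is exactly the one RubyGems derives from the paolo@dawnscanner.org address (the same mapping gem cert --build uses, exposed as Gem::Security.email_to_name). The certificate it generates when run without arguments is a constructed, throwaway stand-in so that the script runs offline; the function names and the optional PEM path argument are the example's own assumptions.

```ruby
# Added example (not part of dawnscanner itself): inspect a gem signing
# certificate before handing it to `gem cert --add`, so that you trust a
# certificate whose subject, validity window and fingerprint you have seen
# rather than whatever a curl pipe happened to return.
require "openssl"
require "rubygems/security"

# `gem cert --build paolo@dawnscanner.org` derives the certificate subject from
# the e-mail address; RubyGems exposes that mapping as Gem::Security.email_to_name.
def expected_subject_for(email)
  Gem::Security.email_to_name(email)
end

# Summarise the facts a reviewer wants to see before trusting the certificate.
def describe_signing_cert(pem)
  cert = OpenSSL::X509::Certificate.new(pem)
  {
    subject: cert.subject.to_s,
    issuer: cert.issuer.to_s,
    # self-signed means issuer == subject AND the signature checks out with its own key
    self_signed: cert.issuer.cmp(cert.subject).zero? && cert.verify(cert.public_key),
    not_before: cert.not_before,
    not_after: cert.not_after,
    sha256: OpenSSL::Digest::SHA256.hexdigest(cert.to_der),
  }
end

# True when the certificate subject is exactly the one RubyGems would build
# for the advertised signing address.
def cert_matches_email?(pem, email)
  cert = OpenSSL::X509::Certificate.new(pem)
  cert.subject.cmp(expected_subject_for(email)).zero?
end

# True when `now` falls inside the certificate validity window.
def cert_currently_valid?(pem, now = Time.now)
  cert = OpenSSL::X509::Certificate.new(pem)
  cert.not_before <= now && now <= cert.not_after
end

# Constructed stand-in for the real certificate (assumption of this example):
# a throwaway self-signed certificate built the way `gem cert --build` would,
# so the script runs offline. Pass a real PEM path as the first argument to
# check the downloaded certificate instead.
def constructed_test_cert_pem(email)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = expected_subject_for(email)
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 365 * 24 * 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert.to_pem
end

if $PROGRAM_NAME == __FILE__
  email = "paolo@dawnscanner.org"
  pem = ARGV[0] ? File.read(ARGV[0]) : constructed_test_cert_pem(email)
  describe_signing_cert(pem).each { |k, v| puts "#{k}: #{v}" }
  abort "subject does not match #{email}" unless cert_matches_email?(pem, email)
  abort "certificate is outside its validity window" unless cert_currently_valid?(pem)
  puts "OK: subject matches #{email}; compare the sha256 above out of band, then run gem cert --add"
end
```

Save the curl output to a file instead of piping it, run the script against that file, compare the printed fingerprint with one obtained through a second channel (for example the certs/ directory of a git checkout of the repository), and only then add the file with gem cert --add. A subject mismatch or an expired certificate is a reason to stop and ask, not to proceed.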
If you want to add dawn to your project's Gemfile, add the following:
group :development do
gem 'dawnscanner', :require=>false
end
And then update your bundle:
$ bundle install
If you prefer to build it from source, check it out from GitHub first:
$ git clone https://github.com/thesp0nge/dawnscanner.git
$ cd dawnscanner
$ bundle install
$ rake install
The dawnscanner gem will be built in the pkg directory and then installed on your system. Note that you have to manage dependencies on your own this way; it makes sense only if you want to hack on the code.
In a connected world like ours, attackers who want to steal information and put us out of business are just around the corner. You want your customers to be confident using your web application, so you must provide them with a reliable and secure product.
With dawnscanner you can scan your Ruby code for security issues. With more than 190 security checks in its knowledge base, dawnscanner can help you identify security issues before you ship your product.
dawnscanner is built with security in mind to provide you:
The README.md file in the source code is the best documentation available for dawnscanner. It explains almost everything about using the tool. Condensed documentation is also available by launching the tool with the --help flag.
Dawnscanner is open source and has a project on GitHub, so check that out if you want to report bugs or open a pull request. If you have any questions, thoughts, concerns or feedback, please don't hesitate to email me at paolo@dawnscanner.org.