Ruby

Analyze Ruby projects with FOSSA via RubyGems and Bundler, through Quick Import or the FOSSA CLI, including private Gem sources.

2 min readUpdated Jul 9, 2026

Overview

FOSSA supports Ruby codebases through RubyGems and Bundler. You can analyze a project two ways: Quick Import in the web app, or the FOSSA CLI.

Tool support

ToolQuick Import (app.fossa.com)CLI (fossa-cli)
bundlerGemfile, Gemfile.lock or *.gemspecGemfile, Gemfile.lock
gemGemfileGemfile.lock

How Quick Import works

When Ruby code is imported through the web app, FOSSA finds and runs any Gemfile or *.gemspec files and monitors dependency activity.

Note

If a Gemfile.lock is present, FOSSA prefers it for dependency information.

Analyzing with the CLI

For complex Ruby builds, CI/CD scanning with the FOSSA CLI is the ideal integration path.

Install the latest release of fossa-cli:

Shell
curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash

Then run fossa analyze from your repository's root directory. In CI/CD scanning for Ruby, fossa analyze relies on the output of bundle list to determine what was installed in your build environment. If the bundle list command cannot be executed successfully, it falls back to parsing Gemfile.lock. See the Bundler strategy reference for the full page.

Analysis strategies

StrategyDirect DepsTransitive DepsEdgesTagsContainer Scanning
gemfilelock
bundleshow✅ (unlabeled)✅ (unlabeled)
  • ✅, Supported when relevant data is available

Authenticating to private registries

FOSSA supports fetching private Gems from custom or authenticated sources.

  1. 1

    Open Ruby language settings

    Go to Account Settings → Languages → Ruby (https://app.fossa.com/account/settings/languages/ruby).

  2. 2

    Add your credentials

    Enter the login credentials FOSSA should use to reach your private Gem source, then save.

Once configured, FOSSA can resolve any previously unreachable Gems.

Ruby private Gem source credentials in Account Settings

Package data

For basic metadata, FOSSA parses or evaluates all available metadata files for license and authorship information. This includes Gemfile, Gemfile.lock, and *.gemspec formats.

Since source is generally accessible, FOSSA supports full code auditing on RubyGems and runs license scans and code analysis across all files in a given Gem.

© 2026 FOSSA, Inc.support@fossa.com