Ruby
Analyze Ruby projects with FOSSA via RubyGems and Bundler, through Quick Import or the FOSSA CLI, including private Gem sources.
Overview
FOSSA supports Ruby codebases through RubyGems and Bundler. You can analyze a project two ways: Quick Import in the web app, or the FOSSA CLI.
Tool support
| Tool | Quick Import (app.fossa.com) | CLI (fossa-cli) |
|---|---|---|
| bundler | Gemfile, Gemfile.lock or *.gemspec | Gemfile, Gemfile.lock |
| gem | Gemfile | Gemfile.lock |
How Quick Import works
When Ruby code is imported through the web app, FOSSA finds and runs any Gemfile or *.gemspec files and monitors dependency activity.
Note
If a Gemfile.lock is present, FOSSA prefers it for dependency information.
Analyzing with the CLI
For complex Ruby builds, CI/CD scanning with the FOSSA CLI is the ideal integration path.
Install the latest release of fossa-cli:
curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bashThen run fossa analyze from your repository's root directory. In CI/CD scanning for Ruby, fossa analyze relies on the output of bundle list to determine what was installed in your build environment. If the bundle list command cannot be executed successfully, it falls back to parsing Gemfile.lock. See the Bundler strategy reference for the full page.
Analysis strategies
| Strategy | Direct Deps | Transitive Deps | Edges | Tags | Container Scanning |
|---|---|---|---|---|---|
| gemfilelock | ✅ | ✅ | ✅ | ✅ | |
| bundleshow | ✅ (unlabeled) | ✅ (unlabeled) | ❌ | ❌ |
- ✅, Supported when relevant data is available
Authenticating to private registries
FOSSA supports fetching private Gems from custom or authenticated sources.
- 1
Open Ruby language settings
Go to Account Settings → Languages → Ruby (
https://app.fossa.com/account/settings/languages/ruby). - 2
Add your credentials
Enter the login credentials FOSSA should use to reach your private Gem source, then save.
Once configured, FOSSA can resolve any previously unreachable Gems.

Package data
For basic metadata, FOSSA parses or evaluates all available metadata files for license and authorship information. This includes Gemfile, Gemfile.lock, and *.gemspec formats.
Since source is generally accessible, FOSSA supports full code auditing on RubyGems and runs license scans and code analysis across all files in a given Gem.