
Ruby on Rails packaging

Your Ruby on Rails applications must meet specific packaging requirements before you can submit them for scanning.

See Supported languages and platforms for instructions for other platforms.

You can analyze applications using Veracode Static Analysis or Veracode Software Composition Analysis (SCA) upload and scan, if licensed. For SCA agent-based scan requirements, see Using Veracode SCA with Programming Languages.

Automated packaging

Auto-packaging simplifies the packaging process for Ruby on Rails projects.

Supported template formats

Veracode supports these template formats for analyzing Ruby on Rails applications:

  • ERB/Erubis
  • HAML
  • Builder

Required files

Veracode requires that you use a custom Veracode RubyGem to package Ruby on Rails applications.

Veracode packaging gem

Before uploading your Ruby on Rails code, Veracode requires you to run a special packaging gem. The gem uses features introduced in Ruby 1.9 to translate your application to an archive format that Veracode can scan. The resulting archive contains this information:

  • Modules and classes, including disassembled instruction sequences for all Ruby methods. Disassembly is not available for methods implemented in C.
  • A log of errors generated by the Veracode gem or other code in your application environment during disassembly.
  • Configuration files for Rails, Bundler, or other common gems.
  • Ruby source and template files.
  • A list of included files.
  • A recursive list of all files in the application directory, including those not contained in the archive.

To prepare your application for analysis:

  1. Ensure that the application can run.
  2. Ensure that you have a functional Rails environment on the system preparing your application.

You can test your system for these requirements by running the rails server command.

Supported Ruby on Rails versions

Rails versions    Ruby versions
5.x               2.3.x–2.7.x
6.0.x             2.5.x–2.7.x
6.1.x             2.5.x–3.2.x
7.0.x             2.7.x–3.2.x
7.1.x             2.7.x–3.3.x

Packaging guidance

To set up a clean Ruby environment before installing and running the Veracode gem, Veracode recommends you use RVM. After you install RVM, create the Ruby environment by running the following command sequence:

rvm install {your version}
rvm use {your version}@veracode --create

To install the gem, Veracode recommends that you use Bundler. Run the following command to update your gem to the latest version:

railsapp $ bundle update veracode

As an alternative to Bundler, you can install the gem with the gem install command. After you install RVM and ensure you meet all other application dependencies, run the following command sequence:

rvm install {your version}
rvm use {your version}@veracode --create
gem install veracode

The packaging gem includes the veracode command-line tool that you run in the directory that contains your Rails application. For a list of subcommands and options, run veracode or veracode help.

For the veracode gem to properly analyze and package your application, you must disable the application setting config.cache_classes. Verify that this setting is disabled in the configuration file for the environment you package. For example, if you package the development environment by running RAILS_ENV=development veracode prepare, validate that config/environments/development.rb contains the line config.cache_classes = false.

/your/ruby/on/railsapp/config/environments/development.rb
YourApp::Application.configure do
  config.cache_classes = false

  # Log error messages when you accidentally call methods on nil.
  config.whiny_nils = true

  # other environment settings omitted
end
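The following is an added example, not code from the Veracode gem or its documentation: a pre-flight check that reads the environment file veracode prepare will load (config/environments/<RAILS_ENV>.rb) and reports whether config.cache_classes is disabled, ignoring commented-out lines and flagging values that are computed at runtime. The module and method names and the sample environment files are assumptions constructed for the example.

```ruby
require "tmpdir"
require "fileutils"

# Added example (not part of the veracode gem): checks config.cache_classes in a Rails
# environment file before packaging. Module and method names are assumptions.
module CacheClassesCheck
  # Matches an uncommented "config.cache_classes = <value>" assignment and captures <value>.
  SETTING = /^\s*config\.cache_classes\s*=\s*([^\s#]+)/

  # Returns :disabled, :enabled, :dynamic (value is an expression, e.g. read from ENV) or
  # :unset for the source text of one environment file. The last assignment wins, as it
  # would when Ruby evaluates the configure block.
  def self.check_source(source)
    result = :unset
    source.each_line do |line|
      next if line.lstrip.start_with?("#")          # commented-out settings do not count
      match = SETTING.match(line) or next
      result = case match[1]
               when "false" then :disabled
               when "true"  then :enabled
               else :dynamic
               end
    end
    result
  end

  # Resolves config/environments/<env>.rb under app_root (env defaults to RAILS_ENV, then
  # "development", mirroring RAILS_ENV=development veracode prepare) and checks it;
  # returns :missing when the file does not exist.
  def self.check_environment(app_root, env = ENV.fetch("RAILS_ENV", "development"))
    path = File.join(app_root, "config", "environments", "#{env}.rb")
    return :missing unless File.file?(path)
    check_source(File.read(path))
  end
end

# Constructed sample environment files, used only to exercise the check.
SAMPLE_DEVELOPMENT_RB = <<~RUBY
  YourApp::Application.configure do
    # config.cache_classes = true
    config.cache_classes = false # required for veracode prepare
    config.whiny_nils = true
  end
RUBY

SAMPLE_PRODUCTION_RB = <<~RUBY
  YourApp::Application.configure do
    config.cache_classes = true
  end
RUBY

# Writes the samples into a throwaway app skeleton and checks each environment.
def demo_cache_classes_check
  Dir.mktmpdir("railsapp") do |root|
    envs = File.join(root, "config", "environments")
    FileUtils.mkdir_p(envs)
    File.write(File.join(envs, "development.rb"), SAMPLE_DEVELOPMENT_RB)
    File.write(File.join(envs, "production.rb"), SAMPLE_PRODUCTION_RB)
    %w[development production test].map { |e| [e, CacheClassesCheck.check_environment(root, e)] }.to_h
  end
end

if __FILE__ == $PROGRAM_NAME
  demo_cache_classes_check.each { |env, state| puts "#{env}: cache_classes #{state}" }
end
```

Run the script from the directory that contains the Rails application, or call CacheClassesCheck.check_environment with the application root; a :dynamic result means the value depends on an expression and should be confirmed by hand for the environment you pass to veracode prepare.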

Package your Ruby on Rails application

You package Ruby on Rails applications with the veracode gem.

To complete this task:

  1. Insert the following dependency in the Gemfile of your application:

    # Add the following to /your/ruby/on/railsapp/Gemfile
    gem 'veracode'

    Note: If you removed the default https://rubygems.org/ source from your Ruby configuration file, you must restore it.

  2. For Ruby versions earlier than 2.4, you must add the following lines to your Gemfile to specify a compatible version of rubyzip:

    source 'https://rubygems.org'
    gem 'rubyzip', '~>1.0'
  3. Run the following command sequence to install the application dependencies, Rails, and the veracode gem:

    $ cd /your/ruby/on/railsapp
    railsapp $ rvm use {your version}@veracode
    railsapp $ bundle install --without development test # or other non-production dependency groups
  4. Run the following subcommand to create the ZIP archive:

    railsapp $ veracode prepare
  5. In the tmp folder of the application, find the new file named veracode-[application name]-[YYYYmmddHHMMSS timestamp].zip.

  6. Upload the ZIP archive to Veracode.

Using veracode prepare

You can create an archive by running the veracode prepare command with the following sequence:

$ cd /{user-folder}/ruby/on/railsapp
railsapp $ rvm current # validates correct ruby and gemset are being used
railsapp $ veracode prepare

The prepare subcommand uses the following syntax:

veracode prepare
veracode prepare [-h|--help]
veracode prepare [-v|--verbose]

The prepare subcommand creates the archive that you upload to Veracode.

The gem produces an archive in ZIP format and saves it in the tmp folder of the application, for example, /my/ruby/on/railsapp/tmp. The prepare subcommand creates a file named veracode-[application name]-[YYYYmmddHHMMSS timestamp].zip. Upload this file to Veracode.

If an error occurs while preparing the application, you can view the error log at tmp/veracode-[YYYYmmddHHMMSS timestamp]/error.log. Include this file with any support requests you make to Veracode.
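As an added example that is not part of the veracode gem, the script below covers the last steps of the packaging procedure above and the output description in this section: after veracode prepare finishes, it locates the archive written to the tmp folder using the documented veracode-[application name]-[YYYYmmddHHMMSS timestamp].zip name, picks the newest one for upload, and reports the newest tmp/veracode-[timestamp]/error.log. Module and method names are assumptions, and the sample tmp layout is constructed; whether an error-log directory shares its timestamp with a particular archive is not stated on the page, so the newest log is reported independently.

```ruby
require "time"
require "tmpdir"
require "fileutils"

# Added example (not code from the veracode gem): find what `veracode prepare` wrote to tmp/.
module PrepareOutput
  ARCHIVE   = /\Averacode-(?<app>.+)-(?<ts>\d{14})\.zip\z/  # veracode-[app]-[YYYYmmddHHMMSS].zip
  ERROR_DIR = /\Averacode-(?<ts>\d{14})\z/                  # tmp/veracode-[YYYYmmddHHMMSS]/error.log

  Archive = Struct.new(:path, :app, :timestamp)

  # Every archive in app_root/tmp whose name matches the documented pattern, newest first
  # by the timestamp embedded in the file name. Other ZIP files in tmp are ignored.
  def self.archives(app_root)
    tmp = File.join(app_root, "tmp")
    Dir.glob(File.join(tmp, "veracode-*.zip")).map do |path|
      m = ARCHIVE.match(File.basename(path)) or next
      Archive.new(path, m[:app], Time.strptime(m[:ts], "%Y%m%d%H%M%S"))
    end.compact.sort_by(&:timestamp).reverse
  end

  # The archive to upload: the most recent one, or nil if prepare produced none.
  def self.newest_archive(app_root)
    archives(app_root).first
  end

  # Path of the newest tmp/veracode-<timestamp>/error.log, or nil when no log exists.
  def self.latest_error_log(app_root)
    tmp = File.join(app_root, "tmp")
    logs = Dir.glob(File.join(tmp, "veracode-*", "error.log")).select do |log|
      ERROR_DIR.match?(File.basename(File.dirname(log)))
    end
    logs.max_by { |log| File.basename(File.dirname(log)) }  # fixed-width timestamps sort lexically
  end
end

# Constructed tmp/ layout resembling two prepare runs, the second of which also logged errors.
def build_sample_app(root)
  tmp = File.join(root, "tmp")
  FileUtils.mkdir_p(File.join(tmp, "veracode-20240102093000"))
  File.write(File.join(tmp, "veracode-my-app-20240101120000.zip"), "PK")  # placeholder, not a real zip
  File.write(File.join(tmp, "veracode-my-app-20240102093000.zip"), "PK")
  File.write(File.join(tmp, "veracode-20240102093000", "error.log"), "sample error line\n")
  File.write(File.join(tmp, "unrelated.zip"), "PK")                       # must be ignored
  root
end

# Runs the lookup against the constructed layout and returns a summary hash.
def demo_prepare_output
  Dir.mktmpdir("railsapp") do |root|
    build_sample_app(root)
    newest = PrepareOutput.newest_archive(root)
    {
      app: newest.app,
      timestamp: newest.timestamp.strftime("%Y-%m-%d %H:%M:%S"),
      archive: File.basename(newest.path),
      error_log: PrepareOutput.latest_error_log(root)&.delete_prefix(root + "/"),
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  demo_prepare_output.each { |key, value| puts "#{key}: #{value}" }
end
```

On a real application, call PrepareOutput.newest_archive with the application root after veracode prepare completes; if latest_error_log returns a path, attach that file to any support request, as the documentation above asks.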