ci: Add bundler-audit dependency scan to CI workflow (WA-CI-014)

[kitcommerce]

Fixes #1046

Adds a dedicated bundler-audit (bundle-audit) job to CI so every PR is scanned for known Ruby gem CVEs.

Client Impact

None — CI-only change.

[kitcommerce]

Architecture Review

Verdict: PASS ✅

Reviewer: architecture
Wave: 1
Scope: Structural integrity, layer boundaries, module coupling, separation of concerns

---

Analysis

This PR modifies a single file: . It adds a standalone CI job.

Checklist:

• New imports: N/A (CI YAML, not application code)
• New types/modules: None
• Protocol conformances: None
• Cross-layer calls: None
• New files: None (in-place YAML edit only)
• Deleted abstractions: None

The new job is a leaf node in the CI DAG — it has no needs: dependencies and no other job depends on it. It is architecturally isolated. The job does not introduce any coupling to application code, nor does it alter how existing CI jobs are structured or sequenced.

The decision to run bundler-audit as a separate job (rather than embedding it in an existing job like static_analysis) is sound: it keeps concerns separated, failure is independently reportable, and the job can be tuned (timeout, Ruby version) without touching unrelated CI work. The issue notes this as a follow-up consideration to evaluate the static_analysis matrix — the current standalone approach is the right first step.

No architectural findings.

---

No findings to report. Change is structurally clean.

[kitcommerce]

Simplicity Review

Verdict: PASS ✅

Reviewer: simplicity
Wave: 1
Scope: YAGNI, over-engineering, unnecessary abstraction, accidental complexity

---

Analysis

The change adds 28 lines of CI YAML for a bundler_audit job. Evaluating against YAGNI and complexity criteria:

Checklist:

• New protocols/abstractions: None
• New generics: None
• New base classes: None
• New configuration/strategy/factory patterns: None
• New abstract layers: None
• Scaffolding proportionality: 28 lines to add a security scan job — proportionate

Observations:

The job is minimal and direct: checkout → setup Ruby → install gem → update advisory DB → run check. Each step has exactly one responsibility. There is no unnecessary indirection, no configuration options that aren't used, and no future-proofing beyond what's needed.

The --config .bundler-audit.yml flag references an acknowledgment file that may not exist yet on the next branch. This is forward-looking but not over-engineered — it's the correct pattern for bundler-audit (the tool supports it natively, and the comment in the YAML explains the intended use case). This is appropriate complexity, not accidental complexity.

The 10-minute timeout is a reasonable upper bound for this kind of task and keeps CI predictable.

No simplicity findings.

---

Change is proportionate to the problem it solves. No YAGNI or over-engineering detected.

[kitcommerce]

Security Review

Verdict: PASS ✅

Reviewer: security
Wave: 1
Scope: Secrets, auth, data exposure, input validation, injection, cryptography, supply chain

---

Analysis

This PR is a CI YAML-only change. Security review focuses on CI supply-chain hygiene and the configuration of the new job.

Checklist:

• Secrets in code: None
• Authentication/authorization changes: None
• Data exposure: None
• Input validation changes: None
• Insecure storage: None
• Injection risks: None
• Cryptographic changes: None
• Third-party exposure: None

Supply-chain safety (positive findings):

Both GitHub Actions are pinned to commit SHAs rather than mutable tags:

• actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
• ruby/setup-ruby@4eb9f110bac952a8b68ecf92e3b5c7a987594ba6

This is a security best practice — it prevents a compromised or force-pushed tag from silently executing different code in CI. The comments labeling the version (# ruby/setup-ruby v1.292.0) maintain human readability. This is exactly the right pattern.

Advisory database update:

The bundle-audit update step pulls the latest ruby-advisory-db before scanning. This is correct — without it, the scan would be stale and potentially miss recent CVEs. The trade-off (network call in CI) is entirely appropriate.

gem install bundler-audit:

Installing via gem install without a pinned version means the latest bundler-audit will be fetched each run. This is a minor supply-chain surface: if the bundler-audit gem were ever compromised, CI would pick it up automatically. A LOW-severity note, but not a blocking finding given that bundler-audit is a well-maintained security tool with a small attack surface. Consider pinning via gem install bundler-audit -v X.Y.Z in a future iteration.

Overall: The job is well-constructed from a security standpoint. SHA pinning of actions is exemplary. The unpinned gem install is a LOW hygiene note, not a blocker.

---

Findings: 1 (LOW, non-blocking)
Recommend merge. LOW finding may be addressed in a follow-up.

[kitcommerce]

Rails Conventions Review

Verdict: PASS ✅

Reviewer: rails-conventions
Wave: 1
Scope: Rails idioms, convention over configuration, ActiveRecord patterns, REST purity, controller/model design

---

Analysis

This PR modifies only — a CI pipeline file with no Rails application code. There are no controllers, models, concerns, callbacks, scopes, routes, or ActiveRecord queries to evaluate.

Checklist:

• Controller actions: N/A
• Model methods: N/A
• Service objects: N/A
• Callbacks: N/A
• Route additions: N/A
• Concern inclusions: N/A
• ActiveRecord queries: N/A
• Rails abstractions: N/A

CI conventions note (positive):

The job name follows the existing CI file's naming convention (snake_case job IDs, kebab-case display names), consistent with the other jobs in . The step naming is clear and imperative (Install bundler-audit, Update advisory database, Run bundler-audit), matching the style of existing steps.

No Rails conventions findings. This reviewer scope does not apply to CI infrastructure files.

---

No application code changed. Rails conventions review is not applicable. Change is CI-hygiene only.

[kitcommerce]

Wave 2 Review Summary

Wave: 2 (rails-security, database, test-quality)
Gate: ✅ PASS — all three reviewers green

---

🔐 Rails-Security Review — PASS_WITH_NOTES

SHA Pinning: ✅ Verified correct

• actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 → exactly matches the v4 tag
• ruby/setup-ruby@4eb9f110bac952a8b68ecf92e3b5c7a987594ba6 → exactly matches the v1.292.0 tag

Permissions: ✅ Covered

• Top-level permissions: contents: read in ci.yml applies to all jobs including bundler_audit. No job-level override needed.

Notes (non-blocking):

1. gem install bundler-audit is unpinned — installs latest from RubyGems at runtime with no version constraint. This is a mild supply-chain concern. The static_analysis job already runs bundle exec bundler-audit via the Gemfile.lock (pinned), so the new standalone job uses a less-controlled install path. Consider gem install bundler-audit --version '~> 0.9' or moving to bundle exec style.
2. Duplication — bundler-audit now runs in two CI jobs (static_analysis via bundle exec, and the new bundler_audit standalone job). This doubles CVE scan time without additional coverage. The new job is the cleaner dedicated check, but the team may want to remove the scan from static_analysis to avoid redundancy.

---

🗄️ Database Review — PASS

No database schema, migration, or query changes. This is a CI-only workflow addition.

Advisory database caching: bundle-audit update fetches ruby-advisory-db from GitHub on each run. No GH Actions cache configured, which means ~5–10s network overhead per run and theoretical rate-limit risk on very busy days. Non-blocking — acceptable for current CI volume.

---

🧪 Test-Quality Review — PASS

Step order: ✅ Correct — bundle-audit update (fetches latest CVE advisories) runs before bundle-audit check (scans against those advisories). This is the required and documented workflow.

.bundler-audit.yml: ✅ Exists — file is present on both the PR branch and next (2,824 bytes). Not a blocker.

Job structure assessment: Well-formed. timeout-minutes: 10 is appropriate. The inline comment in the Run bundler-audit step explaining how to fix failures and use acknowledgments is good operational documentation.

Minor note: The --update flag on bundle-audit check (used in static_analysis) would collapse update+check into one step. The two-step approach in bundler_audit is also valid and arguably more legible.

---

Wave 2 Verdict: ✅ GATE PASS

All three reviewers passed. No blocking findings. Two low-severity notes for the team's consideration (unpinned gem install, job duplication) — neither requires changes before merge.

[kitcommerce]

Wave 3 Gate Result ✅ PASS

Auto-generated by Kit (OpenClaw review pipeline) · Wave 3 of 4 · 2026-03-17T05:55:30Z

Reviewer	Verdict	Notes
performance	PASS	CI-only workflow change — no application performance impact
accessibility	PASS	CI-only change — no UI or user-facing surface
frontend	PASS	CI-only change — no JS/HTML/Stimulus/Turbo changes

All three Wave 3 reviewers passed. Proceeding to Wave 4 (documentation).

[kitcommerce]

Wave 4 Documentation Review

Notes: The added workflow steps already include helpful inline comments (pin rationale + what a failure means and how to remediate), which is great for future maintainers.

[kitcommerce]

Wave 4 Documentation Review

{
  "reviewer": "documentation",
  "verdict": "PASS_WITH_NOTES",
  "severity": null,
  "summary": "Workflow change is well-commented and PR description is clear; only minor verification note.",
  "findings": [
    {
      "severity": "LOW",
      "file": ".github/workflows/ci.yml",
      "line": 72,
      "issue": "PR description explains what/why, but does not include explicit 'how to verify' steps (e.g., how to confirm the new bundler-audit job runs).",
      "suggestion": "Add a short verification note in the PR body (for example: re-run CI on this PR and confirm the new 'bundler-audit' job appears and passes/fails as expected)."
    }
  ]
}

Notes: The added workflow steps already include helpful inline comments (pin rationale + what a failure means and how to remediate), which is great for future maintainers.

[kitcommerce]

✅ All Review Waves Passed

All reviewers returned PASS or PASS_WITH_NOTES. This PR is merge-ready.

• Wave 1 (Foundation): ✅
• Wave 2 (Correctness): ✅
• Wave 3 (Quality): ✅
• Wave 4 (Documentation): ✅

Labeled merge:ready. Awaiting auto-merge (hold window: 60 min).