@@ -15,23 +15,23 @@ is doing each day to keep the ecosystem safe.
1515
1616** RubyGems.org security uses a proactive and multi-layered approach:**
1717
18- 1 . ** Automated detection:** Every gem upload is analyzed using both
19- static and dynamic code analysis, including behavioral checks and
20- metadata review. Much of this capability comes from Mend.io’s
21- supply chain security tooling (originally built by our own Maciej
22- Mensfeld, a maintainer on the RubyGems team).
18+ ** 1. Automated detection:** Every gem upload is analyzed using both
19+ static and dynamic code analysis, including behavioral checks and
20+ metadata review. Much of this capability comes from Mend.io’s
21+ supply chain security tooling (originally built by our own Maciej
22+ Mensfeld, a maintainer on the RubyGems team).
2323
24- 2 . ** Risk scoring:** Each package is given a score. Higher-risk gems
25- are escalated for manual review by a member of our security team.
24+ ** 2. Risk scoring:** Each package is given a score. Higher-risk gems
25+ are escalated for manual review by a member of our security team.
2626
27- 3 . ** Retroactive scanning:** As detection techniques improve, older
28- packages are automatically rescanned, which allows us to catch
29- threats that may have slipped through in the past. (This is how we
30- found the threat actor that Socket.dev later investigated.)
27+ ** 3. Retroactive scanning:** As detection techniques improve, older
28+ packages are automatically rescanned, which allows us to catch
29+ threats that may have slipped through in the past. (This is how we
30+ found the threat actor that Socket.dev later investigated.)
3131
32- 4 . ** External sources:** We sometimes receive alerts from vulnerability
33- databases, industry partners, and cross-registry collaborations,
34- which help us identify patterns across ecosystems.
32+ ** 4. External sources:** We sometimes receive alerts from vulnerability
33+ databases, industry partners, and cross-registry collaborations,
34+ which help us identify patterns across ecosystems.
3535
3636Through steps 1 - 3, our team detects the majority (roughly 70-80%) of
3737malicious packages before they are ever reported to us or the public.
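Review bot: moving the number inside the bold delimiters (`** 1. Automated detection:**` in place of `1 . ** Automated detection:**`) turns these four items from Markdown ordered-list items into bold-prefixed paragraphs, so the indented continuation lines no longer belong to a list item and the numbering becomes literal text that has to be maintained by hand. That is acceptable if the intent is to pin the displayed numbers, but the unchanged context line `Through steps 1 - 3, our team detects ...` depends on that numbering, so any later reordering must update the prose as well. Also confirm the rendered output: in CommonMark a space directly after the opening `**` (as in `** 1.`) prevents the emphasis from opening, although the same spacing appears in the untouched heading line above, so it may only be how this view displays the source.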
@@ -40,22 +40,22 @@ malicious packages before they are ever reported to us or the public.
4040
4141** Once a gem is flagged, we:**
4242
43- 1 . ** Verify:** A RubyGems security engineer reviews the code to confirm
44- malicious intent (about 95% of flagged packages prove to be
45- legitimate).
43+ ** 1. Verify:** A RubyGems security engineer reviews the code to confirm
44+ malicious intent (about 95% of flagged packages prove to be
45+ legitimate).
4646
47- 2 . ** Double-check:** When there’s any doubt, we seek a second opinion
48- within the team.
47+ ** 2. Double-check:** When there’s any doubt, we seek a second opinion
48+ within the team.
4949
50- 3 . ** Remove:** Confirmed malicious gems are removed via a standardized
51- process in our admin panel.
50+ ** 3. Remove:** Confirmed malicious gems are removed via a standardized
51+ process in our admin panel.
5252
53- 4 . ** Document:** Every action is logged with reasoning for
54- traceability.
53+ ** 4. Document:** Every action is logged with reasoning for
54+ traceability.
5555
56- 5 . ** Protect further:** In some cases, we preemptively block suspicious
57- gem names (for example, ones mimicking company internals) to
58- prevent possible abuse.
56+ ** 5. Protect further:** In some cases, we preemptively block suspicious
57+ gem names (for example, ones mimicking company internals) to
58+ prevent possible abuse.
5959
6060# This Incident
6161
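Review bot: the same conversion is applied consistently to all five steps here, which keeps the two lists in the same style, but note the side effect: ordered-list markup tells assistive technology that this is a five-item list, while bold paragraphs do not, and an item inserted later will not renumber automatically. If list semantics are wanted, keep the number outside the bold span (`1. **Verify:**`) and fix the original spacing problem instead; if the literal numbering is intentional, the two lists should be edited together whenever either changes.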