Static Analysis of code

[bagmangood]

Gemsurance currently requires both the ruby version and all of the dependencies installed in order to run the check.

Ideally you could run the check with only needing to install gemsurance

[martinstreicher]

I don't understand this. The Gemfile specifies the Ruby version, too.

[bagmangood]

I was attempting to use gemsurance to generate safety reports in CI. Gemsurance's current mechanisms require all of your project's dependencies to be currently installed.

Ideally you'd be able to only have ruby and gemsurance installed in an environment and still be able to generate the gemsurance report.

[martinstreicher]

So the idea is that it would read Gemfile.lock and use it solely to do its thing?

…

On Dec 6, 2018, at 4:26 PM, Nick Gordon ***@***.***> wrote: I was attempting to use gemsurance to generate safety reports in CI. Gemsurance's current mechanisms require all of your project's dependencies to be currently installed. Ideally you'd be able to only have ruby and gemsurance installed in an environment and still be able to generate the gemsurance report. — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#30 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAB6V1vntLhg2Ggph_S3yZaUzcqufe-vks5u2YuFgaJpZM4OF4rJ>.

[bagmangood]

yup - that was what I was aiming for. I think it might require a substantial re-write of the internals, since right now gemsurance leverages bundler's code for wrapping all of the calls to rubygems.

[jonkessler]

I think that could make sense as an additional use case, but I wouldn’t replace the way it’s currently done.