Tool integration

RuboCop Integration Guide

Ruby static analyzer and formatter with JSON output

Get a Free API Key

Integrate RuboCop with Vulnetix. Lint Ruby code for style violations, security issues, and performance anti-patterns, then upload JSON results.

RubyCLI toolJSON

Install & scan

$ gem install rubocop

# Or add to Gemfile
bundle add rubocop --dev
$ rubocop --format json --out rubocop.json

Run RuboCop in CI

Scan on every push and upload the results to Vulnetix:

- name: Run RuboCop
  run: |
    gem install rubocop
    rubocop --format json --out rubocop.json

- name: Upload to Vulnetix
  run: vulnetix upload --file rubocop.json

How Vulnetix compares — better together

Vulnetix does not replace RuboCop. Keep running it. Vulnetix sits on top of RuboCop — and every other scanner you already own — turning disconnected tool outputs into one prioritised, fixable queue.

CapabilityVulnetixRuboCop
Security coverage
SAST (static code analysis)Built-in rules + Semgrep augmentation~ Lint + Security department cops catch unsafe Ruby patterns; primarily a style/quality analyzer, not a full SAST engine
SCA / dependencies40+ ecosystems, transitive graph
DAST (dynamic testing)~ Ingests DAST results; no native dynamic engine
Container & imageImage CVEs, base image, Dockerfile
IaC / misconfigurationTerraform, k8s, CloudFormation
Secret scanning1,000+ rules, source + binary + git history
Cloud / CSPMCloud-posture findings, compliance tab
Mobile (MAST)~ Ingests mobile scanner output; no native mobile engine
License complianceSPDX, copyleft/AGPL/SSPL policy
SBOM generationCycloneDX 1.7 + SPDX 2.3, cosign-signable
Malware / supply-chainDe-duplicated corpus + install-time firewall (25+ registries)
Network / infra vuln~ Ingests network scanner output; no native network scanner
FuzzingIngests fuzzing crashes; no native fuzzer
Pentest / bug bountyIngests pentest/bug-bounty findings; not a testing service
The Vulnetix orchestration layer
Cross-scanner dedup & one queue (ASPM)Correlates every scanner into one prioritised queue with ownership routing
Exploit-intel prioritisationEPSS, CISA KEV, Coalition ESS, CWSS, Vulnetix LEV
Reachability analysisTree-sitter + CVEAffected; direct/transitive/semantic
Versioned VEX + audit trailImmutable OpenVEX/CycloneDX, cosign-signable
Safe Harbour autofixResolves + applies the nearest safe version
End-of-life policyFlags/blocks past-EOL runtimes & packages
SSVC / risk-based policySSVC v2 + CISA/FedRAMP/Essential-8 presets

✓ full · ~ partial · ✗ not covered

What RuboCop does well

Where Vulnetix adds to it: Vulnetix ingests RuboCop findings into its cross-scanner queue, dedups Ruby code issues against dependency and secret findings, and applies EPSS/KEV exploit-intel prioritisation, reachability, versioned VEX and SSVC policy that RuboCop does not model. Vulnetix's native SAST plus Semgrep adds security-rule depth while RuboCop remains the language-native Ruby linter/formatter it never replaces.

No migration, no rip-and-replace. RuboCop keeps doing what it does best; Vulnetix adds the orchestration, exploit-intelligence prioritisation and remediation layer built for the way AppSec works today.

Centralise RuboCop results in Vulnetix

Upload RuboCop JSON output to the Vulnetix platform to deduplicate findings, prioritise them with EPSS, CISA KEV and Coalition ESS exploit intelligence, and track remediation across every scanner in a single queue.

RuboCop documentation ↗  ·  Source repository ↗

Wire RuboCop into your CI/CD pipeline →