by brynary 4847 days ago
If anyone has any questions about Code Climate, Security Monitor, or how all this works, let me know.

Yeah, could you explain a bit more in-depth how the security monitor works? What sort of vulnerabilities it catches, etc.?

PS. The site looks great, I am importing my first repository right now. Great job!

Absolutely. It's all static analysis -- so we're pulling all the information we can out of the codebase without running the code. Under the hood, it's based on the Brakeman open source tool: https://github.com/presidentbeef/brakeman

It looks for all the big issues (XSS, CSRF, SQLi). In many cases it means keeping track of where user input enters the system (e.g. params) and how it is eventually used. So if you interpolate a param into a string and then give that string to ActiveRecord, it will produce a warning with high confidence you're vulnerable to SQL injection.

We run it every 2-3 hours on your repo, then look for new things that come up and send out alerts.

More info about Security Monitor is here: https://codeclimate.com/security-monitor
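To make the params-to-ActiveRecord taint tracking described above concrete, here is an added toy illustration in Ruby (not Brakeman's or Code Climate's code): `params` is the source, a handful of ActiveRecord query methods are the sinks, and a string that interpolates params is flagged when it reaches a sink directly (high confidence) or through a local variable (medium), while hash conditions and bind parameters are left alone. The sample controller is constructed, and the line-oriented regex matching is a simplification; Brakeman works on a parsed AST.

```ruby
# Toy taint tracker in the spirit of Brakeman's SQLi check (not Brakeman's code).
# Source: anything read from `params`. Sinks: ActiveRecord query methods that take
# raw SQL fragments. A string interpolating params that reaches a sink is reported.
SINKS = %w[where find_by_sql order group having select].freeze
# A double-quoted string literal that interpolates params, e.g. "id = #{params[:id]}"
TAINTED_LITERAL = /"[^"]*#\{[^}]*params\[[^\]]*\][^}]*\}[^"]*"/

def find_sqli_warnings(source)
  tainted_vars = {} # local name => line where it was assigned a tainted string
  warnings = []
  source.each_line.with_index(1) do |line, lineno|
    # Remember locals holding a param-interpolated string (no scoping: simplification)
    if (m = line.match(/\A\s*(\w+)\s*=\s*#{TAINTED_LITERAL}/))
      tainted_vars[m[1]] = lineno
      next
    end
    sink = SINKS.find { |s| line =~ /\.#{s}[\s(]/ }
    next unless sink
    if line =~ TAINTED_LITERAL
      # params interpolated straight into the query string: high confidence
      warnings << { line: lineno, sink: sink, confidence: :high }
    elsif (var = tainted_vars.keys.find { |v| line =~ /\b#{v}\b/ })
      # the tainted string flowed through a variable first: medium confidence
      warnings << { line: lineno, sink: sink, confidence: :medium, via: var }
    end
  end
  warnings
end

# Constructed sample controller (not real project code)
SAMPLE_CONTROLLER = <<~'RUBY'
  class UsersController < ApplicationController
    def search
      @users = User.where("name = '#{params[:name]}'") # interpolated: warned (high)
    end

    def sort
      clause = "#{params[:col]} DESC"
      @users = User.order(clause)                       # via variable: warned (medium)
    end

    def safe
      @users = User.where(name: params[:name])          # hash conditions: fine
      @others = User.where("name = ?", params[:name])   # bind parameter: fine
    end
  end
RUBY
```

Calling `find_sqli_warnings(SAMPLE_CONTROLLER)` reports lines 3 and 8 of the sample and nothing for the `safe` action.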