by piggity 4766 days ago
Interesting idea, it looks like you scan the Gemfile.lock (or equivalent) at "deploy" time.

My preference would be to upload that Gemfile.lock to a location, and then it could be scanned as and when new vulnerabilities were detected.


The problem with an upload is that you rely on someone to re-upload when they change their Gems. Changing the locked Gems means a re-check is needed, as they might have switched to bad versions.

Making this automatic is the key part - if you don't get burned very often, you'll eventually forget to do the right thing manually and open yourselves to badness.
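The deploy-time check both commenters describe, as an added example that is not part of the thread or of the tool under discussion: it parses the locked versions out of a Gemfile.lock and compares each against an advisory list. The lockfile content and the advisory entries (including their ids) are constructed for illustration; a real check would load a current advisory feed on every run, which is what makes re-checking on each change automatic.

```ruby
# Added example (not the thread's or the discussed tool's code).
# Constructed sample Gemfile.lock; not a real project's lockfile.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (1.4.0)
      rails (3.2.1)
        rack (~> 1.4.0)
      nokogiri (1.5.9)

  PLATFORMS
    ruby

  DEPENDENCIES
    rails (= 3.2.1)
LOCK

# Constructed advisories keyed by gem name. The ids are placeholders, not real
# advisory identifiers; a real scanner would fetch these from an advisory feed.
ADVISORIES = {
  "rack"     => [{ id: "ADV-PLACEHOLDER-1", vulnerable: "< 1.4.5", fixed: "1.4.5" }],
  "nokogiri" => [{ id: "ADV-PLACEHOLDER-2", vulnerable: ">= 1.5.0, < 1.5.10", fixed: "1.5.10" }],
}

# Returns { gem_name => Gem::Version } for the top-level entries under "specs:".
# Top-level specs are indented four spaces and carry a pinned version; deeper
# lines are their dependencies and carry requirements, so they are skipped.
def parse_locked_gems(lock_text)
  locked = {}
  in_specs = false
  lock_text.each_line do |line|
    in_specs = true  if line.strip == "specs:"
    in_specs = false if line.strip.empty?
    next unless in_specs
    m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/)
    locked[m[1]] = Gem::Version.new(m[2]) if m
  end
  locked
end

# One finding per advisory whose vulnerable range contains the locked version.
# Comma-separated constraints in the range are ANDed, as Gem::Requirement does.
def scan_lockfile(lock_text, advisories = ADVISORIES)
  parse_locked_gems(lock_text).flat_map do |name, version|
    hits = (advisories[name] || []).select do |a|
      Gem::Requirement.new(*a[:vulnerable].split(", ")).satisfied_by?(version)
    end
    hits.map { |a| { gem: name, locked: version.to_s, advisory: a[:id], fixed: a[:fixed] } }
  end
end

scan_lockfile(SAMPLE_LOCK).each { |f| puts "#{f[:gem]} #{f[:locked]}: #{f[:advisory]} (fixed in #{f[:fixed]})" }
```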