Hardcoded RubyGems API in source codeSCT-1029

Using a hardcoded RubyGems API key in the source code can pose a serious security risk as it may give unauthorized access to RubyGems resources, leading to a data breach and financial loss. If an API key has been leaked, you can revoke your API key to mitigate the vulnerability.

Bad practice

require 'rubygems'
require 'gem_name'

RubyGems.api_key = "HARDCODED_API_KEY"

def publish_gem(spec)
  Gem::Package::build(spec)
  Gem::Commands::PushCommand.new.process_args([spec.name + "-" + spec.version.to_s + ".gem"])
end

Recommended

require 'rubygems'
require 'gem_name'
require 'dotenv'
Dotenv.load

RubyGems.api_key = ENV['RUBYGEMS_API_KEY']

def publish_gem(spec)
  Gem::Package::build(spec)
  Gem::Commands::PushCommand.new.process_args([spec.name + "-" + spec.version.to_s + ".gem"])
end