Reviews and Audits
This section contains information on the security reviews and audits that have been performed against the RapidRetail codebase, and when possible, a link to their results. The date of the most recent review/audit is also provided.
Semgrep (Continuous, Automated)
Semgrep is an automated platform that provides the following reviews:
- Static scan (SAST)
- Supply chain vulnerability scan (SCA)
- License compatibility scan
SAST
Semgrep SAST rates Ruby and the Rails framework as "generally available", meaning support for them is mature and commercially backed. Through Semgrep Pro we additionally benefit from Pro-exclusive rules that are not part of the community ruleset.
SCA
Semgrep SCA supports reachability analysis, which determines whether the vulnerable portion of a dependency is actually called from the project's code rather than merely being present in the lockfile. It can also identify malicious dependencies.
Last report
Semgrep is run as part of our CI/CD pipeline, and each merge request is tested before merging to the current branch.
At the time of this writing, 2025-11-13, it has identified 24 issues. 19 have been flagged as "False positive". Four have been flagged as "acceptable risk", which are detailed below:
- lib/active_setting/setting.rb:137
  - Rule violated: avoid html_safe
  - Reason: We use HTML Settings for HTML content provided by the storefront owner. This is intentional and by-design.
- app/controllers/orders_controller.rb:40, app/controllers/orders_controller.rb:57, app/controllers/orders_controller.rb:59
  - Rule violated: avoid redirect
  - Reason: This is required to be able to render order success pages for guests.
A full report, including all false positives, can be obtained by any current store owner via WTI Client Care. Interested community members may request a copy of the full report in CSV format via WTI Open Outreach.
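The "avoid redirect" finding above is accepted because the redirect is needed for guest order success pages; the usual way to keep such an accepted finding from turning into an open redirect is to confine the target to the storefront's own host. The following is an added illustration, not RapidRetail's own code: `safe_redirect_target`, `STORE_HOST` and `DEFAULT_TARGET` are assumed names, and the inputs are constructed.

```ruby
require "uri"

# Assumed values for this example (not taken from the RapidRetail codebase).
STORE_HOST = "store.example"
DEFAULT_TARGET = "/orders/success"

# Returns a redirect target that is safe to hand to a redirect call:
# either a same-site path, an absolute http(s) URL on the store's host,
# or the fallback when the candidate is anything else.
def safe_redirect_target(candidate, store_host: STORE_HOST, fallback: DEFAULT_TARGET)
  return fallback if candidate.nil? || candidate.strip.empty?
  value = candidate.strip

  begin
    uri = URI.parse(value)
  rescue URI::InvalidURIError
    # Backslashes and other characters outside RFC 3986 never parse; reject them.
    return fallback
  end

  # Absolute reference (or protocol-relative "//host/..."): only http(s) to our
  # own host, and no userinfo, so "http://store.example@other/" is rejected.
  if uri.scheme || uri.host
    ok = %w[http https].include?(uri.scheme.to_s.downcase) &&
         uri.host.to_s.downcase == store_host &&
         uri.userinfo.nil?
    return ok ? value : fallback
  end

  # Relative reference: require a rooted path and no backslash, since browsers
  # treat "/\host" like "//host". Paths without a leading slash are rejected too.
  path = uri.path.to_s
  return fallback unless path.start_with?("/") && !path.start_with?("//")
  return fallback if path.include?("\\")
  value
end
```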
glsa-check (Continuous, Automated)
Systems on the Finland hosting platform that run Gentoo Linux sync their Portage repository nightly. After they complete the sync, each server emails the output of `glsa-check -t affected` to the administration team.
When discovered, vulnerabilities are triaged within 24 hours and resolved within the time allowed for their risk category:
| Risk Category | Required Time to Fix |
|---|---|
| Critical | 24 hours |
| High | 48 hours |
| Medium | 72 hours |
| Low | 10 days |
Last report
At the time of this writing, 2025-11-13:
```console
host01 ~ # glsa-check -t affected
This system is not affected by any of the listed GLSAs
host02 ~ # glsa-check -t affected
This system is not affected by any of the listed GLSAs
ldap01 ~ # glsa-check -t affected
This system is not affected by any of the listed GLSAs
```