It'd be nice to have a cli flag to allow pointing bundler-audit to an arbitrary config file, i.e

bundle-audit --config bundler-config.yml

My use-case for this is that we have a central project auditor that runs against all of our projects and audits them with compatible tools (i.e if there's a package-lock.json it does npm audit, if there's a Gemfile it does bundle-audit, if there's a requirements.txt it does safety, etc).

This tool is managed by our long-term app support team, so maintains its own ignore lists for each project independently of the projects themselves - this means for tools that support config files we explicitly ensure project-level versions of these files are not used when auditing (commonly by pointing at a blank version of that tools config).

Being able to provide an explicit path to the config would allow us to ensure this for bundler-audit, as well as let us maintain ignore lists for each app in their own file without any extra work (this is what we currently do for javascript auditing, since we use audit-app which supports a custom path).

I've not yet played around with v0.8.0, so it's possible that bundler-audit ignores the ignores in the config file if you use the --ignore flag, but there's a number of ways you could interpret having both the --ignore flag + a config (i.e merging vs overriding; + what if I don't have any CVEs to ignore?)

I'm happy to help implement this, but don't know when I'll have the time so opening an issue in-case others want to implement :)

A --config-file option sounds like a generally good feature idea. Currently, there is no --no-ignore or --no-config-file options for disabling any ignored advisory IDs from the config file. The current behavior is that if --ignore is specified, the explicit ignores will override the config file's ignores listed, instead of unioning the two ignore lists together.

@postmodern glad you think so! I've got a PR open implementing this - let me know if you'd like any changes made :)

Merged #306. Had to rebase and squash.

The current behavior is that if --ignore is specified, the explicit ignores will override the config file's ignores listed, instead of unioning the two ignore lists together.

Just to follow up: while that might be true, you can't pass an empty ignore (i.e --ignore by itself results in No value provided for option '--ignore') - imo the best way to support this would be with a --no-config, but it seems that Thor currently doesn't support that natively.

I've left a comment on rails/thor#733 which I think would be the pathway to supporting this in Thor, which'd allow supporting that here by extension.