- Type: Task
- Resolution: Fixed
- Priority: Unknown
- Affects Version/s: None
- Component/s: None
MongoDB Inc.'s Technical and Organizational Security Measures state:
5.2. Software Development Lifecycle. ... The SDLC includes regular code reviews, documented policies and procedures for tracking and managing all changes to our code, continuous integration of source code commits, code versioning, static and dynamic code analysis, vulnerability management, threat modeling, and bug hunts, as well as automated and manual source code analysis.
Presumably this requirement applies to driver projects, which are widely distributed to MongoDB customers. It appears that Mongoid, the MongoDB Ruby Driver, and the BSON library are not in compliance with this policy, exposing customers to potential security risks.
As a MongoDB customer, security is a top priority for me. Although I am agnostic to how this requirement is met, I recommend that the team look at RuboCop, which is the most widely adopted static code analysis tool in Ruby open source. As explained in MONGOID-5287, RuboCop provides a robust set of security checks, in addition to general code-quality and performance checks, and can be applied in a gradual manner that doesn't require changing any code on day one.
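As an added illustration of the gradual adoption described above (not the ticket reporter's or the bson-ruby project's own configuration), a `.rubocop.yml` that enables only RuboCop's Security department first and parks every pre-existing offense in a generated todo file, so the check can be wired into CI without touching existing code. The target Ruby version and the excluded directories are assumptions.

```yaml
# .rubocop.yml  (added example; assumed layout, not the project's own file)
#
# Gradual adoption: run `rubocop --auto-gen-config` once to record every
# existing offense in .rubocop_todo.yml. From then on the build fails only
# on newly introduced offenses, so day one needs no code changes.
inherit_from: .rubocop_todo.yml

AllCops:
  TargetRubyVersion: 2.7        # assumed; set to the gem's minimum supported Ruby
  DisabledByDefault: true       # start from zero and opt in department by department
  Exclude:
    - 'vendor/**/*'             # assumed paths, adjust to the repository
    - 'tmp/**/*'

# Phase 1: security cops only. These flag unsafe deserialization and
# code evaluation, which is what a security review wants to see first.
# The cops are listed individually so the enabled set is explicit.
Security:
  Enabled: true
Security/Eval:
  Enabled: true
Security/MarshalLoad:
  Enabled: true
Security/YAMLLoad:
  Enabled: true
Security/JSONLoad:
  Enabled: true
Security/Open:
  Enabled: true

# Phase 2 (later): enable quality and performance departments one at a
# time, regenerating .rubocop_todo.yml after each step.
# Lint:
#   Enabled: true
# Style:
#   Enabled: true
```

A new offense in an enabled cop fails `rubocop` in CI while the todo file keeps the existing baseline quiet until it is worked down.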
- is related to: RUBY-3221 Add Static Analysis tool (Ruby Driver) (Closed)
- related to: MONGOID-5287 Mongoid: Code audit with Rubocop (Closed)