Merge pull request #334 from chaynHQ/add-brakeman-workflow

Add Brakeman workflow
chaynHQ · Aug 6, 2023 · 51968c1 · 51968c1
2 parents d8b5e51 + b4f94b5
commit 51968c1
Show file tree

Hide file tree

Showing 3 changed files with 63 additions and 2 deletions.
diff --git a/.github/workflows/brakeman.yml b/.github/workflows/brakeman.yml
@@ -0,0 +1,54 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow integrates Brakeman with GitHub's Code Scanning feature
+# Brakeman is a static analysis security vulnerability scanner for Ruby on Rails applications
+
+name: Brakeman Scan
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "main" ]
+  schedule:
+    - cron: '17 16 * * 6'
+
+permissions:
+  contents: read
+
+jobs:
+  brakeman-scan:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    name: Brakeman Scan
+    runs-on: ubuntu-latest
+    env:
+      BUNDLE_ONLY: security
+    steps:
+    # Checkout the repository to the GitHub Actions runner
+    - name: Checkout
+      uses: actions/checkout@v3
+
+    # Customize the ruby version depending on your needs
+    - name: Setup Ruby
+      uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0
+      with:
+        bundler-cache: true
+
+    # Execute Brakeman CLI and generate a SARIF output with the security issues identified during the analysis
+    - name: Scan
+      continue-on-error: true
+      run: |
+        bundle exec brakeman -f sarif -o output.sarif.json .
+
+    # Upload the SARIF file generated in the previous step
+    - name: Upload SARIF
+      uses: github/codeql-action/upload-sarif@v2
+      with:
+        sarif_file: output.sarif.json
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -56,10 +56,11 @@ jobs:
   ruby_linting:
     runs-on: ubuntu-latest
     name: Ruby Linting
+    env:
+      BUNDLE_ONLY: linting
     steps:
     - uses: actions/checkout@v3
     - uses: ruby/setup-ruby@v1
       with:
         bundler-cache: true
-    - run: bundle exec brakeman -q -w2
     - run: bundle exec rubocop --format progress --format github
diff --git a/Gemfile b/Gemfile
@@ -47,10 +47,16 @@ group :development do
   gem 'spring-watcher-listen', '~> 2.0.0'
   gem 'better_errors', '~> 2.5'
   gem 'binding_of_caller', '~> 0.8.0'
+  gem 'erb_lint', '~> 0.1.3', require: false
+end
+
+group :development, :linting do
   gem 'rubocop', '~> 1.28', require: false
   gem 'rubocop-performance', '~> 1.13', require: false
   gem 'rubocop-rails', '~> 2.14', require: false
-  gem 'erb_lint', '~> 0.1.3', require: false
+end
+
+group :development, :security do
   gem 'brakeman', '~> 4.10', '>= 4.10.1'
 end