From 7a6c52de3804620c77d231a11b0372cfcf25f150 Mon Sep 17 00:00:00 2001
From: Mark Tareshawty
Date: Sat, 5 Aug 2023 18:26:01 -0400
Subject: [PATCH 1/4] Create brakeman.yml

---
.github/workflows/brakeman.yml | 58 ++++++++++++++++++++++++++++++++++
1 file changed, 58 insertions(+)
create mode 100644 .github/workflows/brakeman.yml

diff --git a/.github/workflows/brakeman.yml b/.github/workflows/brakeman.yml
new file mode 100644
index 00000000..e90ca1fb
--- /dev/null
+++ b/.github/workflows/brakeman.yml
@@ -0,0 +1,58 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow integrates Brakeman with GitHub's Code Scanning feature
+# Brakeman is a static analysis security vulnerability scanner for Ruby on Rails applications
+
+name: Brakeman Scan
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ "main" ]
+ schedule:
+ - cron: '17 16 * * 6'
+
+permissions:
+ contents: read
+
+jobs:
+ brakeman-scan:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ name: Brakeman Scan
+ runs-on: ubuntu-latest
+ steps:
+ # Checkout the repository to the GitHub Actions runner
+ - name: Checkout
+ uses: actions/checkout@v3
+
+ # Customize the ruby version depending on your needs
+ - name: Setup Ruby
+ uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0
+ with:
+ ruby-version: '2.7'
+
+ - name: Setup Brakeman
+ env:
+ BRAKEMAN_VERSION: '4.10' # SARIF support is provided in Brakeman version 4.10+
+ run: |
+ gem install brakeman --version $BRAKEMAN_VERSION
+
+ # Execute Brakeman CLI and generate a SARIF output with the security issues identified during the analysis
+ - name: Scan
+ continue-on-error: true
+ run: |
+ brakeman -f sarif -o output.sarif.json .
+
+ # Upload the SARIF file generated in the previous step
+ - name: Upload SARIF
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: output.sarif.json

From a9bce39f54cc057021f351f6392e41814a6cd589 Mon Sep 17 00:00:00 2001
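Review bot: Action pinning is inconsistent within this new workflow: `ruby/setup-ruby` is pinned to a full commit SHA with a version comment, while `actions/checkout@v3` and `github/codeql-action/upload-sarif@v2` float on mutable major tags, so the header's own warning about uncertified third-party actions applies most to the two steps that are least locked down. Pin those two the same way, e.g. `uses: actions/checkout@<full-commit-sha> # v3.x.y` (placeholder — take the SHA from the release you intend to use), and let Dependabot or a comparable updater move the SHA and comment together. The `security-events: write` grant is also not honoured on `pull_request` runs from forks, where the token is read-only regardless of the `permissions` block; that is a platform limitation rather than a defect here, but a one-line comment next to the `pull_request` trigger would stop those upload failures from being chased later.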
From: Mark Tareshawty
Date: Sat, 5 Aug 2023 18:43:17 -0400
Subject: [PATCH 2/4] Add rubocop and brakeman to their own subgroups

---
Gemfile | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/Gemfile b/Gemfile
index 9cd770a8..2e8901d9 100644
--- a/Gemfile
+++ b/Gemfile
@@ -47,10 +47,16 @@ group :development do
 gem 'spring-watcher-listen', '~> 2.0.0'
 gem 'better_errors', '~> 2.5'
 gem 'binding_of_caller', '~> 0.8.0'
+ gem 'erb_lint', '~> 0.1.3', require: false
+end
+
+group :development, :linting do
 gem 'rubocop', '~> 1.28', require: false
 gem 'rubocop-performance', '~> 1.13', require: false
 gem 'rubocop-rails', '~> 2.14', require: false
- gem 'erb_lint', '~> 0.1.3', require: false
+end
+
+group :development, :security do
 gem 'brakeman', '~> 4.10', '>= 4.10.1'
 end

From 9571f5504be1f4c006f236857911d0beb1da3637 Mon Sep 17 00:00:00 2001
From: Mark Tareshawty
Date: Sat, 5 Aug 2023 18:43:56 -0400
Subject: [PATCH 3/4] Remove Brakeman from ruby_linting

---
.github/workflows/ci.yml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 36970dd3..17488f7b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -56,10 +56,11 @@ jobs:
 ruby_linting:
 runs-on: ubuntu-latest
 name: Ruby Linting
+ env:
+ BUNDLE_ONLY: linting
 steps:
 - uses: actions/checkout@v3
 - uses: ruby/setup-ruby@v1
 with:
 bundler-cache: true
- - run: bundle exec brakeman -q -w2
 - run: bundle exec rubocop --format progress --format github

From b4f94b53e70a83f0e04c97c32e5ae256703664c0 Mon Sep 17 00:00:00 2001
From: Mark Tareshawty
Date: Sat, 5 Aug 2023 18:44:09 -0400
Subject: [PATCH 4/4] Use Brakeman from Gemfile

---
.github/workflows/brakeman.yml | 12 ++++--------
1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/brakeman.yml b/.github/workflows/brakeman.yml
index e90ca1fb..b43fa493 100644
--- a/.github/workflows/brakeman.yml
+++ b/.github/workflows/brakeman.yml
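Review bot: The new `group :development, :security do` wrapper puts `gem 'brakeman', '~> 4.10', '>= 4.10.1'` in a group that Rails still requires at boot (assuming the usual `Bundler.require(*Rails.groups)` in config/application.rb, which is not visible here), yet the line has no `require: false` unlike every other tool gem in the hunk; `gem 'brakeman', '~> 4.10', '>= 4.10.1', require: false` keeps the scanner out of the development app process, where it is only ever invoked as a CLI. Separately, `erb_lint` is moved out of the group that becomes `:linting` and left in `:development` only, so a CI job installing with `BUNDLE_ONLY: linting` will not have it; the visible `ruby_linting` job runs only rubocop, but if erb_lint is executed in CI anywhere it needs to join the `:linting` group too.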
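Review bot: `BUNDLE_ONLY: linting` is set as job-level `env:` and left for `ruby/setup-ruby@v1` with `bundler-cache: true` to honour, and two things about that deserve confirmation before the trimmed install is trusted. `only` is a comparatively recent Bundler setting (2.4-era, as far as I recall); with an older `BUNDLED WITH` in Gemfile.lock it is ignored silently and every group is installed, which still works but is not what the variable promises, so a comment such as `# needs a Bundler that knows the "only" setting` on the `env:` line would help. This job and the `brakeman-scan` job in the following patch (`BUNDLE_ONLY: security`) both use the action's bundler cache against the same lockfile and Ruby; unless the action includes `BUNDLE_ONLY` in its cache key (the pinned v1.146.0 in the other workflow is what to check), one job can restore the other's partial `vendor/bundle` and then fail on a missing gem, in which case a distinct `cache-version:` input per job is the simplest fix.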
@@ -28,6 +28,8 @@ jobs:
 actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
 name: Brakeman Scan
 runs-on: ubuntu-latest
+ env:
+ BUNDLE_ONLY: security
 steps:
 # Checkout the repository to the GitHub Actions runner
 - name: Checkout
@@ -37,19 +39,13 @@ jobs:
 - name: Setup Ruby
 uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0
 with:
- ruby-version: '2.7'
-
- - name: Setup Brakeman
- env:
- BRAKEMAN_VERSION: '4.10' # SARIF support is provided in Brakeman version 4.10+
- run: |
- gem install brakeman --version $BRAKEMAN_VERSION
+ bundler-cache: true
 
 # Execute Brakeman CLI and generate a SARIF output with the security issues identified during the analysis
 - name: Scan
 continue-on-error: true
 run: |
- brakeman -f sarif -o output.sarif.json .
+ bundle exec brakeman -f sarif -o output.sarif.json .
 
 # Upload the SARIF file generated in the previous step
 - name: Upload SARIF
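Review bot: `bundle exec brakeman -f sarif -o output.sarif.json .` still runs under `continue-on-error: true`, which exists because Brakeman exits non-zero when it reports warnings, but it also turns a tool failure — the gem absent from the trimmed `security` bundle, or a crash — into a green Scan step whose only symptom is the Upload step failing on a missing file. Brakeman has its own switch for the warnings case, so `run: bundle exec brakeman --no-exit-on-warn -f sarif -o output.sarif.json .` with `continue-on-error` removed keeps findings flowing to Code Scanning while genuine failures fail the job. The note about SARIF support that disappeared with the removed `BRAKEMAN_VERSION` line is now carried only by the Gemfile's `'>= 4.10.1'` constraint; a short comment on the Scan step saying so would spare the next reader from re-deriving why `-f sarif` is safe here.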