The Brakeman gem is a highly useful tool for keeping your development habits clean.
From their website:
Brakeman is a free vulnerability scanner specifically designed for Ruby on Rails applications. It statically analyzes Rails application code to find security issues at any stage of development.
Once installed, it's pretty easy to have Brakeman checks run on every PR submitted to your repo. GitHub Actions is a quick way to accomplish this.
To create the GitHub Action, create a ".github" directory in the root of your repo. Under this new directory, create a "workflows" directory that will house the .yml files describing the GitHub Actions.
In this new directory create a file (I called it brakeman.yml) and place the following contents into it:
name: Brakeman
on:
  pull_request:
    types:
      - opened
      - edited
      - synchronize
jobs:
  main:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Set up Ruby 3.2
        uses: ruby/setup-ruby@v1
        with:
          ruby-version: 3.2.1
      - name: Cache gems
        uses: actions/cache@v1
        with:
          path: vendor/bundle
          key: ${{ runner.os }}-brakeman-${{ hashFiles('**/Gemfile.lock') }}
          restore-keys: |
            ${{ runner.os }}-brakeman-
      - name: Install gems
        run: |
          bundle config path vendor/bundle
          # Skip gem groups the scan does not need; brakeman must live in a group that is still installed (e.g. development)
          bundle config set without 'default doc job cable storage ujs test db'
          bundle install --jobs 4 --retry 3
      - name: Run Brakeman
        # Brakeman exits non-zero when it reports warnings, which fails the check
        run: bundle exec brakeman
Set the Ruby version you are using in the ruby-version field of the "Set up Ruby" step ("jobs -> main -> steps -> with" above). Once a PR is opened or updated, you should see a check named Brakeman in the list of checks that run before merging.
Ignoring alerts
Not every alert is a real problem; it depends on how your code is structured. To suppress an alert, Brakeman lets you create a brakeman.ignore file in which specific warnings are marked as "ignored".
The -I option lets you build the brakeman.ignore file interactively:
bundle exec brakeman -I
Follow the prompts and you can manage the contents of the file pretty easily.
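Suppressed warnings are easy to forget about, so a CI job can also check that every entry in brakeman.ignore carries a justification. The script below is an added example, not code from the original post or from Brakeman itself; it assumes the standard brakeman.ignore layout (a JSON object with an "ignored_warnings" array whose entries carry "fingerprint", "warning_type", "file", "line" and "note"), and the fingerprints in the sample are constructed placeholders.

```ruby
# Added example (not from the original post or from Brakeman): flag entries in a
# brakeman.ignore file that lack a real justification or repeat a fingerprint.
# Assumes the standard brakeman.ignore JSON layout; fingerprints below are
# constructed placeholders, not real Brakeman fingerprints.
require 'json'

# Returns an array of problem descriptions; an empty array means the file passes.
def audit_brakeman_ignore(json_text, min_note_length: 20)
  problems = []
  entries = JSON.parse(json_text).fetch('ignored_warnings', [])
  fingerprint_counts = Hash.new(0)

  entries.each_with_index do |entry, idx|
    label = "entry #{idx} (#{entry['warning_type']} at #{entry['file']}:#{entry['line']})"
    fingerprint = entry['fingerprint'].to_s
    problems << "#{label}: missing fingerprint" if fingerprint.empty?
    fingerprint_counts[fingerprint] += 1 unless fingerprint.empty?

    # A one-word note ("ok", "fp") is not a reviewable justification.
    note = entry['note'].to_s.strip
    if note.length < min_note_length
      problems << "#{label}: note too short to justify suppression (#{note.inspect})"
    end
  end

  fingerprint_counts.each do |fp, count|
    problems << "fingerprint #{fp} appears #{count} times" if count > 1
  end
  problems
end

# Prints each problem to stderr and returns the exit status a CI step should use.
def ci_exit_status(problems)
  problems.each { |p| warn p }
  problems.empty? ? 0 : 1
end

# Constructed sample brakeman.ignore: one well-justified entry, one that should fail.
SAMPLE_IGNORE = <<~JSON
  {
    "ignored_warnings": [
      { "warning_type": "Mass Assignment", "fingerprint": "PLACEHOLDER_FP_1",
        "file": "app/controllers/admin/users_controller.rb", "line": 27,
        "note": "False positive: attributes are filtered by strong parameters above." },
      { "warning_type": "SQL Injection", "fingerprint": "PLACEHOLDER_FP_2",
        "file": "app/models/report.rb", "line": 41, "note": "ok" }
    ]
  }
JSON
```

In the workflow, a step such as `ruby -e 'exit(ci_exit_status(audit_brakeman_ignore(File.read("brakeman.ignore"))))'` after requiring this file fails the job when a suppression is unjustified.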