Add brakeman to ci (#695)

* Add brakeman to build in ci. * Ignore CSRF vulnerability till rails upgrades. * Separate workflow for brakeman. * Remove app build in brakeman check workflow. * Install only brakeman gem on brakeman workflow. * Trying with just rubocop gem for rubocop workflow. * obsolete configuration found in .rubocop.yml * Refactor lint.yml. * Build rubocop lint action. * Make lint handle exception true. * Move brakeman gem to lint group.
Hacktoberfest · Oct 22, 2020 · 2bf4527 · 2bf4527
1 parent 7f5b283
commit 2bf4527
Show file tree

Hide file tree

Showing 5 changed files with 46 additions and 1 deletion.
diff --git a/.github/workflows/brakeman.yml b/.github/workflows/brakeman.yml
@@ -0,0 +1,20 @@
+name: Brakeman checks
+
+on: [pull_request]
+
+jobs:
+  verify:
+    name: Build
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v1
+    - name: Set up Ruby 2.5
+      uses: actions/setup-ruby@v1
+      with:
+        ruby-version: 2.5
+    - name: Checking vulnerabilities with Brakeman
+      run: |
+        gem install bundler bundle-only
+        bundle-only lint
+        brakeman --color
diff --git a/Gemfile b/Gemfile
@@ -86,6 +86,7 @@ group :development, :test do
 end
 
 group :lint, :development, :test do
+  gem 'brakeman'
   gem 'rubocop-rails'
 end
 

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -58,6 +58,7 @@ GEM
     bindex (0.8.1)
     bootsnap (1.4.5)
       msgpack (~> 1.0)
+    brakeman (4.10.0)
     builder (3.2.3)
     bulma-rails (0.7.5)
       sassc (~> 2.0)
@@ -386,6 +387,7 @@ DEPENDENCIES
   airbrake (~> 9.4)
   airrecord
   bootsnap (>= 1.1.0)
+  brakeman
   bulma-rails (~> 0.7.5)
   byebug
   capistrano (~> 3.11)

diff --git a/config/brakeman.ignore b/config/brakeman.ignore
@@ -0,0 +1,22 @@
+{
+  "ignored_warnings": [
+    {
+      "warning_type": "Cross-Site Request Forgery",
+      "warning_code": 116,
+      "fingerprint": "c8697fda60549ca065789e2ea74c94effecef88b2b5483bae17ddd62ece47194",
+      "check_name": "CSRFTokenForgeryCVE",
+      "message": "Rails 5.2.3 has a vulnerability that may allow CSRF token forgery. Upgrade to Rails 5.2.4.3 or patch",
+      "file": "Gemfile.lock",
+      "line": 230,
+      "link": "https://groups.google.com/g/rubyonrails-security/c/NOjKiGeXUgw",
+      "code": null,
+      "render_path": null,
+      "location": null,
+      "user_input": null,
+      "confidence": "Medium",
+      "note": ""
+    }
+  ],
+  "updated": "2020-10-17 18:38:16 +0100",
+  "brakeman_version": "4.10.0"
+}
diff --git a/script/test b/script/test
@@ -16,4 +16,4 @@ script/update
 
 echo "==> Running tests…"
 
-bundle exec rspec && rubocop
+bundle exec rspec && rubocop && brakeman --color
-Original file line number
+Diff line change
@@ Expand Up / @@ -86,6 +86,7 @@ group :development, :test do @@
     end
     group :lint, :development, :test do
+      gem 'brakeman'
       gem 'rubocop-rails'
     end
@@ Expand Down @@
Original file line number	Diff line number	Diff line change
Expand Up		@@ -16,4 +16,4 @@ script/update

		echo "==> Running tests…"

		bundle exec rspec && rubocop
		bundle exec rspec && rubocop && brakeman --color