AlchemyCMS/alchemy_cms

View on GitHub
.github/workflows/brakeman-analysis.yml

Summary

Maintainability
Test Coverage
# This workflow integrates Brakeman with GitHub's Code Scanning feature
# Brakeman is a static analysis security vulnerability scanner for Ruby on Rails applications

name: Brakeman Scan

concurrency:
  group: brakeman-${{ github.ref_name }}
  cancel-in-progress: ${{ github.ref_name != 'main' }}

on:
  push:
    branches: [main]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [main]
  schedule:
    - cron: "40 4 * * 2"

jobs:
  brakeman-scan:
    name: Brakeman Scan
    runs-on: ubuntu-latest
    steps:
      # Checkout the repository to the GitHub Actions runner
      - name: Checkout
        uses: actions/checkout@v4

      # Customize the ruby version depending on your needs
      - name: Set up Ruby
        uses: ruby/setup-ruby@v1
        with:
          ruby-version: "3.2"

      - name: Setup Brakeman
        env:
          BRAKEMAN_VERSION: "6.1" # SARIF support is provided in Brakeman version 4.10+
        run: |
          gem install brakeman --version $BRAKEMAN_VERSION

      # Execute Brakeman CLI and generate a SARIF output with the security issues identified during the analysis
      - name: Scan
        continue-on-error: true
        run: |
          brakeman -f sarif -o output.sarif.json .

      # Upload the SARIF file generated in the previous step
      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: output.sarif.json