brakeman.yml

# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.

# This workflow integrates Brakeman with GitHub's Code Scanning feature
# Brakeman is a static analysis security vulnerability scanner for Ruby on Rails applications

name: Brakeman Scan

on:
  push:
    branches: [ $default-branch, $protected-branches ]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [ $default-branch ]
  schedule:
    - cron: $cron-weekly

permissions:
  contents: read

jobs:
  brakeman-scan:
    permissions:
      contents: read # for actions/checkout to fetch code
      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
    name: Brakeman Scan
    runs-on: ubuntu-latest
    steps:
    # Checkout the repository to the GitHub Actions runner
    - name: Checkout
      uses: actions/checkout@v3

    # Customize the ruby version depending on your needs
    - name: Setup Ruby
      uses: ruby/setup-ruby@f20f1eae726df008313d2e0d78c5e602562a1bcf
      with:
        ruby-version: '2.7'

    - name: Setup Brakeman
      env:
        BRAKEMAN_VERSION: '4.10' # SARIF support is provided in Brakeman version 4.10+
      run: |
        gem install brakeman --version $BRAKEMAN_VERSION

    # Execute Brakeman CLI and generate a SARIF output with the security issues identified during the analysis
    - name: Scan
      continue-on-error: true
      run: |
        brakeman -f sarif -o output.sarif.json .

    # Upload the SARIF file generated in the previous step
    - name: Upload SARIF
      uses: github/codeql-action/upload-sarif@v2
      with:
        sarif_file: output.sarif.json