# This workflow uses actions that are not certified by GitHub. # They are provided by a third-party and are governed by # separate terms of service, privacy policy, and support # documentation. # This workflow integrates Brakeman with GitHub's Code Scanning feature # Brakeman is a static analysis security vulnerability scanner for Ruby on Rails applications name: Brakeman Scan on: push: branches: [ $default-branch, $protected-branches ] pull_request: # The branches below must be a subset of the branches above branches: [ $default-branch ] schedule: - cron: $cron-weekly jobs: brakeman-scan: name: Brakeman Scan runs-on: ubuntu-latest steps: # Checkout the repository to the GitHub Actions runner - name: Checkout uses: actions/checkout@v2 # Customize the ruby version depending on your needs - name: Setup Ruby uses: ruby/setup-ruby@f20f1eae726df008313d2e0d78c5e602562a1bcf with: ruby-version: '2.7' - name: Setup Brakeman env: BRAKEMAN_VERSION: '4.10' # SARIF support is provided in Brakeman version 4.10+ run: | gem install brakeman --version $BRAKEMAN_VERSION # Execute Brakeman CLI and generate a SARIF output with the security issues identified during the analysis - name: Scan continue-on-error: true run: | brakeman -f sarif -o output.sarif.json . # Upload the SARIF file generated in the previous step - name: Upload SARIF uses: github/codeql-action/upload-sarif@v1 with: sarif_file: output.sarif.json