This repository has been archived by the owner on May 29, 2024. It is now read-only.

Adding static code analysis orb to run Brakeman scans and reports #103

Open
wants to merge 1 commit into
base: master
from

Conversation

psalerno

This PR adds CircleCI jobs from an orb that the security team created that runs scans with Brakeman, a static code analysis tool that finds security issues in Ruby on Rails. For each new warning it finds, it does three things:

  1. Creates a GitHub issue in that repo with all of the information about that Brakeman warning. See here for an example. Once an issue has been created for a warning, it won’t be recreated by a subsequent scan (as long as the fingerprint of the warning hasn’t changed).
  2. Sends a Slack alert to the security team telling us this new issue got created so we can investigate it.
  3. Adds that GitHub issue to a GitHub project that allows the security team to track open vulnerabilities.

The confidence level of the Brakeman scan is configurable in the orb parameters, but it defaults to only “high” confidence issues for now.

This PR has the orb running nightly as a scheduled pipeline on CircleCI. We use a scheduled pipeline since pipelines can be run as specific users, and we need to run the CircleCI job as a user who has access to the restricted context used by the orb. Once this PR is merged, I'll create the scheduled pipeline in CircleCI to run as the security team's machine user.

…n, and if it finds new warnings it turns them into GitHub issues and notifies the security team about them. Runs nightly as a scheduled pipeline.
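The triage logic the description above outlines (scan, keep only warnings at the configured confidence, skip warnings whose fingerprint already has an issue, turn the rest into issue text and a Slack notification) can be sketched in plain Ruby. The block below is an added example and is not the security team's orb or any code from this repository. It relies on the real shape of Brakeman's JSON report (`brakeman -f json` emits a `warnings` array whose entries carry `fingerprint`, `confidence` as "High"/"Medium"/"Weak", `warning_type`, `warning_code`, `message`, `file`, `line` and `code`); the sample report, the issue body layout, the idea of recovering known fingerprints from existing issue bodies, and the Slack message format are all assumptions made for the example.

```ruby
require 'json'

# Constructed sample of a Brakeman JSON report (brakeman -f json). Not a real
# scan result; the fingerprints are short placeholders.
SAMPLE_REPORT = <<~'JSON'
  {
    "warnings": [
      {"warning_type": "SQL Injection", "warning_code": 0, "fingerprint": "aaaa1111",
       "message": "Possible SQL injection", "file": "app/models/user.rb", "line": 12,
       "code": "User.where(\"name = '#{params[:name]}'\")", "confidence": "High"},
      {"warning_type": "Mass Assignment", "warning_code": 70, "fingerprint": "bbbb2222",
       "message": "Parameters should be whitelisted", "file": "app/controllers/users_controller.rb",
       "line": 30, "code": "params.permit!", "confidence": "Medium"},
      {"warning_type": "Cross-Site Scripting", "warning_code": 2, "fingerprint": "cccc3333",
       "message": "Unescaped model attribute", "file": "app/views/users/show.html.erb", "line": 4,
       "code": "raw(@user.bio)", "confidence": "High"}
    ]
  }
JSON

# Brakeman orders confidence High > Medium > Weak; lower rank = more confident.
CONFIDENCE_RANK = { 'High' => 0, 'Medium' => 1, 'Weak' => 2 }.freeze

# Keep warnings at or above the configured minimum ("high" keeps only High,
# "medium" keeps High and Medium, "weak" keeps everything).
def filter_by_confidence(warnings, min_confidence)
  limit = CONFIDENCE_RANK.fetch(min_confidence.to_s.capitalize)
  warnings.select { |w| CONFIDENCE_RANK.fetch(w['confidence']) <= limit }
end

# A warning whose fingerprint already has an issue is not reported again, so a
# nightly rerun only surfaces genuinely new findings (assumed dedupe rule).
def new_warnings(warnings, known_fingerprints)
  known = known_fingerprints.to_a
  warnings.reject { |w| known.include?(w['fingerprint']) }
end

# Assumed issue layout: the fingerprint is embedded in the body so the next
# scan can recover it without any extra state store.
def issue_for(warning)
  title = "Brakeman: #{warning['warning_type']} in #{warning['file']}:#{warning['line']}"
  body = <<~BODY
    **Warning type:** #{warning['warning_type']} (code #{warning['warning_code']})
    **Confidence:** #{warning['confidence']}
    **Location:** `#{warning['file']}:#{warning['line']}`
    **Message:** #{warning['message']}
    **Code:** `#{warning['code']}`

    Fingerprint: `#{warning['fingerprint']}`
  BODY
  { title: title, body: body, fingerprint: warning['fingerprint'] }
end

# Recover fingerprints from the bodies of issues already open in the repo.
FINGERPRINT_RE = /Fingerprint: `([0-9a-f]+)`/
def fingerprints_from_issues(issue_bodies)
  issue_bodies.map { |b| b[FINGERPRINT_RE, 1] }.compact
end

# Full pipeline step: parse the report, apply the confidence threshold, drop
# already-known warnings and build the issues that would be created.
def triage(report_json, min_confidence: 'high', known_fingerprints: [])
  warnings = JSON.parse(report_json).fetch('warnings')
  candidates = filter_by_confidence(warnings, min_confidence)
  new_warnings(candidates, known_fingerprints).map { |w| issue_for(w) }
end

# Assumed Slack text; nil when there is nothing new so no alert is sent.
def slack_message(repo, issues)
  return nil if issues.empty?
  lines = issues.map { |i| "- #{i[:title]}" }
  "New Brakeman findings in #{repo} (#{issues.length}):\n#{lines.join("\n")}"
end

if __FILE__ == $PROGRAM_NAME
  # A previous scan already filed an issue for the SQL injection warning.
  existing_bodies = [issue_for(JSON.parse(SAMPLE_REPORT)['warnings'][0])[:body]]
  issues = triage(SAMPLE_REPORT,
                  min_confidence: 'high',
                  known_fingerprints: fingerprints_from_issues(existing_bodies))
  puts slack_message('example-org/example-app', issues)
end
```

With the default "high" threshold the Medium-confidence mass-assignment warning is dropped, and the already-filed SQL injection fingerprint is skipped, so only the XSS warning becomes a new issue. Raising the threshold parameter to "medium" would bring the mass-assignment finding into scope without touching the dedupe logic.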