From ac14d19ec73a221cceaf46e80264d797733e8cd4 Mon Sep 17 00:00:00 2001
From: Paul Salerno
Date: Tue, 15 Nov 2022 17:42:24 -0800
Subject: [PATCH] Adding static code analysis scans to CircleCI config.

It runs Brakeman, and if it finds new warnings it turns them into GitHub issues and notifies the security team about them. Runs nightly as a scheduled pipeline.
---
 .circleci/config.yml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/.circleci/config.yml b/.circleci/config.yml
index 88a61fe..68366c5 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -1,4 +1,7 @@
 version: 2.1
+orbs:
+  static-code-analysis: appfolio/static-code-analysis@volatile
+
 jobs:
   build-and-test:
     docker:
@@ -67,6 +70,22 @@ jobs:
 workflows:
   version: 2.1
   rc:
+    when:
+      not:
+        equal: [ scheduled_pipeline, << pipeline.trigger_source >> ]
     jobs:
       - build-and-test:
           context: appfolio_test_context
+  nightly-static-code-security-analysis:
+    # Configure trigger at https://app.circleci.com/settings/project/github/appfolio/ladle/triggers
+    when:
+      and:
+        - equal: [ scheduled_pipeline, << pipeline.trigger_source >> ]
+        - equal: [ "Nightly static code security analysis", << pipeline.schedule.name >> ]
+    jobs:
+      - static-code-analysis/scan:
+          context: appfolio_static-code-analysis
+      - static-code-analysis/report:
+          context: appfolio_static-code-analysis
+          requires:
+            - static-code-analysis/scan
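Review bot: The orb reference `appfolio/static-code-analysis@volatile` on the new `orbs:` line resolves to whatever the newest published orb version is at each run, so the nightly job, which per the commit message runs under the `appfolio_static-code-analysis` context and can open GitHub issues and send notifications, executes orb changes the moment they are published rather than after review. Pinning to an explicit release, `static-code-analysis: appfolio/static-code-analysis@<PINNED_VERSION>`, and bumping it deliberately keeps the scanner's code and its credential use under change control; the orb being first-party lowers but does not remove the chance of an accidental breaking or regressing publish. If `volatile` is intentional while the orb is still in active development, a comment stating that and when it will be pinned would help the next reader.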
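Review bot: The nightly workflow fires only when `<< pipeline.schedule.name >>` equals the literal `"Nightly static code security analysis"`, so a schedule created under a slightly different name in the UI makes the scan silently never run, with no failing job to notice. The existing comment points at the trigger settings page but not at this coupling; extending it to `# The schedule must be named exactly "Nightly static code security analysis" or this workflow never runs` would make the dependency explicit. Relatedly, the `rc` workflow's new `when: not: equal: [ scheduled_pipeline, ... ]` guard suppresses `rc` for every scheduled pipeline, not only this one, which is fine today but worth a one-line comment if other schedules are ever added.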