Closed razanjoshi closed 3 years ago
Also, thoughts on adding this as a separate job/workflow in Actions? It currently runs as part of the RSpec workflow, but isn't RSpec, which might confuse some folks?
Does brakeman require the app be running, or have gems installed?
Yeah, the app does not need to be running, but it does need gems installed. Made the changes. Thanks for the review 🙇
Does it need the full bundle installed, or would it work just installing the single brakeman gem? (Our full bundle takes quite a while to install)
@MattIPv4 Thanks for the suggestion, it is super fast ⏩ now 🙂
Thoughts on doing the same for the rubocop workflow while we're here?
IMO, I think it'd be better to use the gem ourselves, rather than an action, so that we are in control of what version is being used etc.
So that we're consistent with what would be run locally, would it make sense to create a new group(s) in the bundle for brakeman & rubocop -- so that they exist in development & testing, but also their own custom groups so that only that group can be installed in CI?
@MattIPv4 I think for some reason using just rubocop without bundling others won't use the .rubocop.yml exclusions, hence offenses are appearing here: https://github.com/digitalocean/hacktoberfest/runs/1276693227
That feels like it's likely a versioning issue -- I think using a Gemfile custom group like in https://github.com/digitalocean/hacktoberfest/pull/701/files would allow us to correctly control the versions of brakeman, rubocop etc.
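The thread settles on installing the brakeman gem by itself in its own CI job. What that job does with Brakeman's output is the other half of the setup, so here is an added example, not code from this PR, from Brakeman or from the hacktoberfest repo: a small Ruby gate over the JSON report that `brakeman -f json -o brakeman.json --no-exit-on-warn` writes. It relies on the report's `warnings`, `errors`, `fingerprint` and `confidence` fields, which Brakeman does emit, and on an ignore file in the shape of `config/brakeman.ignore` (assumed here to carry only `fingerprint` and `note` per entry). Every warning, fingerprint and note in the sample data is constructed for the demonstration; the Cross-Site Request Forgery entry stands in for the kind of finding this PR reports.

```ruby
# Added example (not code from the PR, Brakeman or the hacktoberfest repo):
# a CI gate over Brakeman's JSON report. Run the scan first, e.g.
#   brakeman -f json -o brakeman.json --no-exit-on-warn
# then `ruby brakeman_gate.rb brakeman.json config/brakeman.ignore`.
require "json"

# Brakeman tags every warning with one of these confidence levels.
CONFIDENCE_RANK = { "High" => 3, "Medium" => 2, "Weak" => 1 }.freeze

# Constructed sample in the shape of Brakeman's JSON report. The CSRF entry
# mirrors the kind of version-related finding this PR reports; the other two
# warnings and all fingerprints are made up to exercise each branch below.
SAMPLE_REPORT = <<~JSON
  {
    "scan_info": { "app_path": "." },
    "warnings": [
      { "warning_type": "Cross-Site Request Forgery", "fingerprint": "fp-csrf-0001",
        "message": "constructed: CSRF warning tied to the Rails version",
        "file": "Gemfile.lock", "line": null, "confidence": "Medium" },
      { "warning_type": "Mass Assignment", "fingerprint": "fp-mass-0002",
        "message": "constructed: permit! used in a controller",
        "file": "app/controllers/users_controller.rb", "line": 12, "confidence": "High" },
      { "warning_type": "Dynamic Render Path", "fingerprint": "fp-render-0003",
        "message": "constructed: render path built from a parameter",
        "file": "app/controllers/pages_controller.rb", "line": 7, "confidence": "Weak" }
    ],
    "errors": []
  }
JSON

# Constructed sample in the shape of config/brakeman.ignore (assumption: only
# fingerprint and note are used here). Accepted warnings carry a reason.
SAMPLE_IGNORES = <<~JSON
  {
    "ignored_warnings": [
      { "fingerprint": "fp-csrf-0001",
        "note": "low severity per upstream advisory; tracked in the Rails upgrade ticket" },
      { "fingerprint": "fp-gone-9999",
        "note": "constructed: stale entry for a warning that no longer appears" }
    ]
  }
JSON

Finding = Struct.new(:warning_type, :fingerprint, :confidence, :file, :line, :message,
                     keyword_init: true)

# Returns [findings, errors]; errors are files Brakeman could not parse.
def parse_report(json_text)
  report = JSON.parse(json_text)
  findings = report.fetch("warnings").map do |w|
    Finding.new(warning_type: w.fetch("warning_type"), fingerprint: w.fetch("fingerprint"),
                confidence: w.fetch("confidence"), file: w["file"], line: w["line"],
                message: w["message"])
  end
  [findings, report.fetch("errors", [])]
end

# fingerprint => note for every reviewed-and-accepted warning.
def parse_ignores(json_text)
  JSON.parse(json_text).fetch("ignored_warnings", []).to_h { |i| [i.fetch("fingerprint"), i["note"].to_s] }
end

# Sorts findings into blocking / accepted / low buckets and lists ignore
# entries that no longer match anything. An unknown confidence string is
# treated as High so that a format change fails closed, not open.
def triage(findings, ignores, min_confidence: "Medium")
  threshold = CONFIDENCE_RANK.fetch(min_confidence)
  buckets = { blocking: [], accepted: [], low: [], stale_ignores: [] }
  findings.each do |f|
    rank = CONFIDENCE_RANK.fetch(f.confidence) { CONFIDENCE_RANK["High"] }
    if ignores.key?(f.fingerprint)
      buckets[:accepted] << f
    elsif rank >= threshold
      buckets[:blocking] << f
    else
      buckets[:low] << f
    end
  end
  buckets[:stale_ignores] = ignores.keys - findings.map(&:fingerprint)
  buckets
end

# Non-zero if anything blocks or Brakeman hit parse errors: a file it could
# not scan is not a clean scan.
def exit_code_for(buckets, errors)
  buckets[:blocking].empty? && errors.empty? ? 0 : 1
end

def location(f)
  [f.file, f.line].compact.join(":")
end

def report_lines(buckets, errors)
  lines = []
  buckets[:blocking].each { |f| lines << "BLOCK  #{f.confidence.ljust(6)} #{f.warning_type} (#{location(f)}) #{f.message}" }
  buckets[:low].each      { |f| lines << "INFO   #{f.confidence.ljust(6)} #{f.warning_type} (#{location(f)})" }
  buckets[:accepted].each { |f| lines << "IGNORE #{f.confidence.ljust(6)} #{f.warning_type} (#{f.fingerprint})" }
  buckets[:stale_ignores].each { |fp| lines << "STALE  ignore entry #{fp} no longer matches a warning" }
  errors.each { |e| lines << "ERROR  #{e.inspect}" }
  lines
end

if $PROGRAM_NAME == __FILE__
  if ARGV.empty?
    # No report given: triage the constructed sample and print the verdict.
    findings, errors = parse_report(SAMPLE_REPORT)
    buckets = triage(findings, parse_ignores(SAMPLE_IGNORES))
    puts report_lines(buckets, errors)
    puts "verdict: exit #{exit_code_for(buckets, errors)}"
  else
    findings, errors = parse_report(File.read(ARGV[0]))
    ignores = ARGV[1] ? parse_ignores(File.read(ARGV[1])) : {}
    buckets = triage(findings, ignores)
    puts report_lines(buckets, errors)
    exit exit_code_for(buckets, errors)
  end
end
```

With no arguments the script triages the built-in sample and prints the verdict instead of exiting non-zero; in CI, pass the report and ignore file paths and the step fails on any blocking warning or scan error. Accepting a warning by fingerprint with a note, rather than lowering the confidence threshold, keeps the accepted risk visible in the repository, and the stale-ignore lines point at entries to delete once an upgrade removes the warning.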
Description
Brakeman is a free vulnerability scanner specifically designed for Ruby on Rails applications. It statically analyzes Rails application code to find security issues at any stage of development.
Findings
Running Brakeman found one security vulnerability: Cross-Site Request Forgery.
This is a low-severity security issue. As such, no workaround is necessary until such time as the application can be upgraded.
After this finding, one of the technical debt tickets could be a Rails upgrade.
Requirements to merge