Hacktoberfest / hacktoberfest-2020

Hacktoberfest - App to manage the annual open-source challenge, used for the 2019 & 2020 seasons.
https://hacktoberfest.digitalocean.com
496 stars, 147 forks

Add brakeman to build in ci. #695

Closed razanjoshi closed 3 years ago

razanjoshi commented 3 years ago

Description

Brakeman is a free vulnerability scanner specifically designed for Ruby on Rails applications. It statically analyzes Rails application code to find security issues at any stage of development.

Findings

[image]

By running Brakeman, found one security vulnerability, which is Cross-Site Request Forgery. This is a low-severity security issue. As such, no workaround is necessary until such time as the application can be upgraded.

After this finding, one of the technical debt tickets could be a Rails upgrade.

Requirements to merge

MattIPv4 commented 3 years ago

Also, thoughts on adding this as a separate job/workflow in Actions? It currently runs as part of the RSpec workflow, but isn't RSpec, which might confuse some folks?

MattIPv4 commented 3 years ago

Does brakeman require the app be running, or have gems installed?

razanjoshi commented 3 years ago

> Does brakeman require the app be running, or have gems installed?

Yeah, the app does not need to be running, but it does need gems installed. Made the changes. Thanks for the review 🙇

MattIPv4 commented 3 years ago

Does it need the full bundle installed, or would it work just installing the single brakeman gem? (Our full bundle takes quite a while to install)

razanjoshi commented 3 years ago

@MattIPv4 Thanks for the suggestion, it is super fast ⏩ now 🙂

MattIPv4 commented 3 years ago

Thoughts on doing the same for the rubocop workflow while we're here?

MattIPv4 commented 3 years ago

Imo, I think it'd be better to use the gem ourselves, rather than an action, so that we are in control of what version is being used etc.

So that we're consistent with what would be run locally, would it make sense to create a new group(s) in the bundle for brakeman & rubocop -- so that they exist in development & testing, but also their own custom groups so that only that group can be installed in CI?

razanjoshi commented 3 years ago

@MattIPv4 I think for some reason using just rubocop without bundling the others won't use the .rubocop.yml exclusions, hence offenses are appearing here: https://github.com/digitalocean/hacktoberfest/runs/1276693227

MattIPv4 commented 3 years ago

That feels like it's likely a versioning issue -- I think using a Gemfile custom group like in https://github.com/digitalocean/hacktoberfest/pull/701/files would allow us to correctly control the versions of brakeman, rubocop etc.
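The approach discussed above (Brakeman and RuboCop as separate Actions jobs, installing only a dedicated Gemfile group rather than the full bundle, so CI runs the versions pinned in Gemfile.lock) can be expressed as one workflow. The following is an added example, not the project's own workflow or the contents of PR #701. It assumes a Gemfile group named `lint` declared as `group :development, :test, :lint do gem 'brakeman'; gem 'rubocop' end`, Bundler 2.2 or newer (for the `BUNDLE_ONLY` setting), Brakeman 4 or newer (for `--no-pager`), and a default branch named `main`; all of those are assumptions, not facts from the thread.

```yaml
# Added example (not the hacktoberfest repo's workflow): Brakeman and RuboCop
# as separate jobs that install only the `lint` Gemfile group.
name: Lint

on:
  pull_request:
  push:
    branches: [ main ]   # assumption: default branch is `main`

env:
  BUNDLE_ONLY: lint      # assumption: Bundler >= 2.2; installs only this group
  BUNDLE_FROZEN: "true"  # fail the job if Gemfile.lock is out of date

jobs:
  brakeman:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ruby/setup-ruby@v1      # reads .ruby-version from the checkout
      - run: bundle install --jobs 4  # honours BUNDLE_ONLY, so only brakeman/rubocop
      # Brakeman needs the source tree and its own gem, not a running app or a
      # database. -q trims progress output; --no-pager keeps CI logs plain.
      # A non-zero exit on any warning (--exit-on-warn) or scan error
      # (--exit-on-error) is what fails the job.
      - run: bundle exec brakeman -q --no-pager --exit-on-warn --exit-on-error

  rubocop:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ruby/setup-ruby@v1
      - run: bundle install --jobs 4
      # Running the bundled rubocop uses the version locked in Gemfile.lock and
      # the repository's .rubocop.yml, matching what a developer runs locally.
      - run: bundle exec rubocop --parallel
```

Because the group is also listed under `:development` and `:test`, a plain `bundle install` on a developer machine still pulls both tools in, while CI with `BUNDLE_ONLY=lint` skips the rest of the bundle. If `BUNDLE_ONLY` is unavailable, the older `bundle config set --local without 'default development test'` achieves a similar effect but has to name every other group explicitly.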