zinc-collective / convene

An Operating System for the Solidarity Economy
https://convene.zinc.coop

`Neighborhood`: Run `brakeman` on PRs #1157

Open KellyAH opened 1 year ago

KellyAH commented 1 year ago

Try running `brakeman` on PRs to catch changes that are security issues.

zspencer commented 1 year ago

Good call!

anaulin commented 1 year ago

Will this give us anything more in addition to what we get from Dependabot? I feel like Dependabot is marginally better because it keeps itself up-to-date with the latest CVEs, while Brakeman is a gem that we would have to always keep updating to make sure not to miss anything.

For reference, here are the Dependabot security alerts we've been getting (and resolving): https://github.com/zinc-collective/convene/security/dependabot?q=is%3Aclosed

zspencer commented 1 year ago

The difference between the two is that brakeman provides static analysis, whereas dependabot bumps packages.

anaulin commented 1 year ago

The security side of Dependabot also performs static analysis and sends security alerts.

The only difference I see with Brakeman is that Brakeman can do it on not-checked-in code, while Dependabot only runs on code that's already in the repo.

Here is an example Dependabot security alert for Convene from 3 days ago: [attached screenshot: Screenshot_20230305_152143_Gmail.jpg]

Oh, and Dependabot looks at JavaScript and Ruby issues, while Brakeman I think is Ruby-only.

zspencer commented 1 year ago

Gotcha, so you're suggesting we use the GitHub Code Scanning feature (which uses something called CodeQL under the covers? https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning) as opposed to brakeman. I don't have a preference either way.
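One way to do both things discussed in this thread at once, as an added example that is not code from the Convene repository or any participant: run Brakeman on every pull request and feed its report into the GitHub Code Scanning feature mentioned above, so the findings appear as PR annotations next to the Dependabot alerts. It assumes `brakeman` is in the project's `Gemfile` (so Dependabot keeps the scanner itself up to date) and that the repository is public or has code scanning enabled.

```yaml
# Added example workflow; assumes brakeman is bundled via the Gemfile.
name: brakeman

on:
  pull_request:
    paths:
      - "**/*.rb"
      - "**/*.erb"
      - "Gemfile.lock"

permissions:
  contents: read
  security-events: write   # required by upload-sarif

jobs:
  brakeman:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: ruby/setup-ruby@v1
        with:
          bundler-cache: true   # installs the Gemfile.lock'd gems, brakeman included

      # -w 2 reports medium- and high-confidence warnings only; the default
      # exit-on-warn behaviour makes this step (and the PR check) fail when any
      # such warning is found. The SARIF file is written before brakeman exits.
      - name: Run Brakeman
        run: |
          bundle exec brakeman --no-pager --quiet -w 2 \
            --format sarif --output brakeman.sarif

      # Upload even when the scan step failed, so the warnings that failed it
      # are visible inline on the PR under Security > Code scanning.
      - name: Upload results to Code Scanning
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: brakeman.sarif
          category: brakeman
```

Because the scan runs on the PR's checkout, this covers the not-yet-merged code that Dependabot's alerts do not look at; Ruby-only coverage still applies, so it complements rather than replaces the Dependabot alerts for the JavaScript side.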

anaulin commented 1 year ago

@KellyAH would continuing to rely on Dependabot's security alerts satisfy your goals with this ticket?