-
-
Save rebelweb/19b3cb705a8058128579 to your computer and use it in GitHub Desktop.
| ENV["RAILS_ENV"] ||= 'test' | |
| require 'spec_helper' | |
| require File.expand_path("../../config/environment", __FILE__) | |
| require 'rspec/rails' | |
| require 'brakeman' | |
| ActiveRecord::Migration.maintain_test_schema! | |
| RSpec.configure do |config| | |
| config.use_transactional_fixtures = true | |
| config.infer_spec_type_from_file_location! | |
| #Use this for a Rails Application | |
| config.after(:suite) {Brakeman.run app_path: "#{Rails.root}", output_files: ['brakeman.html']} | |
| #Use this for a Rails Engine | |
| config.after(:suite) {Brakeman.run app_path: "#{MyEngine::Engine.root}", output_files: ['brakeman.html']} | |
| end |
Excellent start. Really need the brakeman process to FAIL the rspec run if ANY High confidence warnings are present.
Planning to run yet another process to check the json output for any High confidence security warnings.
Found more examples online - here's how we connected the Brakeman result to rspec result:
#Use this for a Rails Application
config.after(:suite) do
example_group = RSpec.describe('Brakeman Issues')
example = example_group.example('must have 0 Critical Security Issues') do
res=Brakeman.run app_path: "#{Rails.root}", output_files: ['brakeman.html']
serious=res.warnings.count { |w| w.confidence==0 }
puts "\n\nBrakeman Result:\n Critical Security Issues = #{serious}"
expect(serious).to eq 0
end
example_group.run
passed = example.execution_result.status == :passed
RSpec.configuration.reporter.example_failed example unless passed
end
If you want to discarded ignored critical warnings, line about the count the serious warnings should be something like:
serious =res.filtered_warnings.count { |w| w.confidence==0 }
@heliocola I haven't done any serious Ruby on Rails development in a couple of years. So this is pretty stale on my end. Thanks for adding info for others who see this thread.
From what I can see that is still one way to do this, so THANK YOU!
There is also a way to run this via CircleCI command bundle exec brakeman.
IMHO: this absolutely aged very, very well!
Thanks for pointing that out. The documentation has been updated!