Merge pull request #16 from robzolkos/add-audits

Add Brakeman
Shpigford · Jan 19, 2024 · ecd7c7a · ecd7c7a
2 parents dd5b674 + 7dbbc76
commit ecd7c7a
Show file tree

Hide file tree

Showing 5 changed files with 55 additions and 2 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -6,6 +6,24 @@ on:
     branches: [main]
 
 jobs:
+  scan_ruby:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: .ruby-version
+          bundler-cache: true
+
+      - name: Scan for security vulnerabilities in Ruby Dependencies
+        run: |
+          gem install error_highlight -v 0.5.1
+          bin/brakeman
+
   lint:
     runs-on: ubuntu-latest
     steps:

diff --git a/Gemfile b/Gemfile
@@ -68,6 +68,7 @@ group :development do
   gem "error_highlight", ">= 0.4.0", platforms: [ :ruby ]
 
   gem "rubocop-rails-omakase", require: false
+  gem "brakeman"
 end
 
 group :test do

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -129,6 +129,8 @@ GEM
     bindex (0.8.1)
     bootsnap (1.17.0)
       msgpack (~> 1.2)
+    brakeman (6.1.1)
+      racc
     builder (3.2.4)
     capybara (3.39.2)
       addressable
@@ -375,6 +377,7 @@ PLATFORMS
 
 DEPENDENCIES
   bootsnap
+  brakeman
   capybara
   debug
   error_highlight (>= 0.4.0)

diff --git a/app/views/gemfiles/show.html.erb b/app/views/gemfiles/show.html.erb
@@ -17,11 +17,15 @@
             <%= content_for?(:header_title) ? (yield(:header_title)).html_safe : "Gemfile" %>
           </h1>
           <% if @gemfile.app_link.present? %>
-            <%= link_to '<i class="text-xl text-white fa-solid fa-link hover:text-amber-300"></i>'.html_safe, @gemfile.app_link %>
+            <%= link_to "#{@gemfile.app_link}" do %>
+              <i class="text-xl text-white fa-solid fa-link hover:text-amber-300"></i>
+            <% end %>
           <% end %>
 
           <% if @gemfile.github_link.present? %>
-            <%= link_to '<i class="text-xl text-white fa-brands fa-github hover:text-amber-300"></i>'.html_safe, @gemfile.github_link %>
+            <%= link_to "#{@gemfile.github_link}" do %>
+              <i class="text-xl text-white fa-brands fa-github hover:text-amber-300"></i>
+            <% end %>
           <% end %>
         </div>
         <div class="flex items-center text-sm text-white">

diff --git a/bin/brakeman b/bin/brakeman
@@ -0,0 +1,27 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+#
+# This file was generated by Bundler.
+#
+# The application 'brakeman' is installed as part of a gem, and
+# this file is here to facilitate running it.
+#
+
+ENV["BUNDLE_GEMFILE"] ||= File.expand_path("../Gemfile", __dir__)
+
+bundle_binstub = File.expand_path("bundle", __dir__)
+
+if File.file?(bundle_binstub)
+  if File.read(bundle_binstub, 300).include?("This file was generated by Bundler")
+    load(bundle_binstub)
+  else
+    abort("Your `bin/bundle` was not generated by Bundler, so this binstub cannot run.
+Replace `bin/bundle` by running `bundle binstubs bundler --force`, then run this command again.")
+  end
+end
+
+require "rubygems"
+require "bundler/setup"
+
+load Gem.bin_path("brakeman", "brakeman")