Brakeman
We use Brakeman on GitHub Actions to alert us to security vulnerabilities in pull requests. You can run Brakeman locally to preview the results of this scan and act on them before you push.
Note: GitHub Actions' code scanning does not honor Brakeman's ignore file. GitHub accepts SARIF, but not the suppressions Brakeman records for ignored warnings, so warnings you have ignored locally will still be annotated on the pull request. You can still use the ignore file for local runs, following the instructions below.
To run Brakeman and find new security warnings:
brakeman -I
Brakeman will run its checks and then ask you to confirm it has the proper location of the ignore file:
Input file: |/path/to/project/otwarchive/config/brakeman.ignore| Press return to confirm.
Now Brakeman will ask if you want to
1. Inspect all warnings
2. Hide previously ignored warnings
3. Prune obsolete ignored warnings
4. Skip - use current ignore configuration
?
Enter 2 and press return.
It will list each new security warning and ask you what you want to do with it. (Note: the output may be interspersed with a lot of deprecation warnings between the prompts.)
-------- 58/99 ---------------
Confidence: Weak
Category: Cross Site Scripting
Message: Unescaped model attribute
Code: ts("<strong>We can answer Support inquiries in %{list}.</strong> Please allow for additional delay for responses in any language other than English.", :list => Language.where(:support_available => true).default_order.map(&:name).to_sentence)
File: app/views/feedbacks/new.html.erb
Line: 39
Action: (i, n, k, u, a, s, q, ?)
If it's a real issue, you should go back to your code, fix the problem, and run Brakeman again to make sure you've addressed the issue.
However, if it's a false positive, you'll want to add the warning to the ignore file. To do this, enter i and press return.
Sometimes, Brakeman will find entries in the ignore file whose warnings no longer apply (for example, the code was fixed or removed) and should be pruned:
Remove fingerprint?
Enter y and press return to remove it.
Finally, Brakeman will ask you what to do with your changes:
Ignoring 99 warnings
Showing 0 warnings
1. Save changes
2. Start over
3. Quit, do not save changes
?
Enter 1 and press return to save.
The next time you run Brakeman, it won't report that warning again. Ignored warnings are matched by fingerprint, so if the flagged code changes, the fingerprint may change too and the warning can reappear for review.
If you have any questions regarding code development, please don't hesitate to send an email to [email protected] and we will try to get back to you as soon as possible!