Contents

# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.

# This workflow integrates Brakeman with GitHub's Code Scanning feature
# Brakeman is a static analysis security vulnerability scanner for Ruby on Rails applications

name: Brakeman Scan

on:
  push:
    branches: [ main ]
    paths-ignore:
      - 'doc/**'
      - 'README.md'
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [ main ]
  schedule:
    # cron format: 'minute hour dayofmonth month dayofweek'
    # this will run at noon UTC each Monday (7am EST / 8am EDT)
    - cron: '0 12 * * 1'

permissions:
  contents: read
  security-events: write

jobs:
  brakeman-scan:
    name: Brakeman Scan
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4

    - uses: ./.github/actions/setup-languages

    # Execute Brakeman CLI and generate a SARIF output with the security issues identified during the analysis
    - name: Scan
      continue-on-error: true
      run: |
        bundle exec brakeman -f sarif -o output.sarif.json .

    # Upload the SARIF file generated in the previous step
    - name: Upload SARIF
      uses: github/codeql-action/upload-sarif@v3
      with:
        sarif_file: output.sarif.json

Version data entries

2 entries across 2 versions & 1 rubygems

Version	Path
rails_template_18f-1.1.0	lib/generators/rails_template18f/github_actions/templates/github/workflows/brakeman-analysis.yml
rails_template_18f-1.0.0	lib/generators/rails_template18f/github_actions/templates/github/workflows/brakeman-analysis.yml