Skip to content

tweak brakeman, bearer output all time #12

tweak brakeman, bearer output all time

tweak brakeman, bearer output all time #12

Workflow file for this run

name: Security Checks
on:
push:
schedule:
- cron: '0 5 * * *'
concurrency:
group: qb-${{ github.ref }}
cancel-in-progress: true #This is temporary to avoid trunk GHA collisions
jobs:
bearer:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: ruby/setup-ruby@v1
with:
bundler-cache: true
- name: install bearer
run: |
sudo apt-get install apt-transport-https
echo "deb [trusted=yes] https://apt.fury.io/bearer/ /" | sudo tee -a /etc/apt/sources.list.d/fury.list
sudo apt-get update
sudo apt-get install bearer
- name: run bearer
continue-on-error: true
run: |
bearer scan --quiet --config-file ./bearer.yml .
- name: build bearer report
# if: failure()
run: |
bearer scan --quiet --config-file ./bearer.yml --format html --output bearer.html .
- name: upload bearer failure report
uses: actions/upload-artifact@v4
# if: failure()
with:
name: Security Reports
path: bearer.html
- name: Write to Job Summary
run: cat bearer.html >> $GITHUB_STEP_SUMMARY
brakeman:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
# - name: Brakeman code scanning
# continue-on-error: true
# uses: artplan1/brakeman-action@v1.2.1
# with:
# flags: "--color -o /dev/stdout -o output.markdown"
# - name: Brakeman code scanning
# continue-on-error: true
# uses: artplan1/brakeman-action@v1.2.1
# with:
# flags: "--help"
- name: Brakeman code scanning
continue-on-error: true
run: docker run -v "$(pwd)":/code presidentbeef/brakeman -o /dev/stdout -o output.markdown
- name: upload Brakeman failure report
uses: actions/upload-artifact@v4
# if: failure()
with:
name: Security Reports
path: bundler_audit.txt
- name: Write to Job Summary
run: cat output.markdown >> $GITHUB_STEP_SUMMARY
bundler-audit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: ruby/setup-ruby@v1
with:
bundler-cache: true
- name: install bundler-audit
run: |
gem install bundler-audit && bundle-audit update
- name: run bundler-audit
continue-on-error: true
run: |
bundle-audit --output=bundler_audit.txt
- name: upload bundler-audit failure report
uses: actions/upload-artifact@v4
# if: failure()
with:
name: Security Reports
path: bundler_audit.txt
- name: Write to Job Summary
run: cat bundler_audit.txt >> $GITHUB_STEP_SUMMARY