Documentation

Bitbucket Pipelines Integration

Brakeman Pro Engine can easily be added to Bitbucket Pipelines to run scans on every push.

Credentials Setup

We recommend setting up the Brakeman Pro Engine username and password as environment variables. Not only is this good security practice, it also allows the credentials to be changed easily in the future if needed.

Bitbucket allows setting pipeline variables at either the account or repository level, depending on your needs. For most organizations, the account level will likely be most convenient so the credentials are shared across all projects.

[Screenshot: Set env variables]

There is also the option to mark the variables as “secure” so the values will not be shown after being set.

[Screenshot: Set env variables to be secure]

Pipeline Setup

Bitbucket Pipelines are configured by adding a bitbucket-pipelines.yml file to the root directory of your code repository. Note that Bitbucket will walk you through the process if you are adding a new pipeline.

Example configuration, using environment variables set above:

image: ruby:2.4.0

pipelines:
  default:
    - step:
        script:
          - gem install brakeman-pro --source https://$BRAKEMAN_PRO_USER:$BRAKEMAN_PRO_PASSWORD@brakemanpro.com/gems/
          - brakeman-pro --exit-on-warn --quiet -f plain

Recommended Brakeman Pro options:

  • --exit-on-warn: This option is important because it makes brakeman-pro exit with a non-zero status, and therefore fail the build, if any warnings are found
  • --quiet: Removes extraneous output. If not using --quiet, --no-report-progress is recommended instead
  • -f plain: Generates the text-based report
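As an added example (not part of the Brakeman Pro documentation or the Bitbucket sample above), the same pipeline step wrapped in a POSIX shell script that fails fast when the credential variables are missing, keeps their values out of the build log, and writes the plain-text report to a file that can be kept as a pipeline artifact. The script name, the helper function names and the report path are assumptions; the scanner options are the ones recommended above.

```shell
#!/bin/sh
# brakeman_scan.sh (assumed name): pipeline step script for a Brakeman Pro scan.
# Reads BRAKEMAN_PRO_USER / BRAKEMAN_PRO_PASSWORD from the pipeline variables
# described above and never prints their values.
set -u

REPORT_FILE="${REPORT_FILE:-brakeman-report.txt}"   # assumed artifact path

# Return 1 (without echoing any value) when a credential variable is unset or empty.
require_credentials() {
  for name in BRAKEMAN_PRO_USER BRAKEMAN_PRO_PASSWORD; do
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      echo "error: $name is not set; add it as a (secure) pipeline variable" >&2
      return 1
    fi
  done
  return 0
}

# Gem source URL carrying the credentials; used for the install only, never logged.
gem_source_url() {
  printf 'https://%s:%s@brakemanpro.com/gems/' "$BRAKEMAN_PRO_USER" "$BRAKEMAN_PRO_PASSWORD"
}

# Strip the user:password part of a URL before it is written to the build log.
redact_url() {
  printf '%s' "$1" | sed -E 's#(https?://)[^/@]*@#\1***:***@#'
}

# Install the gem and run the scan with the recommended options. With
# --exit-on-warn the scanner's non-zero exit status fails the build when
# warnings are found; the report is saved to $REPORT_FILE and echoed.
run_scan() {
  require_credentials || return 1
  url=$(gem_source_url)
  echo "installing brakeman-pro from $(redact_url "$url")"
  gem install brakeman-pro --source "$url" >/dev/null || return 1
  brakeman-pro --exit-on-warn --quiet -f plain > "$REPORT_FILE"
  status=$?
  cat "$REPORT_FILE"
  if [ "$status" -ne 0 ]; then
    echo "Brakeman Pro reported warnings (exit $status); see $REPORT_FILE" >&2
  fi
  return "$status"
}
```

In bitbucket-pipelines.yml the step's script would then call `sh brakeman_scan.sh` and list the report file under the step's artifacts.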

Pipelines in Action

A code commit with Brakeman warnings will look like this in the pipeline:

[Screenshot: Pipeline failure]

Ignoring Warnings

It is common to need to ignore some warnings. Read how to ignore false positives.