Brakeman Pro Engine can easily be set up with Circle CI to run scans on every push.
Credentials Setup
We recommend setting the Brakeman Pro Engine username and password as environment variables in the Circle CI project settings rather than writing them into circle.yml. Not only does this keep the credentials out of the repository, it also allows them to be rotated in the future without touching the code.
Circle CI obfuscates the values in the settings page and hides them during builds. Still, avoid echoing them in build commands: a credential embedded in a URL, as in the gem source below, can be printed back in error output if the fetch fails.
Installing Brakeman Pro
If Brakeman Pro is already in your Gemfile, this step is unnecessary (Bundler will then need the brakemanpro.com credentials itself, which can also be supplied from the same environment variables via bundle config).
Under “Test Commands” > “Dependency Commands”, add Brakeman Pro to the “Post-dependency commands”:
gem install brakeman-pro --source https://$BRAKEMAN_PRO_USER:$BRAKEMAN_PRO_PASSWORD@brakemanpro.com/gems/
This way your inferred dependencies will not be affected.
Running Brakeman Pro
Brakeman Pro should be run as a “Post-test command” to avoid affecting inferred test commands.
In “Test Commands” > “Post-test commands” add:
bundle exec brakeman-pro --exit-on-warn --quiet -f plain
Recommended Brakeman Pro options:
--exit-on-warn: This option is important because it causes the build to fail if any warnings are found. Without it, a scan that reports warnings still exits 0 and the build is marked as passing.
--quiet: Removes extraneous output. If --quiet is too quiet, --no-report-progress is recommended instead.
-f plain: Generates a nice, colored text report.
Exporting Artifacts
It is possible to generate a report on Circle CI that can be downloaded and imported into Brakeman Pro Desktop for triage.
In “Test Commands” > “Post-test commands” add:
bundle exec brakeman-pro --exit-on-warn -f plain --quiet --export $CIRCLE_ARTIFACTS/your_app_name
Replace your_app_name with the name of your project. It is easiest to match this with the project name in Brakeman Pro Desktop.
After a build is run, the exported report appears under the “Artifacts” tab on the build page, where it can be downloaded and then imported into Brakeman Pro Desktop.
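The settings above can also be kept in the repository's circle.yml instead of the project settings UI. The following is an added example assembling the whole procedure (credentials from environment variables, post-dependency install, post-test scan with export); it is not part of the Brakeman Pro documentation. It assumes the CircleCI 1.0 circle.yml format and the placeholder project name your_app_name; the credential values themselves stay in the Circle CI project environment variables and are never written into this file.

```yaml
# circle.yml (CircleCI 1.0 format) -- added example, not from the Brakeman Pro docs.
# Assumes BRAKEMAN_PRO_USER and BRAKEMAN_PRO_PASSWORD are set as project
# environment variables in the Circle CI settings; they are never committed here.
dependencies:
  post:
    # Fail fast with a clear message if the credentials were not configured,
    # instead of letting the gem fetch fail and print the source URL.
    - test -n "$BRAKEMAN_PRO_USER" && test -n "$BRAKEMAN_PRO_PASSWORD"
    # Installed after the inferred dependency steps so bundle install is unaffected.
    # Skip this line if brakeman-pro is already in the Gemfile.
    - gem install brakeman-pro --source https://$BRAKEMAN_PRO_USER:$BRAKEMAN_PRO_PASSWORD@brakemanpro.com/gems/

test:
  post:
    # Runs after the inferred test commands.
    # --exit-on-warn makes the build fail on any warning (non-zero exit status),
    # --quiet trims output, -f plain prints the report into the build log, and
    # --export writes a report file into $CIRCLE_ARTIFACTS for Brakeman Pro Desktop.
    # Replace your_app_name with the project name used in Brakeman Pro Desktop.
    - bundle exec brakeman-pro --exit-on-warn --quiet -f plain --export $CIRCLE_ARTIFACTS/your_app_name
```

Because the scan sits under test: post:, its non-zero exit status fails the build in the same way a failing test would, and the plain report written to standard output is visible in that step's log.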
Report Output
Because the plain report is written to standard output, it is rendered in the Circle CI output for the post-test command, so when --exit-on-warn fails the build the warnings are visible directly in the build results.
Ignoring Warnings
It is common to need to ignore some warnings. Read how to ignore false positives.