Circle CI Integration

Brakeman Pro Engine can easily be set up with Circle CI to run scans on every push.

Credentials Setup

We recommend setting up the Brakeman Pro Engine username and password as environment variables. Not only is this good security practice, it also allows the credentials to be changed easily in the future if needed.

Set env variables

Circle CI will obfuscate the values in the settings as well as hide the values during builds.

Installing Brakeman Pro

If Brakeman Pro is already in your Gemfile, this step is unnecessary.

Install Brakeman Pro

Under “Test Commands” > “Dependency Commands”, add Brakeman Pro to the “Post-dependency commands”:

gem install brakeman-pro --source https://$BRAKEMAN_PRO_USER:$

This way your inferred dependencies will not be affected.

Running Brakeman Pro

Brakeman Pro should be run as a “Post-test command” to avoid affecting inferred test commands.

Run Brakeman Pro

In “Test Commands” > “Post-test commands” add:

bundle exec brakeman-pro --exit-on-warn --quiet -f plain

Recommended Brakeman Pro options:

  • --exit-on-warn: This option is important because it causes the build to fail if any warnings are found.
  • --quiet: Removes extraneous output. If --quiet is too quiet, --no-report-progress is recommended instead.
  • -f plain: Generates a nice, colored text report.

Exporting Artifacts

It is possible to generate a report on Circle CI that can be downloaded and imported into Brakeman Pro Desktop for triage.

Artifact Setting

In “Test Commands” > “Post-test commands” add:

bundle exec brakeman-pro --exit-on-warn -f plain --quiet --export $CIRCLE_ARTIFACTS/your_app_name

Replace your_app_name with the name of your project. It is easiest to match this with the project name in Brakeman Pro Desktop.

After a build is run, there will be an “Artifacts” tab on the build page.

Artifact Setting

This file can be imported into Brakeman Pro Desktop.
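The settings above can also be kept in the repository instead of the Circle CI project UI. The following circle.yml is an added example (not from the Brakeman Pro documentation) of the CircleCI 1.0 configuration equivalent to the "Post-dependency commands" and "Post-test commands" described on this page; it assumes the credentials are stored as the environment variables BRAKEMAN_PRO_USER and BRAKEMAN_PRO_PASSWORD (the password variable name and the gem source host are placeholders, not values from this page).

```yaml
# Added example: circle.yml (CircleCI 1.0) mirroring the UI settings on this page.
# Assumptions: BRAKEMAN_PRO_USER and BRAKEMAN_PRO_PASSWORD are project environment
# variables (Circle CI masks them in the settings and build output), and
# <gem-source-host> stands in for the Brakeman Pro gem source host.

dependencies:
  post:
    # "Post-dependency command": installs the engine without altering the
    # dependency commands Circle CI infers. Skip this if brakeman-pro is in the Gemfile.
    - gem install brakeman-pro --source "https://$BRAKEMAN_PRO_USER:$BRAKEMAN_PRO_PASSWORD@<gem-source-host>"

test:
  post:
    # "Post-test command": --exit-on-warn fails the build on any warning,
    # --quiet trims progress output, -f plain renders a colored text report,
    # and --export saves a report under the Artifacts tab that Brakeman Pro
    # Desktop can import for triage. Replace your_app_name with your project name.
    - bundle exec brakeman-pro --exit-on-warn --quiet -f plain --export $CIRCLE_ARTIFACTS/your_app_name
```

If --quiet hides more than you want, swap it for --no-report-progress as recommended above; the exported report is written regardless of whether the scan exits non-zero.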

Report Output

Brakeman Pro reports will be rendered in the Circle CI results on failure.

Brakeman Pro Report

Ignoring Warnings

It is common to need to ignore some warnings. Read how to ignore false positives.