The open source Jenkins CI server can be used to automate Brakeman Pro scans.
The Brakeman Pro Engine is compatible with the Jenkins Brakeman Plugin starting with plugin version 0.10.
Installing the Plugin
To install the Brakeman Plugin in your Jenkins server, navigate to Jenkins > Manage Jenkins > Manage Plugins. Click the Available tab. Use the filter to search for brakeman. Check the box to select the plugin. Then click “Install without restart”.
Freestyle Projects
To use Brakeman Pro in a “freestyle project”, it is necessary to set up a new build step and a post-build action.
Build Step
At a minimum, Ruby needs to be available on the Jenkins server. Below we assume rvm is installed with Ruby 2.3.1. It should be straightforward to adapt these instructions to your environment.
In the job configuration, click Add build step and select Execute shell.
In the shell script, the job needs to install Brakeman Pro and run a scan. Here we use rvm to create a separate gemset, install Brakeman Pro, and run a scan:
bash -l -c '
# login shell (-l) so the rvm function is loaded; stop at the first failure (&&)
rvm gemset use brakeman-pro --create &&
gem install brakeman-pro --source https://USERNAME:PASSWORD@brakemanpro.com/gems/ &&
# -f pro selects the output format the plugin reads best; -o names the report file
brakeman-pro -f pro -o brakeman-output.json --no-progress
'
Replace USERNAME and PASSWORD with your credentials.
For the best results, use the pro output format. This can be specified with -f pro or with an output file ending in .pro.
Publishing Results
After the build, the results can be published to the Brakeman plugin.
Click Add post-build step and select Publish Brakeman warnings. Set the Brakeman Output File to match the shell command (in this case, brakeman-output.json).
See the Advanced... button for more options.
Pipeline Projects
Projects utilizing the pipeline plugin can use the publishBrakeman step.
Configuring Pipeline
The two main steps for running Brakeman Pro in Jenkins are running the scan and publishing results.
Here is an example of pipeline code to run Brakeman Pro:
node {
  stage 'Brakeman Scan'
  // run the scan in the "pro" format, then hand the report to the Brakeman plugin
  sh 'brakeman-pro -f pro -o brakeman-output.json'
  publishBrakeman 'brakeman-output.json'
}
This code assumes brakeman-pro is already available on the Jenkins server machine.
For the best results, use the pro output format. This can be specified with -f pro or with an output file ending in .pro.
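The following scripted Jenkinsfile is an added example; it is not code from the Brakeman Pro documentation or from the Jenkins Brakeman plugin. It combines the rvm gemset script from the freestyle build step with the publishBrakeman step shown above, and replaces the USERNAME:PASSWORD literal with a Jenkins username/password credential supplied through the Credentials Binding plugin's withCredentials step, so the gem-server password is masked in the console log and kept out of the stored job script. It assumes rvm with Ruby 2.3.1 on the agent, the Credentials Binding plugin installed, a pipeline loaded from SCM, and a credential stored under the placeholder id brakeman-pro-gems.

```groovy
// Added example, not from the Brakeman Pro docs or the Jenkins Brakeman plugin.
// Assumptions: rvm with Ruby 2.3.1 on the agent, the Credentials Binding plugin
// installed, and a username/password credential saved in Jenkins under the
// placeholder id 'brakeman-pro-gems'.
node {
  stage('Checkout') {
    // assumes this Jenkinsfile is loaded from the repository it scans
    checkout scm
  }

  stage('Brakeman Scan') {
    // Bind the gem-server credentials to environment variables instead of
    // writing USERNAME:PASSWORD into the job script: the values are masked in
    // the console output and are not stored in the job configuration.
    withCredentials([usernamePassword(credentialsId: 'brakeman-pro-gems',
                                      usernameVariable: 'BPRO_USER',
                                      passwordVariable: 'BPRO_PASS')]) {
      // Triple single quotes: Groovy does not interpolate ${...} here, so the
      // shell expands the variables at run time and the secret never becomes
      // part of the pipeline script text.
      sh '''
        bash -l -c '
          rvm use 2.3.1 &&
          rvm gemset use brakeman-pro --create &&
          gem install brakeman-pro --source "https://${BPRO_USER}:${BPRO_PASS}@brakemanpro.com/gems/" &&
          brakeman-pro -f pro -o brakeman-output.json --no-progress
        '
      '''
    }
  }

  stage('Publish Results') {
    // keep a copy of the report with the build, then publish it to the plugin
    archiveArtifacts artifacts: 'brakeman-output.json', fingerprint: true
    publishBrakeman 'brakeman-output.json'
  }
}
```

The sh body is a single-quoted Groovy string on purpose: with a double-quoted string Groovy would interpolate ${BPRO_PASS} itself and bake the password into the generated shell script, which Jenkins stores with the build. Leaving expansion to the shell keeps the secret in the process environment only, where the credentials binding can mask it.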
Brakeman Pro Warnings
Brakeman Pro scan results indicating the number of new and fixed warnings should appear on the job build page.
Note: by default, new warnings will cause a build to fail.
There are a number of ways to view the warnings, including by type, severity, and file name.
It is also possible to view the code that generated the warning.
More Information
A much more advanced pipeline setup with Docker is explained here.
Ignoring Warnings
It is common to need to ignore some warnings. Read how to ignore false positives.