Jenkins Integration

Brakeman Pro Jenkins plugin

The open source Jenkins CI server can be used to automate Brakeman Pro scans.

The Brakeman Pro Engine is compatible with the Jenkins Brakeman Plugin starting with plugin version 0.10.

[Screenshot: Trend graph]

Installing the Plugin

To install the Brakeman Plugin in your Jenkins server, navigate to Jenkins > Manage Jenkins > Manage Plugins.

Click the Available tab. Use the filter to search for brakeman.

[Screenshot: Jenkins Brakeman Plugin in the Available tab]

Check the box to select the plugin. Then click “Install without restart”.

Freestyle Projects

To use Brakeman Pro in a “freestyle project”, it is necessary to set up a new build step and a post-build action.

Build Step

At a minimum, Ruby needs to be available on the Jenkins server (or on the agent that runs the job). Below we assume rvm is installed with Ruby 2.3.1; it should be straightforward to adapt these instructions to your environment.

In the job configuration, click Add build step and select Execute shell.

[Screenshot: Add build step]

In the shell script, the job needs to install Brakeman Pro and run a scan.

Here we use rvm to create a separate gemset, install Brakeman Pro, and run a scan:

bash -l -c '
  rvm gemset use brakeman-pro --create &&
  gem install brakeman-pro --source "$BRAKEMAN_PRO_SOURCE" &&
  brakeman-pro -f pro -o brakeman-output.json --no-progress
'

The login shell (bash -l) is what loads rvm. BRAKEMAN_PRO_SOURCE is a placeholder variable name used on this page for the Brakeman Pro gem source URL, which embeds your USERNAME and PASSWORD. Inject that URL into the job as a secret (for example with the Credentials Binding plugin) rather than pasting it into the script: Jenkins runs Execute shell scripts with sh -xe, which echoes every command to the console log, so a password written into the script would be logged on each build. With the variable name kept inside the single quotes, the trace shows only the unexpanded name and the inner bash expands it from the environment.

For the best results, use the pro output format. This can be specified with -f pro or with an output file ending in .pro (the file name above ends in .json, but -f pro determines the format).

[Screenshot: Execute shell script]

Publishing Results

After the build, the results can be published to the Brakeman plugin.

Click Add post-build action and select Publish Brakeman warnings.

[Screenshot: Publish Brakeman warnings]

Set the Brakeman Output File to match the shell command (in this case, brakeman-output.json).

[Screenshot: Report file]

Click the Advanced... button for more options.

Pipeline Projects

Projects utilizing the pipeline plugin can use the publishBrakeman step.

Configuring Pipeline

The two main steps for running Brakeman Pro in Jenkins are running the scan and publishing results.

Here is an example of scripted pipeline code to run Brakeman Pro (the block form of stage replaces the older stage 'name' syntax, which is deprecated):

node {
  stage('Brakeman Scan') {
    // --no-progress keeps the progress bar out of the console log
    sh 'brakeman-pro -f pro -o brakeman-output.json --no-progress'
    publishBrakeman 'brakeman-output.json'
  }
}

This code assumes brakeman-pro is already installed on the Jenkins server or agent that runs the job.

As with freestyle projects, use the pro output format (-f pro, or an output file ending in .pro) for the best results.
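The following Jenkinsfile is an added example written for this page; it is not code from the Brakeman Pro documentation or from the Brakeman plugin project. It carries the two steps above (scan, then publish) into a declarative pipeline and adds what the short snippet leaves out: installing the gem with the source URL taken from a Jenkins secret instead of the pipeline text, and publishing the report even when the scanner exits non-zero. Assumptions made here: a Jenkins "Secret text" credential with the ID brakeman-pro-gem-source holds the Brakeman Pro gem source URL (the one embedding your USERNAME and PASSWORD), rvm with Ruby 2.3.1 is installed on the agent as elsewhere on this page, and the Brakeman plugin (0.10 or later) and the Credentials Binding plugin are installed.

```groovy
// Added example Jenkinsfile for this page; not from the Brakeman Pro docs
// or the Brakeman plugin project. Assumed (not stated on the page): a
// "Secret text" credential 'brakeman-pro-gem-source' holding the gem source
// URL with USERNAME:PASSWORD, rvm + Ruby 2.3.1 on the agent, and the
// Brakeman and Credentials Binding plugins installed.
pipeline {
  agent any

  stages {
    stage('Install Brakeman Pro') {
      steps {
        // withCredentials exposes the secret only as an environment variable
        // for this step and masks it in the console log. The shell script is a
        // single-quoted Groovy string on purpose: the shell expands
        // $BRAKEMAN_PRO_SOURCE, so the URL is never interpolated into the
        // pipeline script itself.
        withCredentials([string(credentialsId: 'brakeman-pro-gem-source',
                                variable: 'BRAKEMAN_PRO_SOURCE')]) {
          sh '''#!/bin/bash -l
            set -euo pipefail
            rvm use 2.3.1@brakeman-pro --create
            gem install brakeman-pro --source "$BRAKEMAN_PRO_SOURCE"
          '''
        }
      }
    }

    stage('Brakeman Scan') {
      steps {
        sh '''#!/bin/bash -l
          set -uo pipefail
          rvm use 2.3.1@brakeman-pro
          # Do not let a non-zero exit status from the scanner abort the stage;
          # record it instead so the report is still published below and the
          # plugin's new-warning comparison decides the build result.
          brakeman-pro -f pro -o brakeman-output.json --no-progress || echo "brakeman-pro exited with status $?"
          # Fail loudly if no report was written at all.
          test -s brakeman-output.json
        '''
      }
    }
  }

  post {
    always {
      // Keep the raw report with the build and hand it to the Brakeman plugin,
      // which compares it with the previous build's report and, by default,
      // fails the build when new warnings appear.
      archiveArtifacts artifacts: 'brakeman-output.json', allowEmptyArchive: true
      publishBrakeman 'brakeman-output.json'
    }
  }
}
```

The scan step guards the brakeman-pro invocation with || because this page does not say what exit status the scanner returns when it finds warnings; if it were non-zero, a plain sh step would abort before publishBrakeman ran and the trend data would be lost. Keeping publishBrakeman in post { always } has the same purpose. Use a secret credential for the gem source URL rather than a pipeline environment variable: the URL contains the password, and anything written into a double-quoted Groovy string ends up in the pipeline script and can appear in the console log.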

[Screenshot: Jenkins Pipeline]

Brakeman Pro Warnings

Brakeman Pro scan results indicating the number of new and fixed warnings should appear on the job build page.

[Screenshot: Build page]

Note: by default, the plugin marks a build as failed when it finds new warnings (warnings not present in the previous build's report).

There are a number of ways to view the warnings, including by type, severity, and file name.

[Screenshot: Warnings by type]

[Screenshot: Warning details]

It is also possible to view the code that generated the warning.

[Screenshot: Warning code detail]

More Information

A much more advanced pipeline setup using Docker is explained in a separate guide.

Ignoring Warnings

It is common to need to ignore some warnings. See the separate guide on ignoring false positives.