
Travis CI Integration

Brakeman Pro Engine can easily be set up with Travis CI to run scans on every push.

Brakeman Pro in Gemfile

If Brakeman Pro is already included in your Gemfile, then Brakeman Pro only needs to be added as a test script in your .travis.yml.

For many Rails applications, Travis may be running rake automatically and there will not be a script section. Be sure to add bundle exec rake if this is the case, since defining a script section replaces the default.

Example:

script:
  - bundle exec rake
  - bundle exec brakeman-pro --exit-on-warn --quiet -f plain

Recommended Brakeman Pro options:

  • --exit-on-warn: This option is important because it makes Brakeman Pro exit with a non-zero status, and therefore fails the build, if any warnings are found
  • --quiet: Removes extraneous output. If --quiet is too quiet, --no-report-progress is recommended instead
  • -f plain: Generates a nice, colored text report

Without Gemfile

If Brakeman Pro is not included in your Gemfile, please use the directions below.

Credentials Setup

We recommend setting up the Brakeman Pro Engine username and password as environment variables. Not only is this good security practice, it also allows the credentials to be easily changed in the future if needed.

Set env variables

Travis CI will obfuscate the values in the settings as well as hide the values during builds.

Installing Brakeman Pro

Brakeman Pro can be added to the install list in your .travis.yml.

For many Rails applications, Travis may be running bundle automatically and there will not be an install section. Be sure to add bundle install if this is the case, since defining an install section replaces the default.

Example:

install:
  - bundle install --jobs=3 --retry=3
  - gem install brakeman-pro --source https://$BRAKEMAN_PRO_USER:$BRAKEMAN_PRO_PASSWORD@brakemanpro.com/gems/

This way your inferred dependencies will not be affected.

Running Brakeman Pro

Brakeman Pro should be added as a test script in your .travis.yml.

For many Rails applications, Travis may be running rake automatically and there will not be a script section. Be sure to add bundle exec rake if this is the case, since defining a script section replaces the default.

Example:

script:
  - bundle exec rake
  - brakeman-pro --exit-on-warn --quiet -f plain

Recommended Brakeman Pro options:

  • --exit-on-warn: This option is important because it makes Brakeman Pro exit with a non-zero status, and therefore fails the build, if any warnings are found
  • --quiet: Removes extraneous output. If --quiet is too quiet, --no-report-progress is recommended instead
  • -f plain: Generates a nice, colored text report
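Putting the pieces of the no-Gemfile setup together, here is a complete .travis.yml as an added, constructed example (not from Brakeman Pro's own documentation). It assumes a Ruby project tested with rake and that BRAKEMAN_PRO_USER and BRAKEMAN_PRO_PASSWORD are defined as hidden variables in the Travis repository settings, not in this file.

```yaml
# Constructed example .travis.yml for a Rails app that does not list
# brakeman-pro in its Gemfile. The credential variables are expected to
# come from the Travis repository settings (hidden values), never from here.
language: ruby
rvm:
  - 2.6
cache: bundler

# Defining an install section replaces Travis's default `bundle install`,
# so it is listed explicitly before the gem install.
install:
  - bundle install --jobs=3 --retry=3
  - gem install brakeman-pro --source https://$BRAKEMAN_PRO_USER:$BRAKEMAN_PRO_PASSWORD@brakemanpro.com/gems/

# Defining a script section replaces the default `bundle exec rake`,
# so the test suite is kept as the first step. Each command runs in turn;
# a non-zero exit from any of them fails the build, which is what
# --exit-on-warn relies on when warnings are found.
script:
  - bundle exec rake
  - brakeman-pro --exit-on-warn --no-report-progress -f plain
```

--no-report-progress is used here instead of --quiet so the plain report stays readable in the Travis log without the progress output.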

Report Output

Brakeman Pro reports will be rendered in the Travis CI results on failure.

Brakeman Pro Report

Ignoring Warnings

It is common to need to ignore some warnings. Read how to ignore false positives.