Integrating CloudBees CodeShip with Brakeman Pro for Rails security analysis

2 minute read

About Brakeman Pro

Brakeman Pro is as service for automatically testing and reporting on your Rails application’s security vulnerabilities.

By using Brakeman Pro you can be confident that your Rails application is secure and up to date.

Their documentation does a great job of providing more information, in addition to the setup instructions below.

CloudBees CodeShip Pro

Setting your credentials

To start, you need to add your BRAKEMAN_PRO_USER and BRAKEMAN_PRO_PASSWORD credentials to your encrypted environment variables that you encrypt and include in your codeship-services.yml file.

Adding The Gem

After adding the credentials, you’ll need to install the Brakeman Pro gem via your project’s Dockerfile, which is built by your codeship-services.yml file.

This can be done with the following command in your Dockerfile, or by adding the gem to your project’s Gemfile (which requires bundle install in your Dockerfile instead):

RUN gem install brakeman-pro --source https://$BRAKEMAN_PRO_USER:$BRAKEMAN_PRO_PASSWORD@brakemanpro.com/gems/

Running Reports

Next, you’ll want to run the actual command to generate a Brakeman Pro report as a new step in your codeship-steps.yml file:

- name: brakeman-pro service: your_service command: brakeman-pro --exit-on-warn --quiet -f plain

There are several specific options that Brakeman Pro recommends for modifying the report behavior:

  • --exit-on-warn: This option is important because it will cause the build to fail if any warnings are found

  • --quiet: Removes extraneous output. If –quiet is too quiet, –no-report-progress is recommended instead

  • --f plain: Generates a nice, colored text report

CloudBees CodeShip Basic

Setting your credentials

To start, you need to add your BRAKEMAN_PRO_USER and BRAKEMAN_PRO_PASSWORD credentials to your environment variables.

You can do this by navigating to Project Settings and then clicking on the Environment tab.

Adding The Gem

After adding the credentials, you’ll need to install the Brakeman Pro gem via your project’s setup commands. This can be done with the following command, or by adding the gem to your project’s Gemfile (which requires bundle install in your setup commands instead):

gem install brakeman-pro --source https://$BRAKEMAN_PRO_USER:$BRAKEMAN_PRO_PASSWORD@brakemanpro.com/gems/

Running Reports

Next, you’ll want to run the actual command to generate a Brakeman Pro report in your project’s test commands:

brakeman-pro --exit-on-warn --quiet -f plain

There are several specific options that Brakeman Pro recommends for modifying the report behavior:

  • --exit-on-warn: This option is important because it will cause the build to fail if any warnings are found

  • --quiet: Removes extraneous output. If –quiet is too quiet, –no-report-progress is recommended instead

  • --f plain: Generates a nice, colored text report

Note that if you are using parallel pipelines then you likely only want to add this command to a single pipeline, rather than multiple pipelines.