feat: adding brakeman.ignore support to huskyci #527
Conversation
LGTM
Looks good to me! Do you think we need to have some integration tests, @joserenatosilva, @rafaveira3 or @Krlier?
Hello, everyone! Glad to know that we are now able to skip a few tests in Brakeman! 😄 @gustavocovas, a good strategy here might be adding vulnerable code into this branch and adding a
Another topic we must be aware of is reporting this metric in the output as the "NoSecHusky" type. It would be a good idea to save it just like we do on other languages like Python, as follows:
Great idea! I checked that brakeman does output ignored warnings to its JSON file, so it is quite easy to add as a NoSecHusky metric. Will also open a PR to the poc-ruby-brakeman branch in order to add a brakeman.ignore test.
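The mapping discussed above, as an added example that is not part of this PR or of huskyCI's code: it reads a Brakeman JSON report, keeps active warnings with their Brakeman confidence, and reports entries from the `ignored_warnings` section (the ones suppressed by brakeman.ignore) under the "NoSecHusky" severity so they remain visible in the result. The `vulnerability` record and the sample report are constructed for this example; the JSON field names follow Brakeman's report format.

```go
package main

import "encoding/json"

// brakemanWarning: the fields of one Brakeman finding we map into a result.
// Field names follow Brakeman's JSON report; "note" is only set on ignored ones.
type brakemanWarning struct {
	WarningType string `json:"warning_type"`
	Message     string `json:"message"`
	File        string `json:"file"`
	Line        int    `json:"line"`
	Confidence  string `json:"confidence"`
	Note        string `json:"note"`
}

// brakemanOutput keeps the two report sections that matter here.
type brakemanOutput struct {
	Warnings        []brakemanWarning `json:"warnings"`
	IgnoredWarnings []brakemanWarning `json:"ignored_warnings"`
}

// vulnerability is an assumed huskyCI-style result record (not the real type).
type vulnerability struct {
	Severity, Type, File, Details string
	Line                          int
}

// parseBrakeman converts a Brakeman JSON report into result records. Active
// warnings keep Brakeman's confidence as severity; entries suppressed through
// brakeman.ignore are emitted with severity "NoSecHusky" so they stay visible.
func parseBrakeman(report []byte) ([]vulnerability, error) {
	var out brakemanOutput
	if err := json.Unmarshal(report, &out); err != nil {
		return nil, err
	}
	var vulns []vulnerability
	for _, w := range out.Warnings {
		vulns = append(vulns, vulnerability{w.Confidence, w.WarningType, w.File, w.Message, w.Line})
	}
	for _, w := range out.IgnoredWarnings {
		vulns = append(vulns, vulnerability{"NoSecHusky", w.WarningType, w.File, w.Message + " (ignored: " + w.Note + ")", w.Line})
	}
	return vulns, nil
}

// sampleReport is a constructed Brakeman report: one active, one ignored warning.
const sampleReport = `{"warnings":[{"warning_type":"SQL Injection","message":"Possible SQL injection","file":"app/models/user.rb","line":12,"confidence":"High"}],
"ignored_warnings":[{"warning_type":"Mass Assignment","message":"Potentially dangerous key allowed","file":"app/controllers/users_controller.rb","line":30,"confidence":"Medium","note":"reviewed, attribute is whitelisted"}]}`
```

Suppressed findings carry the reviewer's note from brakeman.ignore in the details, which is what makes the NoSecHusky entries auditable later.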
Description
This PR aims to add brakeman.ignore file support to HuskyCI.
Since there is no current implementation for utilizing "#nohusky" as referenced in #508, adding support for brakeman.ignore will help deal with false positives in the CI flow.
Proposed Changes
Adding an if statement to the brakeman section of api/config.yaml that checks whether a brakeman.ignore file exists in the target project's root folder; if so, brakeman is run with the file as a parameter.
It requires a bit of manual work to generate the ignore file, since it is only generated by brakeman itself: one would have to run it manually, validate the findings and ignore them as the tool's documentation
Testing
The branch of poc-ruby-brakeman on my forked repo contains a brakeman.ignore removing two other warnings that would show up at a HuskyCI analysis result.
Running this current build against that repo should be enough to validate the implementation.
🐼