Add Brakeman SAST scan to CI for Ruby security analysis #118

@nikhil2611

Description

Epic

Part of the Crawl Track backlog epic.

Background

Ex8 (Security Scan) added gitleaks for secret detection. It does NOT cover Ruby-level security issues (unsafe deserialization, command injection, mass assignment). Brakeman is the standard SAST tool for Ruby/Rails-family projects.

Code Paths

  • .github/workflows/secret-scan.yml — reference CI job to follow
  • lib/chef/knife/exec.rb — evaluates arbitrary Ruby; high-risk surface
  • lib/chef/knife/ssh.rb — constructs shell commands from user input

Acceptance Criteria

  • .github/workflows/sast.yml added, running presidentbeef/brakeman-action or the brakeman gem
  • Scan runs on every PR
  • At least one finding triaged: either fixed or added to ignore file with justification
  • SECURITY.md updated with SAST section
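A workflow that satisfies the criteria above, written here as an added example rather than taken from this repository. It assumes the brakeman gem route, a Ruby 3.1 runner, and that triaged findings live in config/brakeman.ignore; the ignore file is the JSON that `brakeman -I` writes, where each ignored_warnings entry carries a fingerprint and a note:

```yaml
# .github/workflows/sast.yml (path from the acceptance criteria)
name: SAST (Brakeman)

on:
  pull_request:            # scan runs on every PR
  push:
    branches: [main]

permissions:
  contents: read
  security-events: write   # required to upload SARIF to code scanning

jobs:
  brakeman:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: ruby/setup-ruby@v1
        with:
          ruby-version: '3.1'   # assumed; match the project's supported Ruby

      - name: Install Brakeman
        run: gem install brakeman

      - name: Run Brakeman
        # --force-scan: this is a gem, not a Rails app, so Brakeman must be told to scan anyway
        # -i: ignore file holding triaged findings; --ensure-ignore-notes fails the run
        #     if any ignored entry has no justification note
        # Brakeman exits 3 when unignored warnings remain, which fails the job and blocks the PR
        run: |
          brakeman --force-scan --no-pager -q \
            -i config/brakeman.ignore --ensure-ignore-notes \
            -f sarif -o brakeman.sarif

      - name: Upload SARIF to code scanning
        if: always()   # publish findings even when the scan step failed on them
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: brakeman.sarif
```

Findings in lib/chef/knife/exec.rb and lib/chef/knife/ssh.rb then show up as code-scanning alerts on the PR, and the ignore file's notes are where the "added to ignore file with justification" criterion is recorded.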

Dependencies

  • Depends on: Ex8 secret scan (already merged)
  • Blocks: nothing

Estimated Size

Small
