Skip to content

Walk Track: Add Brakeman SAST scan to CI #144

Open
Open
Walk Track: Add Brakeman SAST scan to CI#144
Labels
enhancementNew feature or request
@nikhil2611

Description

@nikhil2611
nikhil2611
opened on May 24, 2026

Context

Walk Ex8 improved secret scanning (gitleaks). No static analysis tool checks for code-level security vulnerabilities. knife exec and knife ssh execute arbitrary code/commands — high-value Brakeman targets.

Code Paths

  • .github/workflows/sast.yml — new CI workflow running Brakeman
  • lib/chef/knife/exec.rb — arbitrary Ruby execution
  • lib/chef/knife/ssh.rb — shell command construction
  • SECURITY.md — add SAST section

Acceptance Criteria

  • .github/workflows/sast.yml runs brakeman --no-pager on every PR
  • Job is continue-on-error: true initially (advisory); promote to blocking after first clean run
  • At least one Brakeman finding triaged: fixed or added to .brakeman.ignore with justification
  • SECURITY.md updated with SAST section documenting the tool and how to run locally

Dependencies

Walk Ex8 secret scan pattern (merged). No blocking deps.

Size

Small.

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions