Brakeman is a wonderful tool that can scan your Ruby on Rails application for common vulnerabilities. It’s a static code analyzer that can help you find security problems before you release the application.
Since you can introduce a vulnerability at any stage of you development process, it’s obvious that a tool should scan your application as often as possible, preferably on every commit. That makes it an ideal candidate for the continuous delivery pipeline.
Fortunately, it’s easy to make Brakeman part of your CI.
Install Brakeman by adding it to your Gemfile:
group :development do
gem 'brakeman', :require => false
end
And add the following command to your build setup on Semaphore:
bundle exec brakeman -z
The -z flag tells Brakeman to fail if it finds any vulnerabilities. This means that your build will fail before any issues reach the production, letting you know you should fix the problem.
We definitely recommend that you introduce security checks to your continuous delivery pipeline, and Brakeman is a good choice for Rails apps.