This plugin reads output from Brakeman, a static analysis security vulnerability scanner for Ruby on Rails.
This plugin takes output from Brakeman, a security scanner for Ruby on Rails that finds vulnerabilities via static analysis, and uses the "Static Analysis Utilities" plugin to produce nice reports like these.
Brakeman detects security vulnerabilities in Ruby on Rails applications such as cross-site scripting, SQL injection, command injection, unsafe redirects, mass assignment, file access, default routes, and more.
Because of the many ways Ruby and gems can be installed, the plugin does not actually run Brakeman for you.
Running Brakeman can be accomplished by adding an "Execute Shell" build step. The command to use will vary based on your Ruby setup.
The simplest command would look like this:
brakeman -o brakeman-output.tabs
This assumes Brakeman is globally available on the machine where Jenkins is running.
The following options are recommended:
brakeman -o brakeman-output.tabs --no-progress --separate-models
To automatically install/update Brakeman (if needed):
gem install brakeman --no-ri --no-rdoc && brakeman -o brakeman-output.tabs --no-progress --separate-models
To use rvm (with Bash):
bash -l -c 'rvm use 1.9.2 && gem install brakeman --no-ri --no-rdoc && brakeman -o brakeman-output.tabs --no-progress --separate-models'
It might be a good idea to use gemsets, too:
bash -l -c 'rvm use ruby-1.9.3 && rvm gemset create brakeman-jenkins && rvm gemset use brakeman-jenkins && gem install brakeman --no-ri --no-rdoc && brakeman -o brakeman-output.tabs --no-progress --separate-models'
Check the "Publish Brakeman warnings" option under "Post-build Actions". Make sure the output file name matches the one used in the shell command.
It is possible to set thresholds for warnings, so that builds can be marked as unstable or failed depending on the number of warnings reported.
To set thresholds, click the "Advanced..." button next to "Publish Brakeman warnings".
To set set thresholds based on new warnings found, check the "Compute new warnings (based on reference build)" box. This opens another set of thresholds.
Skip to end of metadata Go to start of metadata