Adjustments/messaging #377
Workflow file for this run
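name: Brakeman Scan

# `on` looks like a YAML 1.1 boolean to generic parsers; GitHub's loader reads
# it as the trigger map, so a yamllint `truthy` warning on this key is expected.
on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
  schedule:
    - cron: '26 3 * * 0'

# Workflow-wide default: a read-only token. The job below widens it only to
# what the SARIF upload needs.
permissions:
  contents: read

jobs:
  brakeman-scan:
    name: Brakeman Scan
    # Option A: stay on latest (24.04) – requires up-to-date setup-ruby
    runs-on: ubuntu-latest
    # Option B (fallback): force older image if you prefer
    # runs-on: ubuntu-22.04
    # Bound a hung gem install or scan so a stuck run does not hold the runner
    # for the default six-hour limit.
    timeout-minutes: 15
    permissions:
      contents: read
      # Required by github/codeql-action/upload-sarif to create code-scanning alerts.
      security-events: write
      # upload-sarif documents this as needed on private repositories.
      actions: read
    steps:
      - name: Checkout
        # Third-party actions are referenced by mutable tags (@v4, @v1, @v3).
        # Pinning each to a full-length commit SHA, e.g.
        # actions/checkout@<COMMIT_SHA>, removes the tag-retarget supply-chain
        # risk; take the SHA from the action's release page before pinning.
        uses: actions/checkout@v4
      - name: Setup Ruby
        # Use the rolling v1 tag so you get fixes for new runner images
        uses: ruby/setup-ruby@v1
        with:
          ruby-version: '3.2' # or your exact patch, e.g. '3.2.2'
        # bundler-cache not needed since we install brakeman directly
      - name: Setup Brakeman
        # Unpinned: every run installs whatever gem version is latest. Pin it
        # (`gem install brakeman -v <VERSION>`) if scan results must be
        # reproducible across runs. --no-document skips ri/rdoc generation.
        run: |
          gem install brakeman --no-document
      - name: Scan (SARIF)
        # Brakeman exits non-zero when it reports warnings; continue so the
        # SARIF file is still uploaded and findings surface as code-scanning
        # alerts rather than as a red CI step.
        continue-on-error: true
        run: |
          brakeman -f sarif -o output.sarif.json .
      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: output.sarif.json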