Merge pull request #542 from alphagov/add-brakeman

Add Brakeman check to Ruby apps

lib/github_fetcher.rb

@@ -39,7 +39,7 @@ def pull_requests_from_github
   end
 
   def check_team_repos_ci
-    repos.each_with_object({}) { |repo, sca_sast_enabled| sca_sast_enabled[repo] = has_sca_sast_scans?(repo) }
+    repos.each_with_object({}) { |repo, scans_enabled| scans_enabled[repo] = has_required_scans?(repo) }
   end
 
   def security_alerts_count
@@ -151,15 +151,38 @@ def ignored_ci_repos
     YAML.load_file(File.join(File.dirname(__FILE__), "../ignored_ci_repos.yml"))
   end
 
-  def has_sca_sast_scans?(repo)
+  def rails_app?(repo)
+    gemfile = github.contents("#{organisation}/#{repo}", path: "Gemfile")
+    Base64.decode64(gemfile.content).include?("\ngem \"rails\"")
+  rescue Octokit::NotFound
+    false
+  end
+
+  def fetch_ci_file_content(repo)
+    Base64.decode64(github.contents("#{organisation}/#{repo}", path: ".github/workflows/ci.yml").content)
+  rescue Octokit::NotFound
+    nil
+  end
+
+  def has_required_scans?(repo)
     return true if ignored_ci_repos.include?(repo)
 
-    ci_file = Base64.decode64(github.contents("#{organisation}/#{repo}", path: ".github/workflows/ci.yml").content)
-    sca_string = "uses: alphagov/govuk-infrastructure/.github/workflows/dependency-review.yml@main"
-    sast_string = "uses: alphagov/govuk-infrastructure/.github/workflows/codeql-analysis.yml@main"
+    ci_file = fetch_ci_file_content(repo)
+    return true if ci_file.nil? # if a CI file is not present assume no scans are needed
 
-    ci_file.include?(sca_string) && ci_file.include?(sast_string)
-  rescue Octokit::NotFound
-    true # if a CI file is not present assume no scans are needed
+    scans_needed = rails_app?(repo) ? %i[sca sast brakeman] : %i[sca sast]
+    scans_needed.all? { |scan_type| has_scan?(ci_file, scan_type) }
+  end
+
+  def has_scan?(ci_file, scan_type)
+    case scan_type
+    when :sca
+      ci_file.include?("uses: alphagov/govuk-infrastructure/.github/workflows/dependency-review.yml@main")
+    when :sast
+      ci_file.include?("uses: alphagov/govuk-infrastructure/.github/workflows/codeql-analysis.yml@main")
+    when :brakeman
+      ci_file.include?("uses: alphagov/govuk-infrastructure/.github/workflows/brakeman.yml@main") ||
+        ci_file.include?("bundle exec brakeman")
+    end
   end
 end

spec/github_fetcher_spec.rb

@@ -281,7 +281,7 @@
 
   describe "CI checks" do
     let(:bad_ci_file) { double(Sawyer::Resource, content: "rubbish") }
-    let(:good_ci_file) { double(Sawyer::Resource, content: "dXNlczogYWxwaGFnb3YvZ292dWstaW5mcmFzdHJ1Y3R1cmUvLmdpdGh1Yi93\nb3JrZmxvd3MvZGVwZW5kZW5jeS1yZXZpZXcueW1sQG1haW4KdXNlczogYWxw\naGFnb3YvZ292dWstaW5mcmFzdHJ1Y3R1cmUvLmdpdGh1Yi93b3JrZmxvd3Mv\nY29kZXFsLWFuYWx5c2lzLnltbEBtYWluCg==\n") }
+    let(:good_ci_file) { double(Sawyer::Resource, content: "dXNlczogYWxwaGFnb3YvZ292dWstaW5mcmFzdHJ1Y3R1cmUvLmdpdGh1Yi93\nb3JrZmxvd3MvZGVwZW5kZW5jeS1yZXZpZXcueW1sQG1haW4KdXNlczogYWxw\naGFnb3YvZ292dWstaW5mcmFzdHJ1Y3R1cmUvLmdpdGh1Yi93b3JrZmxvd3Mv\nY29kZXFsLWFuYWx5c2lzLnltbEBtYWluCnVzZXM6IGFscGhhZ292L2dvdnVr\nLWluZnJhc3RydWN0dXJlLy5naXRodWIvd29ya2Zsb3dzL2JyYWtlbWFuLnlt\nbEBtYWlu\n") }
     let(:use_labels) { false }
     let(:repos) { %w[repo1] }
 

templates/list_ci_issues.text.erb

@@ -1,4 +1,4 @@
-Please check that the following repos have <<%= "https://docs.publishing.service.gov.uk/manual/dependency-review.html" %>|<%= html_encode("SCA") %>> and <<%= "https://docs.publishing.service.gov.uk/manual/codeql.html" %>|<%= html_encode("SAST") %>> scans in their CI pipelines (.github/workflows/ci.yml):
+Please check that the following repos have <<%= "https://docs.publishing.service.gov.uk/manual/dependency-review.html" %>|<%= html_encode("SCA") %>>, <<%= "https://docs.publishing.service.gov.uk/manual/codeql.html" %>|<%= html_encode("SAST") %>> and <<%= "https://docs.publishing.service.gov.uk/manual/brakeman.html" %>|<%= html_encode("Brakeman") %>> scans in their CI pipelines (.github/workflows/ci.yml):
 <% @repos.each do |repo| -%>
 <<%= "https://github.com/alphagov/#{repo}" %>|<%= html_encode(repo) %>>
 <% end -%>