brakeman-analysis.yml

# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.

# This workflow integrates Brakeman with GitHub's Code Scanning feature
# Brakeman is a static analysis security vulnerability scanner for Ruby on Rails applications

name: Brakeman Scan

on:
  push:
    branches: [ main ]
    paths: ['app/**']
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [ main ]
    paths: ['app/**']
  schedule:
    # cron format: 'minute hour dayofmonth month dayofweek'
    # this will run at noon UTC each Monday (7am EST / 8am EDT)
    - cron: '0 12 * * 1'
defaults:
  run:
    working-directory: ./app

jobs:
  brakeman-scan:
    name: Brakeman Scan
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4

    - uses: ./.github/actions/setup-languages

    # Execute Brakeman CLI.
    - name: Scan
      working-directory: app
      run: |
        bundle exec brakeman .