Need for a Viable Security Scanning Tool #767
What is the intended timeframe for this? I ask because the GitHub public roadmap has CodeQL ruby support available in Q3 of this year: github/roadmap#136 If it's not an urgent requirement, we could delay for a month or so and see about getting into that beta. We'd align with the other languages that way.
@ahayworth
It seems that it would be nice if it integrated with CodeQL the same way that Thoughts? E.g. Brakeman/CodeQL integration:

```yaml
# This workflow integrates Brakeman with GitHub's Code Scanning feature
# Brakeman is a static analysis security vulnerability scanner for Ruby on Rails applications
name: Brakeman Scan

on:
  push:
    branches: [ main ]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [ main ]
  schedule:
    - cron: '16 13 * * 6'

jobs:
  brakeman-scan:
    name: Brakeman Scan
    runs-on: ubuntu-latest
    steps:
      # Checkout the repository to the GitHub Actions runner
      - name: Checkout
        uses: actions/checkout@v2

      # Customize the ruby version depending on your needs
      - name: Setup Ruby
        uses: actions/setup-ruby@v1
        with:
          ruby-version: '2.7'

      - name: Setup Brakeman
        env:
          BRAKEMAN_VERSION: '4.10' # SARIF support is provided in Brakeman version 4.10+
        run: |
          gem install brakeman --version $BRAKEMAN_VERSION

      # Execute Brakeman CLI and generate a SARIF output with the security issues identified during the analysis
      - name: Scan
        continue-on-error: true
        run: |
          brakeman -f sarif -o output.sarif.json .

      # Upload the SARIF file generated in the previous step
      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: output.sarif.json
```
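As an added example (not from this thread, Brakeman or OpenTelemetry), a Ruby script that reads the SARIF file the Scan step writes, lists the findings, and decides whether the build should fail; the embedded sample report is constructed, with made-up rule ids, paths and messages. Because the Scan step above runs with `continue-on-error: true`, uploading the SARIF never fails the job on its own, so a gate like this is what makes serious findings block a merge.

```ruby
require 'json'

# Constructed sample in the SARIF 2.1.0 shape Brakeman emits with `-f sarif`; the
# rule ids, paths and messages are made up, and the third result omits "level" and
# "locations" to exercise the defaults a real report may rely on.
SAMPLE_SARIF = <<~JSON
  {"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "Brakeman"}}, "results": [
    {"ruleId": "BRAKE0002", "level": "error", "message": {"text": "Possible SQL injection"},
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/models/user.rb"},
                                         "region": {"startLine": 12}}}]},
    {"ruleId": "BRAKE0013", "level": "warning", "message": {"text": "Unescaped model attribute"},
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/views/users/show.html.erb"},
                                         "region": {"startLine": 3}}}]},
    {"ruleId": "BRAKE0016", "message": {"text": "Missing CSRF protection"}}
  ]}]}
JSON

# Flatten every result of every run into one hash per finding. SARIF makes "level"
# optional (default "warning") and a result may carry no location at all.
def sarif_findings(json_text)
  JSON.parse(json_text).fetch('runs', []).flat_map do |run|
    run.fetch('results', []).map do |r|
      loc = r.dig('locations', 0, 'physicalLocation') || {}
      { rule: r['ruleId'], level: r.fetch('level', 'warning'),
        message: r.dig('message', 'text'),
        file: loc.dig('artifactLocation', 'uri'), line: loc.dig('region', 'startLine') }
    end
  end
end

# Count findings per level, e.g. {"error"=>1, "warning"=>2}.
def count_by_level(findings)
  findings.group_by { |f| f[:level] }.transform_values(&:size)
end

LEVEL_RANK = { 'none' => -1, 'note' => 0, 'warning' => 1, 'error' => 2 }.freeze

# True when any finding is at or above the threshold. With continue-on-error on the
# scan step the workflow never fails on findings by itself; this is the gate to add.
def gate_failed?(findings, threshold: 'error')
  findings.any? { |f| LEVEL_RANK.fetch(f[:level], 1) >= LEVEL_RANK.fetch(threshold) }
end

if $PROGRAM_NAME == __FILE__
  findings = sarif_findings(ARGV[0] ? File.read(ARGV[0]) : SAMPLE_SARIF)
  findings.each { |f| puts "#{f[:level]} #{f[:rule]} #{f[:file]}:#{f[:line]} #{f[:message]}" }
  puts count_by_level(findings)
  exit 1 if ARGV[0] && gate_failed?(findings) # non-zero only when gating a real report
end
```

Run it as `ruby sarif_gate.rb output.sarif.json` as a step after the scan to fail the job on error-level findings while still uploading the report.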
I use bundler-audit for rails projects as part of ci to just raise when there are dependencies with known CVEs. I'm not sure how applicable its use would be here as a lot of our gems only depend on the API and the API doesn't depend on any gems. I'm in favour of waiting for CodeQL if that's a reasonable option, it keeps us consistent with the rest of the language implementations.
@open-telemetry/ruby-approvers The CodeQL team contacted me and they are offering us a private beta of the Ruby scanner. Would you all be amenable to opting into the private beta and trying it out on this repo?
Sure
A security workflow does not currently exist as part of the CI/CD or security workflows in the Ruby repository. This is to satisfy the requirements as per open-telemetry/opentelemetry-specification#1333.
CodeQL is the common security scanning tool that is used currently for all of OpenTelemetry's supported language repositories (Go, Java, JavaScript, Python, C++, etc.). Since CodeQL does not offer support for Ruby, an alternative must be found. The security tool found must be able to be integrated with GitHub Actions.
We evaluated different possibilities, but there seem to be few code scanning tools available for Ruby that could be integrated with GitHub Actions. The following code scanning tools for Ruby could work:
We’d like to better understand the opinions from Ruby engineers on a recommended code scanning tool so that one may be added to address #144 (open-telemetry/oteps#144).
cc @alolita @xukaren