
Set up Brakeman with gem in vendor space, and update dummy tests to generate files dynamically #33

Merged
kanejamison merged 13 commits into main from try-brakeman-with-/vendor/-install
Nov 16, 2025

Conversation

@kanejamison (Owner) commented Nov 16, 2025

Adds comprehensive security scanning using Brakeman, testing both generated templates and gem source code against Rails 8.0 and 8.1.

What Gets Scanned

Generated Code (from templates):

  • 8 controllers generated from lib/tasks/templates/controller.rb.tt and lib/tasks/templates/pages_controller.rb.tt
  • 14 view templates generated from lib/tasks/templates/*.html.erb.tt
  • Models generated from install templates
  • Initializer and migrations

Gem Source Code:

  • 20+ Ruby files from lib/bunko/ (controllers, models, routing)
  • All .tt template files

This ensures security coverage for both the code users generate AND the gem's library code.

Approach

  1. Generates Gemfile with specified Rails version
  2. Runs bunko:install to create migrations/models/initializer
  3. Runs db:migrate to set up database
  4. Runs bunko:setup to generate controllers/views from templates
  5. Copies gem source to vendor/bunko
  6. Runs Brakeman with --no-skip-vendor (scans both app + vendor)
  7. Fails build on security warnings

Why this matters: Template changes are scanned automatically - if someone modifies lib/tasks/templates/controller.rb.tt, the security scan will catch vulnerabilities in the generated code.

Implementation

New Files:

  • lib/tasks/brakeman_vendor.rake - Complete scanning workflow
  • test/dummy/config/initializers/bunko_test_config.rb - Test-specific config

Key Changes:

  • CI: Added security job with Rails version matrix (8.0.x, 8.1.x)
  • Rakefile: Added prepare_dummy task - regenerates test/dummy files before each test run
  • Test approach: test/dummy files are now generated fresh from templates (not committed)
  • Added brakeman development dependency
  • Added CSRF protection to ApplicationController
  • Updated .gitignore to exclude generated files

Why regenerate test/dummy files?
Tests now verify that templates generate working code. If a template breaks, tests fail.

Local Usage

# Scan with specific Rails version
RAILS_VERSION="~> 8.0.0" bundle exec rake brakeman:vendor_scan
RAILS_VERSION="~> 8.1.0" bundle exec rake brakeman:vendor_scan

# Clean up
bundle exec rake brakeman:vendor_clean

Verification

Tested and confirmed detection of:

  • ✅ SQL injection in model concerns
  • ✅ Unprotected redirects in controller concerns
  • ✅ XSS vulnerabilities in render methods

All correctly identified with paths in vendor/bunko/lib/bunko/...
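The scan-and-fail part of the workflow described above (Gemfile for the requested Rails series, a Brakeman invocation that does not skip vendor/, and a report check that says whether a finding came from a template or from the vendored gem), as an added example that is not the PR's own rake task. It assumes Brakeman's JSON report format (a `warnings` array whose entries carry `file`, `warning_type`, `line`, `confidence`); the file names in the sample report are constructed.

```ruby
require "json"

# Gemfile for the throwaway dummy app, pinned to the Rails series under test.
# Assumes rails_version is a bundler constraint such as "~> 8.0.0" (from RAILS_VERSION).
def gemfile_for(rails_version)
  <<~GEMFILE
    source "https://rubygems.org"
    gem "rails", "#{rails_version}"
    gem "sqlite3"
    gem "brakeman", require: false
  GEMFILE
end

# Brakeman command line: JSON report so CI can inspect it, and --no-skip-vendor so the
# gem copy under vendor/bunko is scanned alongside the generated app code.
def brakeman_command(app_dir, report = "tmp/brakeman.json")
  ["brakeman", "--no-skip-vendor", "-f", "json", "-o", report, "-p", app_dir]
end

# Parse a Brakeman JSON report and tag each finding by origin, so the failure message
# says whether a template (app/) or the gem source (vendor/bunko/) produced it.
def classify_warnings(report_json)
  JSON.parse(report_json).fetch("warnings", []).map do |w|
    origin = w["file"].start_with?("vendor/bunko/") ? :gem : :generated
    { origin: origin, type: w["warning_type"], file: w["file"],
      line: w["line"], confidence: w["confidence"] }
  end
end

# The build passes only when the report carries no warnings at all.
def scan_passed?(report_json)
  classify_warnings(report_json).empty?
end

# Constructed sample report shaped like Brakeman JSON output; not output of a real scan.
SAMPLE_REPORT = JSON.generate(
  "warnings" => [
    { "warning_type" => "SQL Injection", "file" => "vendor/bunko/lib/bunko/models/searchable.rb",
      "line" => 12, "confidence" => "High", "message" => "Possible SQL injection" },
    { "warning_type" => "Redirect", "file" => "app/controllers/pages_controller.rb",
      "line" => 8, "confidence" => "Medium", "message" => "Possible unprotected redirect" }
  ]
)

puts gemfile_for(ENV.fetch("RAILS_VERSION", "~> 8.0.0"))
puts brakeman_command("test/dummy").join(" ")
classify_warnings(SAMPLE_REPORT).each { |w| puts "#{w[:origin]}: #{w[:type]} at #{w[:file]}:#{w[:line]}" }
puts(scan_passed?(SAMPLE_REPORT) ? "scan passed" : "scan failed")
```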

@kanejamison kanejamison changed the title Set up brakeman and install bunko to /vendor/ Set up Brakeman with gem in vendor space, and update dummy tests to generate files dynamically Nov 16, 2025
@kanejamison kanejamison merged commit d3cef68 into main Nov 16, 2025
7 checks passed
@kanejamison kanejamison deleted the try-brakeman-with-/vendor/-install branch November 16, 2025 20:19