Add brakeman for scanning security vulnerabilities

.github/workflows/ci.yml

@@ -6,8 +6,24 @@ on:
     branches: [main]
 
 jobs:
+  scan_ruby:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: .ruby-version
+          bundler-cache: true
+
+      - name: Scan for security vulnerabilities in Ruby dependencies
+        run: bin/brakeman --no-pager
+
   lint:
     runs-on: ubuntu-latest
+    needs: scan_ruby
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
@@ -25,7 +41,7 @@ jobs:
 
   test:
     runs-on: ubuntu-latest
-    needs: lint
+    needs: [scan_ruby, lint]
     services:
       postgres:
         image: postgres
@@ -70,7 +86,7 @@ jobs:
   deploy:
     if: ${{ github.ref == 'refs/heads/main' }}
     runs-on: ubuntu-latest
-    needs: [lint, test]
+    needs: [scan_ruby, lint, test]
     steps:
       - name: Deploy to Render
         env:

Gemfile

@@ -88,6 +88,9 @@ group :development, :test do
   # A library for generating fake data such as names, addresses, and phone numbers
   gem "faker"
 
+  # Static analysis for security vulnerabilities [https://brakemanscanner.org/]
+  gem "brakeman", require: false
+
   ## Code Formatting & Linting
   # Omakase Ruby styling [https://github.com/rails/rubocop-rails-omakase/]
   gem "rubocop-rails-omakase", require: false

Gemfile.lock

@@ -89,6 +89,8 @@ GEM
     bindex (0.8.1)
     bootsnap (1.18.3)
       msgpack (~> 1.2)
+    brakeman (6.1.2)
+      racc
     builder (3.3.0)
     bullet (7.2.0)
       activesupport (>= 3.0.0)
@@ -421,6 +423,7 @@ PLATFORMS
 DEPENDENCIES
   active_storage_validations
   bootsnap
+  brakeman
   bullet
   capybara
   cloudinary

bin/brakeman

@@ -0,0 +1,9 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require "rubygems"
+require "bundler/setup"
+
+ARGV.unshift("--ensure-latest")
+
+load Gem.bin_path("brakeman", "brakeman")