Add bearer to CI (#845)

Connected to pulibrary/dacs_handbook#238
pulibrary · Sep 18, 2024 · 096e8c6 · 096e8c6
1 parent 007b4ac
commit 096e8c6
Show file tree

Hide file tree

Showing 3 changed files with 57 additions and 2 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -84,7 +84,8 @@ jobs:
       - setup-node
       - persist_to_workspace:
           root: '~/project'
-          paths: '*'
+          paths: 
+            - '*'
 
   test:
     executor: lib-jobs-executor
@@ -127,7 +128,8 @@ jobs:
 
       - persist_to_workspace:
           root: '~/project'
-          paths: '*'
+          paths: 
+            - '*'
 
   rubocop:
     executor: lib-jobs-executor
@@ -145,9 +147,21 @@ jobs:
       - setup-bundler
       - run: bundle exec brakeman
 
+  bearer:
+    docker:
+      - image: cimg/ruby:3.2
+    environment:
+      # Set to default branch of your repo
+      DEFAULT_BRANCH: main
+    steps:
+      - checkout
+      - run: curl -sfL https://raw.githubusercontent.com/Bearer/bearer/main/contrib/install.sh | sh -s -- -b /tmp
+      - run: CURRENT_BRANCH=$CIRCLE_BRANCH SHA=$CIRCLE_SHA1 /tmp/bearer scan .
+
 workflows:
   build_accept:
     jobs:
+      - bearer
       - build
       - rubocop:
          requires:

diff --git a/bearer.ignore b/bearer.ignore
@@ -0,0 +1,8 @@
+{
+  "060fd7d66f86896cc409bf987e379a2d_0": {
+    "author": "Max Kadel",
+    "comment": "File is accessed via index on a list of files in a known directory",
+    "false_positive": true,
+    "ignored_at": "2024-09-18T19:03:36Z"
+  }
+}
diff --git a/bearer.yml b/bearer.yml
@@ -0,0 +1,33 @@
+disable-version-check: false
+log-level: info
+report:
+    fail-on-severity: critical,high,medium,low
+    format: ""
+    no-color: false
+    output: ""
+    report: security
+    severity: critical,high,medium,low,warning
+rule:
+    disable-default-rules: false
+    only-rule: []
+    # Tickets to remediate these rules and remove from this stanza:
+    #   ruby_lang_weak_hash_md - https://github.com/pulibrary/lib_jobs/issues/842
+    #   ruby_rails_password_length - https://github.com/pulibrary/lib_jobs/issues/843
+    #   ruby_rails_default_encryption - https://github.com/pulibrary/lib_jobs/issues/844
+    skip-rule: [ruby_lang_weak_hash_md, ruby_rails_password_length, ruby_rails_default_encryption]
+scan:
+    context: ""
+    data_subject_mapping: ""
+    disable-domain-resolution: true
+    domain-resolution-timeout: 3s
+    exit-code: -1
+    external-rule-dir: []
+    force: false
+    hide_progress_bar: false
+    internal-domains: []
+    parallel: 0
+    quiet: false
+    scanner:
+        - sast
+    skip-path: []
+    skip-test: true