Add brakeman with GitHub action pipeline

For new Rails apps, brakeman is enabled by default

Author: MrSerth

.github/workflows/ci.yml

@@ -150,3 +150,25 @@ jobs:
           name: Slim-Lint Report
           title: Analyze Slim templates for linting issues
           path: checkstyle-result.xml
+
+  scan_ruby:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: .ruby-version
+          bundler-cache: true
+
+      - name: Scan for common Rails security vulnerabilities using static analysis
+        uses: reviewdog/action-brakeman@v2
+        with:
+          filter_mode: nofilter
+          reporter: github-check
+          skip_install: true
+          use_bundler: true
+          fail_on_error: true

Gemfile

@@ -65,6 +65,7 @@ gem 'sentry-ruby'
 group :development do
   gem 'better_errors'
   gem 'binding_of_caller'
+  gem 'brakeman'
   gem 'i18n-tasks'
   gem 'letter_opener'
   gem 'listen'

Gemfile.lock

@@ -96,6 +96,8 @@ GEM
       msgpack (~> 1.2)
     bootstrap-will_paginate (1.0.0)
       will_paginate
+    brakeman (6.2.1)
+      racc
     builder (3.3.0)
     bunny (2.23.0)
       amq-protocol (~> 2.3, >= 2.3.1)
@@ -605,6 +607,7 @@ DEPENDENCIES
   binding_of_caller
   bootsnap
   bootstrap-will_paginate
+  brakeman
   capybara
   coffee-rails (>= 5.0.0)
   config

bin/brakeman

@@ -0,0 +1,9 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require 'rubygems'
+require 'bundler/setup'
+
+ARGV.unshift('--ensure-latest')
+
+load Gem.bin_path('brakeman', 'brakeman')