Update Ruby detection rules for SAST

Now that brakeman supports scanning any Ruby file, update detection logic to scan any Ruby project, not just Rails projects.

Update Ruby detection rules for SAST
Now that brakeman supports scanning any Ruby file, update detection logic to scan any Ruby project, not just Rails projects.
b2e9cb76 · rossfuhrman · d76e9a84 · b2e9cb76 · b2e9cb76 · b2e9cb76
Commit b2e9cb76 authored Feb 04, 2021 by rossfuhrman
3 changed files
--- a/changelogs/unreleased/rf-update-brakeman-rules.yml
+++ b/changelogs/unreleased/rf-update-brakeman-rules.yml
+---
+title: Update Ruby detection rules for SAST
+merge_request: 53414
+author:
+type: changed
--- a/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
@@ -66,7 +66,8 @@ brakeman-sast:
    - if: $CI_COMMIT_BRANCH &&
          $SAST_DEFAULT_ANALYZERS =~ /brakeman/
      exists:
-        - 'config/routes.rb'
+        - '**/*.rb'
+        - '**/Gemfile'

 eslint-sast:
  extends: .sast-analyzer

--- a/spec/services/ci/create_pipeline_service_spec.rb
+++ b/spec/services/ci/create_pipeline_service_spec.rb
@@ -538,7 +538,7 @@ RSpec.describe Ci::CreatePipelineService do
        it 'pull it from Auto-DevOps' do
          pipeline = execute_service
          expect(pipeline).to be_auto_devops_source
-          expect(pipeline.builds.map(&:name)).to match_array(%w[build code_quality eslint-sast secret_detection_default_branch test])
+          expect(pipeline.builds.map(&:name)).to match_array(%w[brakeman-sast build code_quality eslint-sast secret_detection_default_branch test])
        end
      end