Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

README.md: require: false to bundler instructions #1854

Merged
merged 1 commit into from
Jun 28, 2024
Merged

README.md: require: false to bundler instructions #1854

merged 1 commit into from
Jun 28, 2024

Conversation

runephilosof-abtion
Copy link
Contributor

No reason to load the code.
Not loading the code is faster.

Brakeman is always executed using bundle exec brakeman or using its binstub, which will still work with require: false

@runephilosof-abtion
README.md: require: false to bundler instructions
f114756 
No reason to load the code.
Not loading the code is faster.

Brakeman is always executed using `bundle exec brakeman` or using its binstub, which will still work with `require: false`
@dryrunsecurity DryRunSecurity
Copy link

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security Status Findings
Server-Side Request Forgery Analyzer 0 findings
Configured Codepaths Analyzer 0 findings
Authn/Authz Analyzer 0 findings
Secrets Analyzer 0 findings
IDOR Analyzer 0 findings
SQL Injection Analyzer 0 findings
Sensitive Files Analyzer 0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary (click to expand)

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The code change in this Pull Request updates the Brakeman gem dependency in the README.md file. Specifically, it changes the Brakeman gem from being required by default to being required only in the development group. This is a positive security improvement, as it follows the principle of least privilege and ensures that the security scanning tool is only used in the appropriate environment.

Including security scanning tools like Brakeman in the production environment can potentially introduce security vulnerabilities or performance issues, as the tool itself may have security flaws or may impact the application's performance. By keeping Brakeman in the development environment, the application can still benefit from its security scanning capabilities during the development and testing phases, without introducing any potential issues in the production environment.

Files Changed:

  • README.md: The changes in this file update the Brakeman gem dependency, moving it from being required by default to being required only in the development group. This is a security-conscious change that ensures the security scanning tool is not included in the production environment, which is a best practice.

Powered by DryRun Security

@presidentbeef presidentbeef merged commit 4e7c8c5 into presidentbeef:main Jun 28, 2024
16 checks passed
@presidentbeef
Copy link
Owner

Hi @runephilosof-abtion,

While this is true, it should be noted that I gave up on recommending this a long time ago (#889?) and instead most of Brakeman is dynamically loaded on use. You'll note https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman.rb requires almost no other files.

So the difference between using require: false or not is pretty small.

But anyway no harm in adding this for those who pay attention.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@runephilosof-abtion @presidentbeef