Merge branch 'rf-update-brakeman-rules' into 'master'

Update brakeman rules [RUN AS-IF-FOSS] See merge request gitlab-org/gitlab!53414

Merge branch 'rf-update-brakeman-rules' into 'master'
Update brakeman rules [RUN AS-IF-FOSS] See merge request gitlab-org/gitlab!53414
8d7c0521 · Mayra Cabrera · 3e4c7f08 · b2e9cb76 · 8d7c0521 · 8d7c0521
Commit 8d7c0521 authored Feb 10, 2021 by Mayra Cabrera
3 changed files
--- a/changelogs/unreleased/rf-update-brakeman-rules.yml
+++ b/changelogs/unreleased/rf-update-brakeman-rules.yml
+---
+title: Update Ruby detection rules for SAST
+merge_request: 53414
+author:
+type: changed
--- a/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
@@ -66,7 +66,8 @@ brakeman-sast:
    - if: $CI_COMMIT_BRANCH &&
          $SAST_DEFAULT_ANALYZERS =~ /brakeman/
      exists:
-        - 'config/routes.rb'
+        - '**/*.rb'
+        - '**/Gemfile'

 eslint-sast:
  extends: .sast-analyzer

--- a/spec/services/ci/create_pipeline_service_spec.rb
+++ b/spec/services/ci/create_pipeline_service_spec.rb
@@ -537,7 +537,7 @@ RSpec.describe Ci::CreatePipelineService do
        it 'pull it from Auto-DevOps' do
          pipeline = execute_service
          expect(pipeline).to be_auto_devops_source
-          expect(pipeline.builds.map(&:name)).to match_array(%w[build code_quality eslint-sast secret_detection_default_branch test])
+          expect(pipeline.builds.map(&:name)).to match_array(%w[brakeman-sast build code_quality eslint-sast secret_detection_default_branch test])
        end
      end