
WA-SEC-018: Sanitize Brakeman baseline metadata to reduce diff churn#984

Open
kitcommerce wants to merge 1 commit into next from issue-980-sanitize-brakeman-baseline-metadata

Conversation

@kitcommerce

Summary

Fixes #980.

The committed Brakeman baseline included several machine-specific and
time-varying fields that caused noisy, unstable diffs every time the
baseline was regenerated on a different machine or at a different time.

Changes

core/brakeman.baseline.json — sanitized baseline

Removes the following keys from scan_info:

Field        Reason removed
app_path     Contributor-machine absolute path (e.g. /Users/alice/…/core)
start_time   Timestamp — changes every run
end_time     Timestamp — changes every run
duration     Float run-time — changes every run

All warning fingerprints, warning content, and stable metadata
(rails_version, ruby_version, brakeman_version,
checks_performed, security_warnings, etc.) are unchanged.

script/update_brakeman_baseline — reproducible update script

Provides a canonical way for contributors to regenerate the baseline.
The script runs Brakeman then post-processes the output with the same
sanitization (strip app_path, start_time, end_time,
duration), writes consistent JSON formatting, and adds a trailing
newline.

Usage:

script/update_brakeman_baseline

Before / After

Before (scan_info excerpt — machine-specific, time-varying):

"scan_info": {
  "app_path": "/Users/jhill/workarea/core",
  "rails_version": "6.1",
  "security_warnings": 11,
  "start_time": "2026-03-13 12:18:18 -0400",
  "end_time": "2026-03-13 12:18:19 -0400",
  "duration": 1.009031,
  ...
}

After (scan_info excerpt — stable, portable):

"scan_info": {
  "rails_version": "6.1",
  "security_warnings": 11,
  ...
}

Regenerating the baseline on any machine now produces an identical diff
limited to actual warning changes — not contributor paths or timestamps.

Verification

  1. Run script/update_brakeman_baseline from the repo root.
  2. git diff core/brakeman.baseline.json — diffs should be limited to
    warning content; app_path, start_time, end_time, and
    duration should not appear.

Client Impact

None. This change is internal to the development and CI workflow only;
no application behaviour is modified.

Strip machine-specific and time-varying fields from core/brakeman.baseline.json:
  - app_path: contributor-machine absolute path
  - start_time / end_time: scan timestamps
  - duration: run-time float

Retains all stable fields (rails_version, ruby_version, brakeman_version,
check counts, checks_performed) and all warning fingerprints unchanged.

Add script/update_brakeman_baseline to generate a sanitized baseline
reproducibly; contributors should use this script instead of running
brakeman directly when refreshing the baseline.

Fixes #980
@kitcommerce kitcommerce added gate:build-pending Build gate running gate:build-passed Build gate passed and removed gate:build-pending Build gate running labels Mar 13, 2026
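The sanitization the description lays out (strip app_path, start_time, end_time and duration from scan_info, keep everything else, write consistently formatted JSON with a trailing newline), written out as an added example. This is my code, not the PR's script/update_brakeman_baseline, whose contents are not shown on this page. The function names, the brakeman command-line flags in regenerate_baseline, and the SAMPLE_BEFORE report are my assumptions; the sample is constructed to mirror the "before" excerpt above and is not a real scan. The volatile_keys_present helper is the check behind the Verification step: it returns whichever of the four keys still survive in a baseline file.

```ruby
require "json"
require "open3"

# scan_info keys the PR identifies as machine-specific or time-varying.
VOLATILE_SCAN_INFO_KEYS = %w[app_path start_time end_time duration].freeze

# Drop the volatile scan_info keys from a parsed Brakeman report (a Hash)
# and return a new Hash. Warnings, fingerprints and the stable metadata
# (rails_version, ruby_version, brakeman_version, checks_performed, ...)
# are passed through untouched.
def sanitize_report(report)
  scan_info = report.fetch("scan_info", {}).reject { |key, _| VOLATILE_SCAN_INFO_KEYS.include?(key) }
  report.merge("scan_info" => scan_info)
end

# Consistent formatting: 2-space pretty JSON plus a trailing newline, so the
# only differences between regenerations are real content differences.
def render_baseline(report)
  JSON.pretty_generate(report) + "\n"
end

# JSON text in, sanitized JSON text out.
def sanitize_baseline_json(json_text)
  render_baseline(sanitize_report(JSON.parse(json_text)))
end

# Verification helper: which volatile keys are still present in a baseline?
# An empty array means the file is clean.
def volatile_keys_present(json_text)
  scan_info = JSON.parse(json_text).fetch("scan_info", {})
  VOLATILE_SCAN_INFO_KEYS & scan_info.keys
end

# Run Brakeman on app_root and write a sanitized baseline to output_path.
# The flag set below is my assumed invocation (quiet, JSON to stdout, do not
# turn warnings or scan errors into a non-zero exit); the project's own
# script may call brakeman differently.
def regenerate_baseline(app_root, output_path)
  cmd = ["brakeman", "-q", "-f", "json", "--no-exit-on-warn", "--no-exit-on-error", "-p", app_root]
  stdout, status = Open3.capture2(*cmd)
  raise "brakeman failed with status #{status.exitstatus}" unless status.success?
  File.write(output_path, sanitize_baseline_json(stdout))
end

# Constructed sample mirroring the PR's "before" excerpt; versions and the
# single warning are made up for the example.
SAMPLE_BEFORE = <<~JSON
  {
    "scan_info": {
      "app_path": "/Users/jhill/workarea/core",
      "rails_version": "6.1",
      "security_warnings": 11,
      "start_time": "2026-03-13 12:18:18 -0400",
      "end_time": "2026-03-13 12:18:19 -0400",
      "duration": 1.009031,
      "checks_performed": ["BasicAuth", "SQL"],
      "ruby_version": "3.2.2",
      "brakeman_version": "6.1.2"
    },
    "warnings": [
      {"warning_type": "SQL Injection", "fingerprint": "deadbeef", "file": "app/models/order.rb", "line": 12}
    ],
    "ignored_warnings": [],
    "errors": [],
    "obsolete": []
  }
JSON

if __FILE__ == $PROGRAM_NAME
  if ARGV.include?("--regenerate")
    # e.g. ruby sanitize_brakeman.rb --regenerate core
    app_root = (ARGV - ["--regenerate"]).first || "."
    regenerate_baseline(app_root, "core/brakeman.baseline.json")
  else
    # Offline demonstration on the constructed sample.
    puts sanitize_baseline_json(SAMPLE_BEFORE)
  end
end
```

Run without arguments it prints the sanitized form of the constructed sample; with --regenerate it shells out to brakeman and writes core/brakeman.baseline.json. Because render_baseline re-serializes from parsed data rather than editing the text, sanitizing an already-sanitized baseline yields byte-identical output, which is what makes a repeated run on another machine a no-op in git diff.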