add brakeman scanning (#840)

* add brakeman scanning

* Update Ruby version to 'head' in Brakeman workflow

* Add Brakeman workflow for code scanning

Author: 3kh0

.github/workflows/ci.yml

@@ -11,6 +11,9 @@ on:
 jobs:
   scan_ruby:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
 
     steps:
       - name: Checkout code
@@ -23,7 +26,13 @@ jobs:
           bundler-cache: true
 
       - name: Scan for common Rails security vulnerabilities using static analysis
-        run: bin/brakeman --no-pager
+        continue-on-error: true
+        run: bin/brakeman --no-pager -f sarif -o brakeman.sarif.json
+
+      - name: Upload SARIF to GitHub Code Scanning
+        uses: github/codeql-action/upload-sarif@v4
+        with:
+          sarif_file: brakeman.sarif.json
 
   scan_js:
     runs-on: ubuntu-latest