# Brakeman

Brakeman is a static analysis tool which checks Ruby on Rails applications for security vulnerabilities.

## Installation

Using RubyGems:

```
gem install brakeman
```

Using Bundler:

```ruby
group :development do
  gem 'brakeman', require: false
end
```

Using Docker:

```
docker pull presidentbeef/brakeman
```

Using Docker to build from source:

```
git clone https://github.com/presidentbeef/brakeman.git
cd brakeman
docker build . -t brakeman
```

## Usage

### Running locally

From a Rails application's root directory:

```
brakeman
```

Outside of Rails root:

```
brakeman /path/to/rails/application
```

### Running with Docker

From a Rails application's root directory:

```
docker run -v "$(pwd)":/code presidentbeef/brakeman
```

With a little nicer color:

```
docker run -v "$(pwd)":/code presidentbeef/brakeman --color
```

For an HTML report:

```
docker run -v "$(pwd)":/code presidentbeef/brakeman -o brakeman_results.html
```

Outside of Rails root (note that the output file is relative to path/to/rails/application):

```
docker run -v 'path/to/rails/application':/code presidentbeef/brakeman -o brakeman_results.html
```

## Compatibility

Brakeman should work with any version of Rails from 2.3.x to 7.x.

Brakeman can analyze code written with Ruby 2.0 syntax and newer, but requires at least Ruby 3.0.0 to run.

## Basic Options

For a full list of options, use `brakeman --help` or see the OPTIONS.md file.

To specify an output file for the results:

```
brakeman -o output_file
```

The output format is determined by the file extension or by using the `-f` option. Current options are: `text`, `html`, `tabs`, `json`, `junit`, `markdown`, `csv`, `codeclimate`, and `sonar`.

Multiple output files can be specified:

```
brakeman -o output.html -o output.json
```

To output to both a file and to the console, with color:

```
brakeman --color -o /dev/stdout -o output.json
```

To suppress informational warnings and just output the report:

```
brakeman -q
```

Note that all Brakeman output except reports is sent to stderr, making it simple to redirect stdout to a file and just get the report.

To see all kinds of debugging information:

```
brakeman -d
```

Specific checks can be skipped, if desired. The name needs to be the correct case. For example, to skip looking for default routes (`DefaultRoutes`):

```
brakeman -x DefaultRoutes
```

Multiple checks should be separated by a comma:

```
brakeman -x DefaultRoutes,Redirect
```

To do the opposite and only run a certain set of tests:

```
brakeman -t SQL,ValidationRegex
```

If Brakeman is running a bit slow, try

```
brakeman --faster
```

This will disable some features, but will probably be much faster (currently it is the same as `--skip-libs --no-branching`). WARNING: This may cause Brakeman to miss some vulnerabilities.

By default, Brakeman will return a non-zero exit code if any security warnings are found or scanning errors are encountered. To disable this:

```
brakeman --no-exit-on-warn --no-exit-on-error
```

To skip certain files or directories that Brakeman may have trouble parsing, use:

```
brakeman --skip-files file1,/path1/,path2/
```

To compare results of a scan with a previous scan, use the JSON output option and then:

```
brakeman --compare old_report.json
```

This will output JSON with two lists: one of fixed warnings and one of new warnings.

## Ignoring Warnings

Brakeman will ignore warnings if configured to do so. By default, it looks for a configuration file in `config/brakeman.ignore`.

To create and manage this file, use:

```
brakeman -I
```

If you want to temporarily see the warnings you ignored without affecting the exit code, use:

```
brakeman --show-ignored
```

## Warning Information

See the warning_types documentation for more information on the warnings reported by this tool.

## Warning Context

The HTML output format provides an excerpt from the original application source where a warning was triggered. Due to the processing done while looking for vulnerabilities, the source may not resemble the reported warning and reported line numbers may be slightly off. However, the context still provides a quick look into the code which raised the warning.

## Confidence Levels

Brakeman assigns a confidence level to each warning. This provides a rough estimate of how certain the tool is that a given warning is actually a problem. Naturally, these ratings should not be taken as absolute truth. There are three levels of confidence.

To only get warnings above a given confidence level:

```
brakeman -w3
```

The `-w` switch takes a number from 1 to 3, with 1 being low (all warnings) and 3 being high (only highest confidence warnings).

## Configuration Files

The Brakeman options can be stored and read from YAML files. To simplify the process of writing a configuration file, the `-C` option will output the currently set options:

```
$ brakeman -C --skip-files plugins/
---
:skip_files:
- plugins/
```

Options passed in on the command line have priority over configuration files.

The default config locations are `./config/brakeman.yml`, `~/.brakeman/config.yml`, and `/etc/brakeman/config.yml`.

The `-c` option can be used to specify a configuration file to use.

## Continuous Integration

There is a plugin available for Jenkins/Hudson.

For even more continuous testing, try the Guard plugin.

There are a couple of GitHub Actions available.

## Building

```
git clone git://github.com/presidentbeef/brakeman.git
cd brakeman
gem build brakeman.gemspec
gem install brakeman*.gem
```

## Homepage/News

Website: http://brakemanscanner.org/

Twitter: https://twitter.com/brakeman

Chat: https://gitter.im/presidentbeef/brakeman

## License

Brakeman is free for non-commercial use. See COPYING for details.
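The `--compare` output and the `-w` confidence threshold described above are the inputs a CI gate needs; the following Ruby script is an added example, not part of Brakeman itself, that reads a comparison report and fails the build only on new warnings at or above a chosen confidence level. It assumes the compare JSON uses the top-level keys `"new"` and `"fixed"` and that each warning carries the `confidence` strings `High`, `Medium` and `Weak` of Brakeman's JSON report; the sample report and the `MIN_CONFIDENCE` environment variable are constructed for this example.

```ruby
require "json"

# Constructed sample in the shape of `brakeman --compare old_report.json` output.
# Assumed: top-level keys "new" and "fixed"; each warning carries the fields of
# Brakeman's JSON report (warning_type, confidence, file, line, message, fingerprint).
SAMPLE_COMPARE_REPORT = <<~JSON
  {
    "new": [
      {"warning_type": "SQL Injection", "confidence": "High", "file": "app/models/user.rb",
       "line": 12, "message": "Possible SQL injection", "fingerprint": "f1"},
      {"warning_type": "Redirect", "confidence": "Weak", "file": "app/controllers/sessions_controller.rb",
       "line": 30, "message": "Possible unprotected redirect", "fingerprint": "f2"}
    ],
    "fixed": [
      {"warning_type": "Cross-Site Scripting", "confidence": "Medium", "file": "app/views/posts/show.html.erb",
       "line": 4, "message": "Unescaped model attribute", "fingerprint": "f3"}
    ]
  }
JSON

# Same scale as the -w switch: 1 keeps everything, 3 keeps only High confidence.
CONFIDENCE_RANK = { "High" => 3, "Medium" => 2, "Weak" => 1 }.freeze

def filter_by_confidence(warnings, min_level)
  warnings.select { |w| CONFIDENCE_RANK.fetch(w["confidence"], 0) >= min_level }
end

# Returns the new warnings that meet the threshold, the fixed ones, and the
# exit code a CI job should use (non-zero only when new warnings remain).
def summarize_compare(json_text, min_level: 1)
  report = JSON.parse(json_text)
  new_warnings = filter_by_confidence(report.fetch("new", []), min_level)
  { new: new_warnings, fixed: report.fetch("fixed", []),
    exit_code: new_warnings.empty? ? 0 : 1 }
end

def format_warning(w)
  "#{w['confidence']}: #{w['warning_type']} in #{w['file']}:#{w['line']}: #{w['message']}"
end

if $PROGRAM_NAME == __FILE__
  # With a report path argument, gate for real; without one, demonstrate on the sample.
  # MIN_CONFIDENCE is a hypothetical variable for this example, not a Brakeman setting.
  input = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_COMPARE_REPORT
  result = summarize_compare(input, min_level: (ENV["MIN_CONFIDENCE"] || "1").to_i)
  result[:fixed].each { |w| puts "fixed: #{format_warning(w)}" }
  result[:new].each   { |w| puts "NEW:   #{format_warning(w)}" }
  exit(result[:exit_code]) if ARGV[0]
end
```

Run it as `ruby gate.rb compare.json` after `brakeman --compare old_report.json -o compare.json`, alongside `--no-exit-on-warn` on the scan itself so that only new findings, not the pre-existing baseline, fail the job.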