Brakeman v4.5.1 released: A static analysis security vulnerability scanner for Ruby on Rails applications


Brakeman is an open source static analysis tool which checks Ruby on Rails applications for security vulnerabilities.

It can detect:

  • Possibly unescaped model attributes or parameters in views (Cross-Site Scripting)
  • Bad string interpolation in calls to Model.find, Model.last, Model.first, etc., as well as chained calls (SQL Injection)
  • String interpolation in find_by_sql (SQL Injection)
  • String interpolation or params in calls to system, exec, and syscall and “ (Command Injection)
  • Unrestricted mass assignments
  • Global restriction of mass assignment
  • Missing call to protect_from_forgery in ApplicationController (CSRF protection)
  • Default routes, per-controller and globally
  • Redirects based on params (probably too broad currently)
  • Validation regexes not using \A and \z
  • Calls to render with dynamic paths

General capabilities:

  • Search for method calls based on target class and/or method name
  • Determine ‘output’ of templates using ERB, Erubis, or HAML. Can handle automatic escaping

Changelog v4.5.1

  • Add initial Rails 6 support
  • Add optional check for config.force_ssl (#1181)
  • Add deserialization warning for Oj.load/object_load
  • Add SQL injection checks for destroy_by/delete_by
  • Add SQL injection checks for find_or_create_by and friends
  • Check link_to with block for href XSS (#1339)
  • Convert !! calls to boolean value (#1343)
  • Use relative paths for __FILE__
  • Represent file paths internally as Brakeman::FilePath
  • Handle empty partial names
  • Handle trailing comma in block args
  • Remove code for Ruby versions prior to 1.9


gem install brakeman


For a full list of options, use brakeman –help or see the file.

To specify an output file for the results:

brakeman -o output_file

The output format is determined by the file extension or by using the -f option. Current options are: text, html, tabs, json, markdown, csv, and codeclimate.

Multiple output files can be specified:

brakeman -o output.html -o output.json

To suppress informational warnings and just output the report:

brakeman -q

Note all Brakeman output except reports are sent to stderr, making it simple to redirect stdout to a file and just get the report.

To see all kinds of debugging information:

brakeman -d

Specific checks can be skipped if desired. The name needs to be the correct case. For example, to skip looking for default routes (DefaultRoutes):

brakeman -x DefaultRoutes

Multiple checks should be separated by a comma:

brakeman -x DefaultRoutes,Redirect

To do the opposite and only run a certain set of tests:

brakeman -t SQL,ValidationRegex

If Brakeman is running a bit slow, try

brakeman --faster

This will disable some features, but will probably be much faster (currently it is the same as --skip-libs --no-branching). WARNING: This may cause Brakeman to miss some vulnerabilities.

By default, Brakeman will return 0 as an exit code unless something went very wrong. To return an error code when warnings were found:

brakeman -z

To skip certain files or directories that Brakeman may have trouble parsing, use:

brakeman --skip-files file1,/path1/,path2/

To compare results of a scan with a previous scan, use the JSON output option and then:

brakeman --compare old_report.json

This will output JSON with two lists: one of fixed warnings and one of new warnings.

Brakeman will ignore warnings if configured to do so. By default, it looks for a configuration file in config/brakeman.ignore. To create and manage this file, use:

brakeman -I

Code committed on or after June 15, 2018 is licensed under the Brakeman Public Use Licese and is owned by Synopsys, Inc.

Code committed prior to June 15, 2018 is licensed under the MIT license and is owned by the respective copyright holders.