Brakeman – Rails Security Scanner


Code static analysis in applications is important to identify security vulnerabilities. if you need to check Ruby on Rails it is possible to use Brakeman. The project is intended to verify the security troubles in Ruby on Rails web framework source code at any phase of the development. It works on Rails 2.x, 3.x, and 4.x. the report may include three levels of severity:

  • High this is for detecting a user input used in unsafe ways.
  • Medium which indicate an unsafe use of a variable.
  • Weak severity for a user input was indirectly used in a potentially unsafe manner.

The scanner can be used with one command:

# brakeman rails_application_to_scan

Brakeman allows to identify Cross Site Scripting, SQL Injection,Command Injection , Mass Assignment , Attribute Restriction , Cross-Site Request Forgery , Unsafe Redirects , DoS , Dynamic Render Paths , Information Disclosure and Remote Code Execution vulnerabilities.

It is possible to reduce false positives by using a set of checks to run or a set of checks to exclude. There is also a plugin available for Jenkins/Hudson. you can download the tool on the following link: