Home
Brakeman is a static analysis tool for finding security vulnerabilities in Rails applications. Point it at the root directory of your Rails application code and it will generate a report listing any potential vulnerabilities it has found.
Unlike typical website vulnerability scanners, such as SkipFish, WebInspect, Burp Suite, etc., Brakeman scans your source code for vulnerabilities. This means security testing can begin at any stage of development: there is no need to deploy the application or set up the full web stack, and the code does not even need to be fully functional.
Because Brakeman does not depend on crawling links in a running site, it can examine code paths a black-box scanner would never reach, and it can find vulnerabilities before they become exploitable on the live website.
Brakeman can also check your Rails application for specific global settings or best practices.
Each check is performed independently, so it is possible to run only a specific check or a subset of all available checks. Adding checks is also fairly simple, depending on what information the check requires.
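To make the approach concrete, here is a toy scanner written for this page; it is not Brakeman's code and is far cruder than Brakeman's real checks, which parse the Ruby into an AST and track data flow. It shows the three points above: the input is source text that never has to boot (the constructed sample controller references models that do not exist), each check is an independent class, and a caller can run all checks or just a named subset. The sample controller, the check names and the `scan` helper are all assumptions made for the example.

```ruby
# Toy source-level scanner in the spirit of Brakeman (illustration only, not
# Brakeman's own code). It reads Rails-style source text and never loads the app.

# Constructed sample: this controller could not even boot here (User is not
# defined), which does not matter for static analysis.
SAMPLE_CONTROLLER = <<~'RUBY'
  class ReportsController < ApplicationController
    def index
      @users = User.where("name = '#{params[:name]}'")   # SQL built from params
      @safe  = User.where(name: params[:name])           # parameterised, fine
    end

    def export
      system("convert #{params[:file]} out.pdf")         # shell built from params
      render plain: `ls -l #{Rails.root}`                # interpolation, no user input
    end
  end
RUBY

Finding = Struct.new(:check, :line, :message, :code)

# Sources of user-controlled input that a check treats as tainted.
USER_INPUT = /params\[|cookies\[|request\./

# Base class: every check walks the source on its own and collects findings,
# so checks can be run in any combination.
class Check
  attr_reader :findings

  def initialize(source)
    @source = source
    @findings = []
  end

  def run
    @source.each_line.with_index(1) { |line, no| inspect_line(line, no) }
    @findings
  end

  private

  def report(no, line, message)
    @findings << Finding.new(self.class.name, no, message, line.strip)
  end

  # A string literal that interpolates request data is the pattern we care about.
  def interpolates_user_input?(str)
    str.include?('#{') && str.match?(USER_INPUT)
  end
end

# Flags ActiveRecord query methods given a string literal built from request data.
class CheckSQL < Check
  QUERY = /\.(where|order|group|having|select|joins|find_by_sql)\(\s*"[^"]*"/

  def inspect_line(line, no)
    m = line.match(QUERY)
    return unless m
    report(no, line, "possible SQL injection") if interpolates_user_input?(m[0])
  end
end

# Flags shell execution whose command string is built from request data.
class CheckExecute < Check
  SHELL = /\b(system|exec|spawn|popen)\(\s*"[^"]*"|`[^`]*`/

  def inspect_line(line, no)
    m = line.match(SHELL)
    return unless m
    report(no, line, "possible command injection") if interpolates_user_input?(m[0])
  end
end

CHECKS = { "CheckSQL" => CheckSQL, "CheckExecute" => CheckExecute }

# Run all checks, or only a named subset, over a piece of source text.
def scan(source, only: CHECKS.keys, except: [])
  (only - except).flat_map { |name| CHECKS.fetch(name).new(source).run }
end

if __FILE__ == $0
  scan(SAMPLE_CONTROLLER).each do |f|
    puts "#{f.check} line #{f.line}: #{f.message}\n    #{f.code}"
  end
end
```

Running the script reports the `where` call on line 3 and the `system` call on line 8, while the parameterised query and the backtick command that only interpolates `Rails.root` are left alone. `scan(SAMPLE_CONTROLLER, only: ["CheckSQL"])` runs a single check; the real tool exposes the same selection through its `-t`/`--test` and `-x`/`--except` options, described on the Options page.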
Brakeman can currently generate text, HTML, and CSV reports. HTML reports are recommended, however, as they provide the most information.
To get an idea of what the reports look like, please see Example Reports.
Brakeman also works with the Jenkins/Hudson continuous integration tool, for automatic report generation and alerts.
If you have an idea for a vulnerability or best practice Brakeman might be able to test for, please file an issue containing your idea. Ideas are welcome!
If you have some code that you know contains a vulnerability, yet Brakeman failed to report it, please file an issue with code demonstrating the problem.
For more information on the vulnerabilities reported by brakeman, please see the list of Warning Types.
See Options for information on settings available when running brakeman.
Check Interpreting Reports for tips on understanding the reports generated by brakeman.
You may also want to contribute to the Desired Features.
There are also some Similar Projects worth comparing.
Some Performance results have been compiled.
Documentation from the code is available online.
Finally, here are some slides (PDF) from a presentation on Brakeman.