BRAKEMAN: Rails Security Scanner


Brakeman is a security scanner that detects security vulnerabilities in Rails applications using static analysis. It scans the application's source code directly, so there is no need to set up the whole application stack in order to use it.
After scanning, it produces a report of all the security issues it has identified.


Run It Anytime
Because all Brakeman needs is the source code, it can be run at any stage of development: we can generate a new application with Rails and immediately scan it with Brakeman.
Better Coverage
It provides broader coverage of the application.
It checks pages which might not be ‘live’ yet, and finds security vulnerabilities before they become exploitable.
It is much faster than “black box” website scanners: even very large applications take only a few minutes to scan.


False Positives
Because it is somewhat suspicious, it runs the risk of producing many “false positives.”
Unusual Configurations
It assumes a “typical” Rails setup. If parts of the app do not follow the normal Rails application layout, there is a high chance that those parts will be missed during scanning.
Isn’t Omniscient
Brakeman cannot understand everything that is happening in the code. Sometimes it just makes reasonable assumptions. It may miss things. It may misinterpret things. But it does try its best.
For Issues, check:

Installing Brakeman

Gem install

gem install brakeman

Brakeman gems are now signed, so the contents of the gem can be verified using the public Brakeman certificate.
Add the certificates below as “trusted” to verify the gem:
# Brakeman
gem cert --add <(curl -Ls

# ruby_parser, etc.
gem cert --add <(curl -Ls

# multijson
gem cert --add <(curl -Ls

To verify the signature on install:

gem install brakeman -P MediumSecurity

Brakeman can be added to a Gemfile:

gem "brakeman", :require => false

git clone

git clone git://
cd brakeman
gem build brakeman.gemspec
gem install brakeman-*.gem

Running Brakeman

Just run it with no options in the root directory of our Rails application:

cd your_rails_app/
brakeman

It scans the application and prints the report to the command line.
Alternatively, we can supply a path as an option to Brakeman:

brakeman your_rails_app

Or, more explicitly, with the -p option:

brakeman -p your_rails_app
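As an added example (not part of Brakeman's own documentation), the following Ruby script runs Brakeman with the -p, -f json and -q options, then groups the reported warnings by type at or above a chosen confidence level so a CI job can decide whether the scan passes. The JSON field names used (warning_type, confidence, file, line, message, user_input) and the embedded sample report are assumptions constructed for the example, not real scanner output.

```ruby
require "json"
require "open3"

# Confidence levels Brakeman assigns to warnings, strongest first.
CONFIDENCE_ORDER = %w[High Medium Weak].freeze

# Run Brakeman on a Rails app directory and return the parsed JSON report.
# Brakeman exits non-zero when it finds warnings, so the exit status is
# deliberately not treated as an error here.
def run_brakeman(app_path)
  out, _err, _status = Open3.capture3("brakeman", "-p", app_path, "-f", "json", "-q")
  JSON.parse(out)
end

# Group warnings at or above min_confidence by warning type.
# Returns { "SQL Injection" => [warning, ...], ... }.
def triage(report, min_confidence: "Medium")
  allowed = CONFIDENCE_ORDER.take(CONFIDENCE_ORDER.index(min_confidence) + 1)
  report.fetch("warnings", [])
        .select { |w| allowed.include?(w["confidence"]) }
        .group_by { |w| w["warning_type"] }
end

# CI gate: true when no warning at or above min_confidence remains.
def passes?(report, min_confidence: "Medium")
  triage(report, min_confidence: min_confidence).empty?
end

# Constructed sample report (assumed field names, not real scanner output).
SAMPLE_REPORT = JSON.parse(<<~JSON)
  {"warnings": [
    {"warning_type": "SQL Injection", "confidence": "High",
     "file": "app/models/user.rb", "line": 12,
     "message": "Possible SQL injection", "user_input": "params[:name]"},
    {"warning_type": "Cross-Site Scripting", "confidence": "Weak",
     "file": "app/views/users/show.html.erb", "line": 3,
     "message": "Unescaped model attribute", "user_input": "User.new.bio"},
    {"warning_type": "Mass Assignment", "confidence": "Medium",
     "file": "app/controllers/users_controller.rb", "line": 20,
     "message": "Parameters should be whitelisted", "user_input": null}
  ]}
JSON

# Scan a real app when BRAKEMAN_APP is set; otherwise use the sample report.
report = ENV["BRAKEMAN_APP"] ? run_brakeman(ENV["BRAKEMAN_APP"]) : SAMPLE_REPORT
triage(report).each do |type, warnings|
  puts "#{type}: #{warnings.size}"
  warnings.each { |w| puts "  [#{w['confidence']}] #{w['file']}:#{w['line']} #{w['message']}" }
end
puts(passes?(report) ? "scan passed" : "scan failed: warnings at Medium confidence or above")
```

Run with BRAKEMAN_APP=your_rails_app to scan a real application; the script lists the Medium and High confidence findings and reports whether the gate passed.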