
Introduction

Brakeman is a security scanner that detects security vulnerabilities in Rails applications using static analysis. It works directly on the application's source code, so there is no need to set up the whole application stack in order to use this expedient security tool.
After scanning, it produces a report of all the security issues it has identified.

Advantages

Run It Anytime
Because all that Brakeman needs is the source code, it can be run at any stage of development: we can generate a new application with Rails and immediately scan it with Brakeman.
Better Coverage
Because it reads the source instead of crawling a running site, it covers more of the application.
It checks pages which might not be ‘live’ yet and finds security vulnerabilities before they become exploitable.
Speed
It is much faster than “black box” website scanners: even very large applications take only a few minutes to scan.

Limitations

False Positives
Because Brakeman is deliberately suspicious, it runs the risk of reporting many “false positives.”
Unusual Configurations
It assumes a “typical” Rails setup. If some part of the app does not follow the normal Rails application layout, there is a high chance that part will be missed during scanning.
Isn’t Omniscient
Brakeman cannot understand everything that is happening in the code. Sometimes it just makes reasonable assumptions. It may miss things. It may misinterpret things. But it does try its best.
For Issues, check: https://github.com/presidentbeef/brakeman/issues

Installing Brakeman

Gem install

Brakeman gems are now signed, which means the contents of the gem can be verified using the public Brakeman certificate.
Add the certificates below as “trusted” in order to verify the gem:
# Brakeman

# ruby_parser, etc.

# multijson

To verify:

Bundler
Brakeman can be added to a Gemfile:

git clone

Running Brakeman

Just run it with no options in the root directory of our Rails application:

It scans the application and prints the report to the command line.
Alternatively, we can supply a path as an option to Brakeman:

Even more specifically:

References

BrakemanScanner: https://brakemanscanner.org/docs/
Github: https://github.com/presidentbeef/brakeman
RubyGems: https://rubygems.org/gems/brakeman/versions/3.3.2
RailsCasts: http://railscasts.com/episodes/358-brakeman
