
Blog Archive

Complete history of Brakeman releases and announcements

2025

Jul 18

Brakeman 7.1.0 Released

Haml 6 Support

Apr 04

Brakeman 7.0.2 Released

Error on Empty Environment Variable

Apr 03

Brakeman 7.0.1 Released

Fewer Code Evaluation Warnings

Jan 10

Brakeman LSP Support

Announcing the ruby-lsp-brakeman project!

2024

Dec 30

Brakeman 7.0.0 Released

Happy new year!

Oct 18

Brakeman 6.2.2 Released

Small release!

Aug 22

Brakeman 6.2.1 Released

Lots of great contributions in this release, thanks!

Feb 01

Brakeman 6.1.2 Released

Finally, just a small release!

2023

Dec 04

Brakeman 6.1.0 Released

It’s been a while!

Jul 20

Brakeman 6.0.1 Released

Very tiny release this time!

May 24

Brakeman 6.0.0 Released

Brakeman 6.0 drops parsing support for Ruby 1.8/1.9, and raises the minimum Ruby version to run Brakeman to 3.0.

Feb 21

Brakeman 5.4.1 Released

Several changes in this release are updates to Brakeman’s open redirect check.

2022

Nov 17

Brakeman 5.4.0 Released

Special thanks to Bart de Water and Ryan Cartner for proposing new rules!

Aug 09

Brakeman 5.3.0 Released

This release adds CWE information to reports - the first JSON report change in a long time!

May 01

Brakeman 5.2.3 Released

Hash Shorthand Syntax

Apr 06

Brakeman 5.2.2 Released

Equality Checks in Conditions

Jan 30

Brakeman 5.2.1 Released

Oops! Minor emergency fix release.

2021

Dec 15

Brakeman 5.2.0 Released

Initial Rails 7 Support

Oct 28

Brakeman 5.1.2 Released

Here’s a small bugfix release with a big parser update!

Jul 19

Brakeman 5.1.0 Released

This is a huge release! (So many changes, I had to look up how to nest lists in Markdown…)

Jun 08

Brakeman 5.0.4 Released

This is a tiny bugfix release!

Apr 27

Brakeman 5.0.1 Released

Has it really been three months since Brakeman 5.0? Yikes!

Jan 26

Brakeman 5.0.0 Released

It has been a long time coming, but it is finally here! Lots of changes in this one…

2020

Dec 24

Brakeman 4.10.1 Released

This release fixes Ruby 3.0 compatibility (meaning running under 3.0; new syntax is not supported yet).

Sep 28

Brakeman 4.10.0 Released

This release introduces a new report format!

Sep 04

Brakeman 4.9.1 Released

This release was prompted by the release of ruby_parser 3.15.0, which includes a lot of fixes and improvements, including support for some Ruby 2.7 syntax....

Aug 27

Brakeman Turns Ten!

Hi! Justin Collins here with a rare non-release-related Brakeman post.

Aug 04

Brakeman 4.9.0 Released

It’s been a while! This will (probably) be the last minor release before 5.0.

May 12

Brakeman 4.8.2 Released

This release introduces a new option and two new checks!

Apr 06

Brakeman 4.8.1 Released

Just a little bug fix release.

Feb 18

Brakeman 4.8.0 Released

First release of 2020! This release comes with a brand new report format: JUnit XML.

2019

Nov 25

Brakeman 4.7.2 Released

Some minor fixes for a minor release.

Oct 14

Brakeman 4.7.1 Released

This release includes a security fix in a dependency; please see below.

Oct 14

Brakeman 4.7.0 Released

This release updates Haml support to Haml 5.x!

Jul 24

Brakeman 4.6.1 Released

This release corrects a typo in the reverse tabnabbing warning message.

Jul 23

Brakeman 4.6.0 Released

This release has two new checks!

May 11

Brakeman 4.5.1 Released

This release adds initial support for Rails 6!

Mar 15

Brakeman 4.5.0 Released

This release drops support for running Brakeman with versions of Ruby older than 2.3.0. As always, scanning code with older syntax continues to be supported....

Jan 17

Brakeman 4.4.0 Released

Happy new year and apologies for the delay in releases! Brakeman should now return to the normal 1-2 month release cycle. There are already pull...

2018

Aug 30

Happy 8th Birthday, Brakeman!

In celebration of Brakeman’s 8th birthday this week, we’d like to share an update to keep you apprised of what we’ve been up to since...

Jun 28

Brakeman Has Been Acquired by Synopsys

We are excited to announce Brakeman Pro has been acquired by Synopsys.

Jun 06

Brakeman 4.3.1 Released

Mostly false positive reduction and bug fixes in this one!

May 10

Brakeman 4.3.0 Released

Did you know we recently broke 11 million gem downloads? Wow!

Mar 23

Brakeman 4.2.1 Released

This is a small release to add warnings for CVE-2018-3741 and CVE-2018-8048.

Feb 21

Brakeman 4.2.0 Released

First release of 2018!

2017

Dec 18

Brakeman 4.1.1 Released

Just a small fix-up release!

Dec 12

Brakeman 4.1.0 Released

Wow, it has been too long since the last release!

Sep 25

Brakeman 4.0 Released!

This release has breaking changes!

Aug 15

Brakeman 3.7.1/3.7.2 Released

Just a little release. Next up: 4.0!

Jun 29

Brakeman 3.7.0 Released

Performance Improvement with Hash/Array Accesses

May 19

Brakeman 3.6.2 Released

Rake Option Removed

Mar 24

Brakeman 3.6.1 Released

This is a small bug fix release to fix an issue when using --compare.

Mar 22

Brakeman 3.6.0 Released

Case Expressions

Jan 31

Brakeman 3.5.0 Released

SQL Injection Improvements

2016

Nov 02

Brakeman 3.4.1 Released

Configurable engines path (Jason Yeo)
Check CSRF setting in direct subclasses of ActionController::Base (Jason Yeo)
Pull Ruby version from .ruby-version or Gemfile
Use Ruby version...

Sep 07

Brakeman 3.4.0 Released

Oops! Brakeman's 6th birthday was August 27th! 🎉 6 years, 61 contributors, 91 releases, 3.3 million gem downloads 🎉— Brakeman Scanner (@brakeman) September 5, 2016...

Aug 12

Brakeman 3.3.4/3.3.5 Released

This is a quick release to add warnings for CVE-2016-6316 and CVE-2016-6317. There was a bug in 3.3.4 that affected debug output which has been...

Jul 20

Brakeman 3.3.3 Released

This release is mostly bug fixes and internal improvements, although it may find more warnings due to indexing of view helpers.

Jun 10

Brakeman 3.3.2 Released

This is a bug fix release.

Jun 03

Brakeman 3.3.1 Released

ERB Template Line Numbers

May 05

Brakeman 3.3.0 Released

Brakeman 3.3.0 introduces a new packaging method for Brakeman which vendors all dependencies and does not include any gem dependencies in the gemspec. Please test...

Feb 24

Brakeman 3.2.1 Released

As pointed out by Benjamin Fleischer, there was a lingering use of multi_json in bin/brakeman. This only caused a problem when using the --compare option....

Feb 24

Brakeman 3.2.0 Released

This release sheds a couple dependencies and adds support for new Ruby 2.3 syntax.

Jan 28

Brakeman 3.1.5 Released

This release adds warnings for the latest Rails CVEs.

2015

Dec 22
Dec 02

Brakeman 3.1.3 Released

This is a small bug fix release, except for one major new feature: Brakeman is now available as an engine on the new Code Climate...

Oct 28

Brakeman 3.1.2 Released

This release is mostly bug fixes and false positive reduction. However, please note fingerprints for inline render warnings will change.

Sep 23

Brakeman 3.1.1 Released

This release includes two new checks and a number of bug fixes.

Aug 30

Brakeman 3.1.0 Released

There are several changes in this release which may affect consumers of the JSON report as well as anyone relying on the ignore configuration file....

Jun 19

Brakeman 3.0.5 Released

And this is why you don’t rush out releases.

Jun 18

Brakeman 3.0.4 Released

This is a small release prompted by Tuesday’s CVE announcements. New checks for the CVEs directly in Rails have been added, and can also test...

Apr 30

Brakeman 3.0.3 Released

This is mostly a bug fix release, but does introduce a new warning code for when protect_from_forgery is not set to raise exceptions in Rails...

Mar 09

Brakeman 3.0.2 Released

This is entirely a bugfix release, no new features. However, the fixes may cause line numbers and warning fingerprints to change.

Jan 22

Brakeman 3.0.1 Released

This is a small release, but may change some fingerprints of warnings in libraries. Also, the Slim dependency has been removed due to conflicts. See...

Jan 02

Brakeman 3.0.0 Released

This is a major version release of Brakeman which introduces some backwards-incompatible changes. Very likely this release will cause many changes in reports, including fingerprints...

2014

Oct 13

Brakeman 2.6.3 Released

This is mostly a bug fix release, but does include new support for optional checks along with an optional check for unscoped calls to find....

Aug 27

Brakeman is Four Years Old!

Brakeman was first publicly released four years ago today!

Aug 18

Brakeman 2.6.2 Released

This release is mostly bug fixes and updates, but does include two new options.

Jul 02

Brakeman 2.6.1 Released

This is a tiny release in response to today’s CVEs.

Jun 06

Brakeman 2.6.0 Released

This release introduces significant changes to how and when files are parsed, which may introduce changes in existing warnings and errors.

Apr 30

Brakeman 2.5.0 Released

This release includes a number of false positive fixes, more Rails 4 support, a new check for regular expression denial of service, and Markdown output...

Mar 22

Brakeman 2.4.3 Released

A new gem version has been released because the 2.4.2 gem was not signed. No other changes were introduced.

Mar 20

Brakeman 2.4.2 Released

This release is only internal changes and bug fixes, but some scans may see significant time and memory improvements.

Feb 19

Brakeman 2.4.1 Released

This release only adds checks for the latest CVEs, no other changes.

Feb 05

Brakeman 2.4.0 Released

This is a fairly big release with some significant changes (especially for SQL injection warnings), so please test carefully. Existing warnings and fingerprints may change....

2013

Dec 12

Brakeman 2.3.1 Released

Two minor bugs were fixed in this release. Please see the 2.3.0 release post if you are upgrading from an earlier version.

Dec 11

Brakeman 2.3.0 Released

This is a small release, but adds several new warning codes for the latest Rails CVEs and a new check for uses of permit!. Also,...

Oct 28

Brakeman 2.2.0 Released

This is a small release, with some bug and false positive fixes alongside initial support for Rails engines and a new check for detailed exceptions....

Sep 18

Brakeman 2.1.2 Released - Important Security Update

Important: Contrary to the “Brakeman Philosophy,” there is one situation in which Brakeman attempts to load files from an application. This is a security risk...

Aug 21

Brakeman 2.1.1 Released

This is a small bug fix release. The only expected changes in warnings are for dangerous attributes in attr_accessible and cross site scripting involving model...

Jul 17

Brakeman 2.1.0 Released

Brakeman recently passed 250,000 downloads on RubyGems.org! Thanks to everyone who has contributed!

May 20

Brakeman 2.0.0 Released

Brakeman 2.0 is here! While it does include a lot of updates, the “2.0” is mostly to indicate this release includes some changes which may...

Apr 05

Brakeman 1.9.5 Released

As planned, Brakeman 1.9.5 is mostly internal bug fixes and improvements, with the one exception being a new check for symbol creation from user input....

Mar 18

Brakeman 1.9.4 Released

Another release forced out early due to Rails vulnerabilities reported today.

Mar 01

Brakeman 1.9.3 Released

Warning Fingerprints and New Identifiers

Feb 13

Brakeman 1.9.2 Released

This release is almost entirely enhancements to old checks or new checks for recent vulnerabilities. New features in the next release, I promise.

Jan 18

Brakeman 1.9.1 Released

This release was forced due to messed up dependencies with Brakeman 1.9.0 and Ruby2Ruby - my fault entirely! As such, this release does not match...

2012

Dec 25

Brakeman 1.9.0 Released

Happy Eggnog Riot day!

Nov 13

Brakeman 1.8.3 Released

This is primarily a false positive reduction release. One major change is the change in dependency from the json_pure gem to multi_json.

Oct 17

Brakeman 1.8.2 Released

This is a bugfix release, in particular fixing rescanning (used by guard-brakeman).

Sep 24
Sep 04

Brakeman 1.8.0 Released

Relative Paths in Reports

Aug 13

Brakeman 1.7.1 Released

This is a small release to add checks for the Rails vulnerabilities reported last week.

Jul 31

Brakeman 1.7.0 Released

This release includes improvements to Rails 3 route processing, better performance, several bug fixes, and more!

Jun 12

Brakeman 1.6.2 Released

Besides checks for the latest CVEs, this release includes a slightly improved redirect check, noisier output with --compare, and better handling of before_filter.

May 23

Brakeman 1.6.1 Released

Wow, it’s been over a month since the last release!

Apr 20

Brakeman 1.6 Released

A lot of code has changed in this release, particularly with the removal of the Ruport library for reporting. While Ruport worked pretty well, it...

Apr 10

Brakeman 1.5.3 Released

A considerable number of bugs and odd cases have been fixed with this release, and one new check has been added. Upgrading is always recommended!...

Mar 22

Brakeman 1.5.2 Released - Important Fixes

This update includes some important fixes. All users of the rails_xss plugin are particularly encouraged to upgrade.

Mar 22

Brakeman Jenkins Plugin 0.7 Released

The Jenkins/Hudson plugin which tracks, displays, and alerts on Brakeman warnings has been updated to work with the latest static analysis core plugin. In particular,...

Mar 05

Brakeman 1.5.1 Released

After the excitement yesterday with a mass assignment vulnerability being exploited in a very public manner on GitHub, interest in Brakeman has skyrocketed.

Mar 01

Brakeman 1.5.0 Released

A release was forced today because two new Rails vulnerabilities were reported (the first since November):

Feb 25

Brakeman 1.4.0 Released

This is not a big release, but it does add a new check. Also, processing for ERB templates with the rails_xss plugin has changed, so...

Feb 08

Brakeman 1.3.0 Released

Thanks to everyone who reported problems and suggestions this time around!

Jan 26

Brakeman 1.2.2 Released

No Progress Option

Jan 20

Brakeman 1.2.1 Released

This is essentially just a bugfix release, but due to the fixes for link_to warnings, there is a good possibility the number of reported warnings...

Jan 13

Brakeman 1.2 Released

First Brakeman release of 2012!

2011

Dec 21

Brakeman 1.1 Released

This was supposed to be a 1.0.1 release, but quite a bit of code changed.

Dec 08

Brakeman 1.0 Released!

While the step up to 1.0 was essentially forced by major changes since 0.9.2, this is still an important release for Brakeman. Internally, Brakeman is...

Dec 05

Brakeman 1.0 Release Candidate Available

Because there have been some major changes since 0.9.2, I have released a release candidate just in case there are problems. Please try it out...

Nov 21
Nov 18

Brakeman 0.9.1 Released

A new vulnerability was disclosed yesterday in the Rails translate helper.

Nov 16
Nov 04
Oct 25

Brakeman 0.8.3 Released

Changes for 0.8.3:

Oct 21

Brakeman Plugin 'Officially' Available for Jenkins

While a Brakeman plugin for the Jenkins/Hudson continuous integration tool has been available since January, thanks to some prodding the plugin is now available through...

Sep 15

Brakeman 0.8.0 Released

Change list for Brakeman 0.8.0:

Aug 27

One Year Anniversary

One year ago, Brakeman 0.0.1 was released as a gem. Then it was promptly yanked and replaced with Brakeman 0.0.2.