2025
Brakeman 7.1.0 Released
Haml 6 Support
Brakeman 7.0.2 Released
Error on Empty Environment Variable
Brakeman 7.0.1 Released
Fewer Code Evaluation Warnings
Brakeman LSP Support
Announcing the ruby-lsp-brakeman project!
2024
Brakeman 7.0.0 Released
Happy new year!
Brakeman 6.2.2 Released
Small release!
Brakeman 6.2.1 Released
Lots of great contributions in this release, thanks!
Brakeman 6.1.2 Released
Finally, just a small release!
2023
Brakeman 6.1.0 Released
It’s been a while!
Brakeman 6.0.1 Released
Very tiny release this time!
Brakeman 6.0.0 Released
Brakeman 6.0 drops parsing support for Ruby 1.8/1.9, and raises the minimum Ruby version to run Brakeman to 3.0.
Brakeman 5.4.1 Released
Several changes in this release are updates to Brakeman’s open redirect check.
2022
Brakeman 5.4.0 Released
Special thanks to Bart de Water and Ryan Cartner for proposing new rules!
Brakeman 5.3.0 Released
This release adds CWE information to reports - the first JSON report change in a long time!
Brakeman 5.2.3 Released
Hash Shorthand Syntax
Brakeman 5.2.2 Released
Equality Checks in Conditions
Brakeman 5.2.1 Released
Oops! Minor emergency fix release.
2021
Brakeman 5.2.0 Released
Initial Rails 7 Support
Brakeman 5.1.2 Released
Here’s a small bugfix release with a big parser update!
Brakeman 5.1.0 Released
This is a huge release! (So many changes, I had to look up how to nest lists in Markdown…)
Brakeman 5.0.4 Released
This is a tiny bugfix release!
Brakeman 5.0.1 Released
Has it really been three months since Brakeman 5.0? Yikes!
Brakeman 5.0.0 Released
It has been a long time coming, but it is finally here! Lots of changes in this one…
2020
Brakeman 4.10.1 Released
This release fixes Ruby 3.0 compatibility (meaning Brakeman runs under Ruby 3.0; new Ruby 3.0 syntax is not supported yet).
Brakeman 4.10.0 Released
This release introduces a new report format!
Brakeman 4.9.1 Released
This release was prompted by the release of ruby_parser 3.15.0, which includes a lot of fixes and improvements, including support for some Ruby 2.7 syntax....
Brakeman Turns Ten!
Hi! Justin Collins here with a rare non-release-related Brakeman post.
Brakeman 4.9.0 Released
It’s been a while! This will (probably) be the last minor release before 5.0.
Brakeman 4.8.2 Released
This release introduces a new option and two new checks!
Brakeman 4.8.1 Released
Just a little bug fix release.
Brakeman 4.8.0 Released
First release of 2020! This release comes with a brand new report format: JUnit XML.
2019
Brakeman 4.7.2 Released
Some minor fixes for a minor release.
Brakeman 4.7.1 Released
This release includes a security fix in a dependency; please see below.
Brakeman 4.7.0 Released
This release updates Haml support to Haml 5.x!
Brakeman 4.6.1 Released
This release corrects a typo in the reverse tabnabbing warning message.
Brakeman 4.6.0 Released
This release has two new checks!
Brakeman 4.5.1 Released
This release adds initial support for Rails 6!
Brakeman 4.5.0 Released
This release drops support for running Brakeman with versions of Ruby older than 2.3.0. As always, scanning code with older syntax continues to be supported....
Brakeman 4.4.0 Released
Happy new year and apologies for the delay in releases! Brakeman should now return to the normal 1-2 month release cycle. There are already pull...
2018
Happy 8th Birthday, Brakeman!
In celebration of Brakeman’s 8th birthday this week, we’d like to share an update to keep you apprised of what we’ve been up to since...
Brakeman Has Been Acquired by Synopsys
We are excited to announce Brakeman Pro has been acquired by Synopsys.
Brakeman 4.3.1 Released
Mostly false positive reduction and bug fixes in this one!
Brakeman 4.3.0 Released
Did you know we recently broke 11 million gem downloads? Wow!
Brakeman 4.2.1 Released
This is a small release to add warnings for CVE-2018-3741 and CVE-2018-8048.
Brakeman 4.2.0 Released
First release of 2018!
2017
Brakeman 4.1.1 Released
Just a small fix-up release!
Brakeman 4.1.0 Released
Wow, it has been too long since the last release!
Brakeman 4.0 Released!
This release has breaking changes!
Brakeman 3.7.1/3.7.2 Released
Just a little release. Next up: 4.0!
Brakeman 3.7.0 Released
Performance Improvement with Hash/Array Accesses
Brakeman 3.6.2 Released
Rake Option Removed
Brakeman 3.6.1 Released
This is a small bug fix release to fix an issue when using --compare.
Brakeman 3.6.0 Released
Case Expressions
Brakeman 3.5.0 Released
SQL Injection Improvements
2016
Brakeman 3.4.1 Released
Configurable engines path (Jason Yeo); check CSRF setting in direct subclasses of ActionController::Base (Jason Yeo); pull Ruby version from .ruby-version or Gemfile; use Ruby version...
Brakeman 3.4.0 Released
Oops! Brakeman's 6th birthday was August 27th! 🎉 6 years, 61 contributors, 91 releases, 3.3 million gem downloads 🎉— Brakeman Scanner (@brakeman) September 5, 2016...
Brakeman 3.3.4/3.3.5 Released
This is a quick release to add warnings for CVE-2016-6316 and CVE-2016-6317. There was a bug in 3.3.4 that affected debug output which has been...
Brakeman 3.3.3 Released
This release is mostly bug fixes and internal improvements, although it may find more warnings due to indexing of view helpers.
Brakeman 3.3.2 Released
This is a bug fix release.
Brakeman 3.3.1 Released
ERB Template Line Numbers
Brakeman 3.3.0 Released
Brakeman 3.3.0 introduces a new packaging method for Brakeman which vendors all dependencies and does not include any gem dependencies in the gemspec. Please test...
Brakeman 3.2.1 Released
As pointed out by Benjamin Fleischer, there was a lingering use of multi_json in bin/brakeman. This only caused a problem when using the --compare option....
Brakeman 3.2.0 Released
This release sheds a couple dependencies and adds support for new Ruby 2.3 syntax.
Brakeman 3.1.5 Released
This release adds warnings for the latest Rails CVEs.
2015
Brakeman 3.1.4 Released
Brakeman Pi!
Brakeman 3.1.3 Released
This is a small bug fix release, except for one major new feature: Brakeman is now available as an engine on the new Code Climate...
Brakeman 3.1.2 Released
This release is mostly bug fixes and false positive reduction. However, please note fingerprints for inline render warnings will change.
Brakeman 3.1.1 Released
This release includes two new checks and a number of bug fixes.
Brakeman 3.1.0 Released
There are several changes in this release which may affect consumers of the JSON report as well as anyone relying on the ignore configuration file....
Brakeman 3.0.5 Released
And this is why you don’t rush out releases.
Brakeman 3.0.4 Released
This is a small release prompted by Tuesday’s CVE announcements. New checks for the CVEs directly in Rails have been added, and can also test...
Brakeman 3.0.3 Released
This is mostly a bug fix release, but does introduce a new warning code for when protect_from_forgery is not set to raise exceptions in Rails...
Brakeman 3.0.2 Released
This is entirely a bugfix release, no new features. However, the fixes may cause line numbers and warning fingerprints to change.
Brakeman 3.0.1 Released
This is a small release, but may change some fingerprints of warnings in libraries. Also, the Slim dependency has been removed due to conflicts. See...
Brakeman 3.0.0 Released
This is a major version release of Brakeman which introduces some backwards-incompatible changes. Very likely this release will cause many changes in reports, including fingerprints...
2014
Brakeman 2.6.3 Released
This is mostly a bug fix release, but does include new support for optional checks along with an optional check for unscoped calls to find....
Brakeman is Four Years Old!
Brakeman was first publicly released four years ago today!
Brakeman 2.6.2 Released
This release is mostly bug fixes and updates, but does include two new options.
Brakeman 2.6.1 Released
This is a tiny release in response to today’s CVEs.
Brakeman 2.6.0 Released
This release introduces significant changes to how and when files are parsed, which may introduce changes in existing warnings and errors.
Brakeman 2.5.0 Released
This release includes a number of false positive fixes, more Rails 4 support, a new check for regular expression denial of service, and Markdown output...
Brakeman 2.4.3 Released
A new gem version has been released because the 2.4.2 gem was not signed. No other changes were introduced.
Brakeman 2.4.2 Released
This release is only internal changes and bug fixes, but some scans may see significant time and memory improvements.
Brakeman 2.4.1 Released
This release only adds checks for the latest CVEs, no other changes.
Brakeman 2.4.0 Released
This is a fairly big release with some significant changes (especially for SQL injection warnings), so please test carefully. Existing warnings and fingerprints may change....
2013
Brakeman 2.3.1 Released
Two minor bugs were fixed in this release. Please see the 2.3.0 release post if you are upgrading from an earlier version.
Brakeman 2.3.0 Released
This is a small release, but adds several new warning codes for the latest Rails CVEs and a new check for uses of permit!. Also,...
Brakeman 2.2.0 Released
This is a small release, with some bug and false positive fixes alongside initial support for Rails engines and a new check for detailed exceptions....
Brakeman 2.1.2 Released - Important Security Update
Important: Contrary to the “Brakeman Philosophy,” there is one situation in which Brakeman attempts to load files from an application. This is a security risk...
Brakeman 2.1.1 Released
This is a small bug fix release. The only expected changes in warnings are for dangerous attributes in attr_accessible and cross site scripting involving model...
Brakeman 2.1.0 Released
Brakeman recently passed 250,000 downloads on RubyGems.org! Thanks to everyone who has contributed!
Brakeman 2.0.0 Released
Brakeman 2.0 is here! While it does include a lot of updates, the “2.0” is mostly to indicate this release includes some changes which may...
Brakeman 1.9.5 Released
As planned, Brakeman 1.9.5 is mostly internal bug fixes and improvements, with the one exception being a new check for symbol creation from user input....
Brakeman 1.9.4 Released
Another release forced out early due to Rails vulnerabilities reported today.
Brakeman 1.9.3 Released
Warning Fingerprints and New Identifiers
Brakeman 1.9.2 Released
This release is almost entirely enhancements to old checks or new checks for recent vulnerabilities. New features in the next release, I promise.
Brakeman 1.9.1 Released
This release was forced due to messed up dependencies with Brakeman 1.9.0 and Ruby2Ruby - my fault entirely! As such, this release does not match...
2012
Brakeman 1.9.0 Released
Happy Eggnog Riot day!
Brakeman 1.8.3 Released
This is primarily a false positive reduction release. One major change is the change in dependency from the json_pure gem to multi_json.
Brakeman 1.8.2 Released
This is a bugfix release, in particular fixing rescanning (used by guard-brakeman).
Brakeman 1.8.1 Released
Bug fixes!
Brakeman 1.8.0 Released
Relative Paths in Reports
Brakeman 1.7.1 Released
This is a small release to add checks for the Rails vulnerabilities reported last week.
Brakeman 1.7.0 Released
This release includes improvements to Rails 3 route processing, better performance, several bug fixes, and more!
Brakeman 1.6.2 Released
Besides checks for the latest CVEs, this release includes a slightly improved redirect check, noisier output with --compare, and better handling of before_filter.
Brakeman 1.6.1 Released
Wow, it’s been over a month since the last release!
Brakeman 1.6 Released
A lot of code has changed in this release, particularly with the removal of the Ruport library for reporting. While Ruport worked pretty well, it...
Brakeman 1.5.3 Released
A considerable number of bugs and odd cases have been fixed with this release, and one new check has been added. Upgrading is always recommended!...
Brakeman 1.5.2 Released - Important Fixes
This update includes some important fixes. All users of the rails_xss plugin are particularly encouraged to upgrade.
Brakeman Jenkins Plugin 0.7 Released
The Jenkins/Hudson plugin which tracks, displays, and alerts on Brakeman warnings has been updated to work with the latest static analysis core plugin. In particular,...
Brakeman 1.5.1 Released
After the excitement yesterday with a mass assignment vulnerability being exploited in a very public manner on GitHub, interest in Brakeman has skyrocketed.
Brakeman 1.5.0 Released
A release was forced today because two new Rails vulnerabilities were reported (the first since November):
Brakeman 1.4.0 Released
This is not a big release, but it does add a new check. Also, processing for ERB templates with the rails_xss plugin has changed, so...
Brakeman 1.3.0 Released
Thanks to everyone who reported problems and suggestions this time around!
Brakeman 1.2.2 Released
No Progress Option
Brakeman 1.2.1 Released
This is essentially just a bugfix release, but due to the fixes for link_to warnings, there is a good possibility the number of reported warnings...
Brakeman 1.2 Released
First Brakeman release of 2012!
2011
Brakeman 1.1 Released
This was supposed to be a 1.0.1 release, but quite a bit of code changed.
Brakeman 1.0 Released!
While the step up to 1.0 was essentially forced by major changes since 0.9.2, this is still an important release for Brakeman. Internally, Brakeman is...
Brakeman 1.0 Release Candidate Available
Because there have been some major changes since 0.9.2, I have released a release candidate just in case there are problems. Please try it out...
Brakeman 0.9.2 Released
Changes:
Brakeman 0.9.1 Released
A new vulnerability was disclosed yesterday in the Rails translate helper.
Brakeman 0.9.0 Released
Changes:
Brakeman 0.8.4 Released
Changes:
Brakeman 0.8.3 Released
Changes for 0.8.3:
Brakeman Plugin 'Officially' Available for Jenkins
While a Brakeman plugin for the Jenkins/Hudson continuous integration tool has been available since January, thanks to some prodding the plugin is now available through...
Brakeman 0.8.0 Released
Change list for Brakeman 0.8.0:
One Year Anniversary
One year ago, Brakeman 0.0.1 was released as a gem. Then it was promptly yanked and replaced with Brakeman 0.0.2.