Ruby on Rails Static Analysis Security Tool

Contributing to Brakeman

The simplest way to contribute to the improvement of Brakeman is to run it against your own applications and then report any issues here.

Suggestions are welcome, too!

Testing on Different Platforms

Brakeman should work on most platforms without a problem. It is typically tested against MRI 1.8.7 and 1.9.3, so any problems outside those two should definitely be reported.

Contributing Features

New feature implementations should be submitted as a pull request on GitHub.

Contributing Documentation

Documentation patches can be submitted as pull requests to the brakeman-site repository.

False Negatives and False Positives

If you have code that raises warnings when it shouldn’t, or does not raise warnings when it should, please consider reporting them with code which reproduces the problem.

See here for how to add tests to demonstrate these issues.

Creating New Checks

Each check that Brakeman runs is a separate class contained in lib/brakeman/checks/check_*.rb. Some of these are very simple. For example, see the StripTags check.

New checks can be added simply by writing a new check and placing it in that directory. For best results, subclass from BaseCheck and follow the naming convention of starting the class name with Check.

Reporting Success

If you are happily using Brakeman, consider sending a tweet to @Brakeman.