Quickstart
Introduction
Brakeman is a command-line tool that analyzes the source code of Ruby on Rails applications to find potential security vulnerabilities.
Install Brakeman
Brakeman can be installed as a Ruby gem or via Docker.
Using Rubygems
gem install brakeman
Using Bundler
Add the following to your Gemfile or gems.rb:
gem "brakeman"
Then run
bundle install
Using Docker
To fetch the latest build of Brakeman:
docker pull presidentbeef/brakeman
Building from Source
You will need Git, Ruby, and RubyGems installed.
git clone https://github.com/presidentbeef/brakeman.git
cd brakeman
gem build brakeman.gemspec
gem install brakeman-*.gem
Run Brakeman
Brakeman is run as a command-line tool. The only information it needs to get started is the root directory of the Ruby on Rails application (the directory containing app/, config/, db, etc.) to scan.
Using Rubygems
Either specify the path to the root of your Ruby on Rails application:
brakeman path/to/your/app
Or run it from the root of your Ruby on Rails application:
cd path/to/your/app
brakeman
Using Docker
Either specify the path to the root of your Ruby on Rails application:
docker run -v "path/to/your/app":/code brakeman --color
Or run it from the root of your Ruby on Rails application:
cd path/to/your/app
docker run -v "$(pwd)":/code brakeman --color
The -v option is necessary because the Ruby on Rails application needs to be mounted inside the Docker container.
The --color option is not required, but it makes the default report a little prettier.
Reporting
The default report is text that looks like this:
To write the report out to a file, use -o:
brakeman -o report.text
To specify a different format, use -f:
brakeman -f html -o report
Or just use the extension of the report file:
brakeman -o report.html
The available report types are:
text(default)htmljson(recommended for automation)junit(JUnit XML)markdown(with GitHub support)table(old default)tabs(tab-separated, originally for the Jenkins plugin, deprecated)csv(deprecated)codeclimate(for use with the Code Climate engine)
Next Steps
Once Brakeman is running and producting reports, it’s time to start fixing those issues!
Remediation
Brakeman reports issues in order of “confidence”. You can think of this as a combination of “how likely is this to be a problem?” and “how big of a problem is it?”
Start with the “High” confidence issues and work your way down.
Take a look at our documentation about different warnings.
After fixing an issue, run Brakeman again. Sometimes one issue will mask a different one on the same line of code.
Keep in mind Brakeman can only guess at the meaning of your code. There is plenty of room for “false positives” - warnings reported that are not truly security issues. Please consult with your security team or ask if you are unsure about the meaning of a warning.
Take a look at our documentation for ignoring warnings, if necessary.
Automation
It is cumbersome to manually run Brakeman over and over.
Thankfully, Brakeman is designed to be run in an automated fashion.
The best output format to use with automation is JSON. Great care is taken to make sure the JSON format is stable.
brakeman -o report.json
Note you can output multiple formats at the same time:
brakeman -o report.json -o report.html
The exit codes for Brakeman can be helpful:
- 0 - Everything was fine, no errors or issues
- 1 - Unhandled exception raised
- 3 - Warnings were reported
- 4 - Path did not look like a Rails application, no scan run
- 5 - A newer version of Brakeman is available (when
--ensure-latestis used) - 6 - Non-existent checks were specified
- 7 - Recoverable errors encountered during scan
- 255 - Failure, non-recoverable error
Tools
You can run Brakeman with:
- Guard::Brakeman (runs on file save)
- The ALE plugin for VIM (runs on file save)
- Jenkins continuous integration tool
- Many Brakeman-as-a-Service providers
Documentation for setting up Brakeman in various CI tools: