• Stars
    star
    6,729
  • Rank 5,875 (Top 0.2 %)
  • Language
    Ruby
  • License
    Other
  • Created about 14 years ago
  • Updated about 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A static analysis security vulnerability scanner for Ruby on Rails applications

Brakeman Logo

Build Status Test Coverage Gitter

Brakeman

Brakeman is a static analysis tool which checks Ruby on Rails applications for security vulnerabilities.

Installation

Using RubyGems:

gem install brakeman

Using Bundler:

group :development do
  gem 'brakeman'
end

Using Docker:

docker pull presidentbeef/brakeman

Using Docker to build from source:

git clone https://github.com/presidentbeef/brakeman.git
cd brakeman
docker build . -t brakeman

Usage

Running locally

From a Rails application's root directory:

brakeman

Outside of Rails root:

brakeman /path/to/rails/application

Running with Docker

From a Rails application's root directory:

docker run -v "$(pwd)":/code presidentbeef/brakeman

With a little nicer color:

docker run -v "$(pwd)":/code presidentbeef/brakeman --color

For an HTML report:

docker run -v "$(pwd)":/code presidentbeef/brakeman -o brakeman_results.html

Outside of Rails root (note that the output file is relative to path/to/rails/application):

docker run -v 'path/to/rails/application':/code presidentbeef/brakeman -o brakeman_results.html

Compatibility

Brakeman should work with any version of Rails from 2.3.x to 7.x.

Brakeman can analyze code written with Ruby 2.0 syntax and newer, but requires at least Ruby 3.0.0 to run.

Basic Options

For a full list of options, use brakeman --help or see the OPTIONS.md file.

To specify an output file for the results:

brakeman -o output_file

The output format is determined by the file extension or by using the -f option. Current options are: text, html, tabs, json, junit, markdown, csv, codeclimate, and sonar.

Multiple output files can be specified:

brakeman -o output.html -o output.json

To output to both a file and to the console, with color:

brakeman --color -o /dev/stdout -o output.json

To suppress informational warnings and just output the report:

brakeman -q

Note all Brakeman output except reports are sent to stderr, making it simple to redirect stdout to a file and just get the report.

To see all kinds of debugging information:

brakeman -d

Specific checks can be skipped, if desired. The name needs to be the correct case. For example, to skip looking for default routes (DefaultRoutes):

brakeman -x DefaultRoutes

Multiple checks should be separated by a comma:

brakeman -x DefaultRoutes,Redirect

To do the opposite and only run a certain set of tests:

brakeman -t SQL,ValidationRegex

If Brakeman is running a bit slow, try

brakeman --faster

This will disable some features, but will probably be much faster (currently it is the same as --skip-libs --no-branching). WARNING: This may cause Brakeman to miss some vulnerabilities.

By default, Brakeman will return a non-zero exit code if any security warnings are found or scanning errors are encountered. To disable this:

brakeman --no-exit-on-warn --no-exit-on-error

To skip certain files or directories that Brakeman may have trouble parsing, use:

brakeman --skip-files file1,/path1/,path2/

To compare results of a scan with a previous scan, use the JSON output option and then:

brakeman --compare old_report.json

This will output JSON with two lists: one of fixed warnings and one of new warnings.

Brakeman will ignore warnings if configured to do so. By default, it looks for a configuration file in config/brakeman.ignore. To create and manage this file, use:

brakeman -I

Warning information

See warning_types for more information on the warnings reported by this tool.

Warning context

The HTML output format provides an excerpt from the original application source where a warning was triggered. Due to the processing done while looking for vulnerabilities, the source may not resemble the reported warning and reported line numbers may be slightly off. However, the context still provides a quick look into the code which raised the warning.

Confidence levels

Brakeman assigns a confidence level to each warning. This provides a rough estimate of how certain the tool is that a given warning is actually a problem. Naturally, these ratings should not be taken as absolute truth.

There are three levels of confidence:

  • High - Either this is a simple warning (boolean value) or user input is very likely being used in unsafe ways.
  • Medium - This generally indicates an unsafe use of a variable, but the variable may or may not be user input.
  • Weak - Typically means user input was indirectly used in a potentially unsafe manner.

To only get warnings above a given confidence level:

brakeman -w3

The -w switch takes a number from 1 to 3, with 1 being low (all warnings) and 3 being high (only highest confidence warnings).

Configuration files

Brakeman options can be stored and read from YAML files.

To simplify the process of writing a configuration file, the -C option will output the currently set options:

$ brakeman -C --skip-files plugins/
---
:skip_files:
- plugins/

Options passed in on the commandline have priority over configuration files.

The default config locations are ./config/brakeman.yml, ~/.brakeman/config.yml, and /etc/brakeman/config.yml

The -c option can be used to specify a configuration file to use.

Continuous Integration

There is a plugin available for Jenkins/Hudson.

For even more continuous testing, try the Guard plugin.

There are a couple GitHub Actions available.

Building

git clone git://github.com/presidentbeef/brakeman.git
cd brakeman
gem build brakeman.gemspec
gem install brakeman*.gem

Who is Using Brakeman?

..and more!

Homepage/News

Website: http://brakemanscanner.org/

Twitter: https://twitter.com/brakeman

Chat: https://gitter.im/presidentbeef/brakeman

License

Brakeman is free for non-commercial use.

See COPYING for details.

More Repositories

1

inject-some-sql

Have fun injecting SQL into a Ruby on Rails application!
Ruby
244
star
2

brat

Brat is a little language for people who don't like to be told what to do.
C
88
star
3

github-auto-locker

Automatically lock old, closed GitHub issues
Ruby
29
star
4

kams

Kams is a Ruby MUD server which can be used to create and run online text-based worlds.
Ruby
16
star
5

the_little_streamer

A little Sinatra application to stream your music
Ruby
14
star
6

dumb-numb-set

A dumb set for positive integers
Ruby
8
star
7

brakeman-site

Website for Brakeman
JavaScript
6
star
8

ffi-gdbm

gdbm library using Ruby-FFI, particularly for JRuby
Ruby
6
star
9

brakeman-jenkins-plugin

A Brakeman plugin for the Hudson/Jenkins continuous integration tool
Java
6
star
10

fll-site

Source for the Fledgling Languages List
HTML
5
star
11

worst-forums-ever

Demo code for showing web vulnerabilities
Ruby
4
star
12

neko_tutorial

A tutorial for using the Neko programming language
3
star
13

dino_jump

Jumping dino game for small humans
Ruby
3
star
14

brat-gtk

Brat library to use gtk-server
Lua
2
star
15

twitter-journal

Use Twitter as a journal frontend
Ruby
2
star
16

done_log

Dumb daily log keeping
Ruby
2
star
17

devseccon

Ruby
2
star
18

personal-site

CSS
2
star
19

breakman

Did you mean "brakeman"?
Ruby
2
star
20

ruby2brat

Convert Ruby source into Brat
Ruby
2
star
21

rails-security-history

History of security in the Ruby on Rails web framework
Ruby
2
star
22

melon

Application communication paradigm for MANETs (PhD project)
Ruby
2
star
23

brat-doc

Simple documentation generation for Brat
2
star
24

jruby-realpath-error

Ruby
1
star
25

resume

My resume
1
star
26

bratpack

Silly web framework for Brat
1
star
27

my_ocean

Some scripts for managing Digital Ocean droplets
Ruby
1
star
28

sqwee

[OLD AND BUSTED] Sqwee was a simple, single-user, wiki-like web "engine" for quickly creating and editing webpages.
C
1
star
29

github-reminder

Automatic reminders about GitHub issues that need attention
Ruby
1
star
30

not-galaga

LΓ–VE Galaga-type clone
Lua
1
star
31

presidentbeef.github.com

Blog
HTML
1
star
32

advent_of_code_2019

Advent of Code 2019 - Pony
Pony
1
star
33

vim-color

Take care of outputting syntax highlighting from Vim
Ruby
1
star
34

try-brat

A little place to try Brat online
CSS
1
star
35

arduino_stuff

Place to keep my sketches
Arduino
1
star
36

ruby_crypto_examples

Examples of cryptography operations using Ruby's standard library.
Ruby
1
star