
1.3. Static code analysis with Brakeman

Brakeman is a static code scanner for Ruby on Rails applications. It requires no configuration and can be run out of the box on the source of a Rails application. Because it performs static analysis, it does not need the application to be set up or running; it parses the source code and looks for common vulnerable patterns.
The Brakeman gem is signed, but some of its dependencies are not, so install it with the MediumSecurity trust policy, which verifies the signatures of signed gems and still allows unsigned ones:
$ gem install -P MediumSecurity brakeman
To scan an application, run brakeman and point it at the root directory of the Rails application:
$ brakeman -o report.html --path <path to rails app>
The output format is determined by the file extension of the output file or explicitly by the -f flag. Currently supported formats are html, json, tabs, csv and text.
Brakeman output contains warnings in the following format:
+------------+-------+--------+-------------------+-----------------------------------------+
| Confidence | Class | Method | Warning Type      | Message                                 |
+------------+-------+--------+-------------------+-----------------------------------------+
| High       | Foo   | bar    | Denial of Service | Symbol conversion from unsafe String .. |
+------------+-------+--------+-------------------+-----------------------------------------+
As a static code scanner, Brakeman does not observe the behaviour of the code at run time and lacks execution context (for example, it cannot tell that a code path is dead and never executed). Its output therefore usually contains false positives as well. Three confidence levels help developers spot likely false positives and prioritize their review of the output: High, Medium and Weak.
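As an added example (not part of this page and not Brakeman's own code), the following Ruby script triages a Brakeman JSON report by confidence level the way a CI job might: it keeps only warnings at or above a chosen level, lists them with the most certain first, and returns them so a wrapper can fail the build when anything remains. The report it ships with is a constructed sample; the field names (warning_type, check_name, confidence, file, line, message, code) are assumed to match the entries Brakeman writes with -f json, and the findings themselves are invented.

```ruby
require 'json'

# Brakeman's three confidence levels, most certain first.
CONFIDENCE_RANK = { 'High' => 0, 'Medium' => 1, 'Weak' => 2 }.freeze

# Constructed sample shaped like a Brakeman JSON report (brakeman -f json).
# The field names are assumed from Brakeman's JSON warning entries; the files,
# line numbers and findings are made up, not taken from a real scan.
SAMPLE_REPORT = <<~'JSON'
  {
    "warnings": [
      {"warning_type": "SQL Injection", "check_name": "SQL", "confidence": "High",
       "file": "app/models/foo.rb", "line": 12,
       "message": "Possible SQL injection",
       "code": "Foo.where(\"name = '#{params[:name]}'\")"},
      {"warning_type": "Denial of Service", "check_name": "SymbolDoS", "confidence": "Medium",
       "file": "app/controllers/foo_controller.rb", "line": 8,
       "message": "Symbol conversion from unsafe String",
       "code": "params[:sort].to_sym"},
      {"warning_type": "Mass Assignment", "check_name": "ModelAttributes", "confidence": "Weak",
       "file": "app/models/bar.rb", "line": 3,
       "message": "Potentially dangerous attribute available for mass assignment",
       "code": "attr_accessible :role"}
    ],
    "errors": []
  }
JSON

# Numeric rank of a warning; an unrecognised confidence value sorts last.
def rank(warning)
  CONFIDENCE_RANK.fetch(warning['confidence'], CONFIDENCE_RANK.size)
end

# Extract the warnings array from a JSON report string.
def parse_warnings(report_json)
  JSON.parse(report_json).fetch('warnings', [])
end

# Count warnings per confidence level, e.g. {"High"=>1, "Medium"=>1, "Weak"=>1}.
def summarize(warnings)
  counts = CONFIDENCE_RANK.keys.to_h { |level| [level, 0] }
  warnings.each { |w| counts[w['confidence']] = counts.fetch(w['confidence'], 0) + 1 }
  counts
end

# Keep only warnings at or above min_confidence, ordered most certain first,
# then by file and line so the list is stable between runs.
def warnings_at_least(warnings, min_confidence)
  threshold = CONFIDENCE_RANK.fetch(min_confidence)
  warnings.select { |w| rank(w) <= threshold }
          .sort_by { |w| [rank(w), w['file'], w['line'].to_i] }
end

# One human-readable entry per warning, with the flagged code underneath.
def format_warning(w)
  "[#{w['confidence']}] #{w['warning_type']} at #{w['file']}:#{w['line']}\n" \
  "    #{w['message']}\n    #{w['code']}"
end

# Print the warnings that still need a human look and return them, so a CI
# wrapper can fail the build when the returned list is not empty.
def triage(report_json, min_confidence: 'Medium')
  selected = warnings_at_least(parse_warnings(report_json), min_confidence)
  selected.each { |w| puts format_warning(w) }
  selected
end

if $PROGRAM_NAME == __FILE__
  report = ARGV.empty? ? SAMPLE_REPORT : File.read(ARGV.first)
  level = ENV.fetch('MIN_CONFIDENCE', 'Medium')
  remaining = triage(report, min_confidence: level)
  totals = summarize(parse_warnings(report)).map { |k, v| "#{k}: #{v}" }.join(', ')
  puts "#{remaining.size} warning(s) at #{level} confidence or higher (#{totals})"
  # In CI, fail the build on anything left: exit 1 unless remaining.empty?
end
```

Run it without arguments to see the constructed sample triaged, or pass the path of a report produced with `brakeman -f json -o report.json --path <path to rails app>`; the MIN_CONFIDENCE environment variable (a name chosen for this script) selects the cut-off. Weak warnings are excluded by default because they are the most likely false positives, but they should still be reviewed periodically rather than silently dropped.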