Convert Figma logo to code with AI

presidentbeef logobrakeman

A static analysis security vulnerability scanner for Ruby on Rails applications

7,002
729
7,002
103
View on GitHub

Top Related Projects

rubocop's avatar

rubocop

12,626

A Ruby static code analyzer and formatter, based on the community Ruby style guide.

ankane's avatar

pghero

8,234

A performance dashboard for Postgres

thoughtbot's avatar

guides

9,468

A guide for programming in style.

Quick Overview

Brakeman is an open-source static analysis security vulnerability scanner for Ruby on Rails applications. It examines application code to detect potential security issues and provides detailed reports to help developers identify and fix vulnerabilities before they can be exploited.

Pros

  • Automated security scanning, reducing manual effort and human error
  • Integrates easily with CI/CD pipelines for continuous security checks
  • Provides detailed reports with explanations and remediation suggestions
  • Regularly updated to cover new security vulnerabilities and Rails features

Cons

  • May produce false positives, requiring manual verification
  • Limited to Ruby on Rails applications only
  • Can be resource-intensive for large codebases
  • Requires some expertise to interpret and act on complex findings

Code Examples

  1. Basic usage:
require 'brakeman'

tracker = Brakeman.run("./my_rails_app")
puts tracker.report.to_s

This code runs Brakeman on a Rails application and prints the report.

  1. Customizing the scan:
Brakeman.run(
  app_path: "./my_rails_app",
  ignore_file: "config/brakeman.ignore",
  output_files: ["brakeman_report.html", "brakeman_report.json"],
  quiet: true
)

This example demonstrates how to customize the scan with an ignore file, multiple output formats, and quiet mode.

  1. Programmatically accessing results:
tracker = Brakeman.run("./my_rails_app")
warnings = tracker.warnings
critical_warnings = warnings.select { |w| w.confidence == 0 }
puts "Found #{critical_warnings.length} critical warnings"

This code shows how to access and filter scan results programmatically.

Getting Started

To use Brakeman in your Ruby on Rails project:

  1. Install Brakeman:

    gem install brakeman

  2. Run Brakeman in your Rails application directory:

    brakeman

  3. Review the generated report and address any identified vulnerabilities.

  4. Optionally, add Brakeman to your CI/CD pipeline or use it as part of your development workflow.

Competitor Comparisons

rubocop logo

rubocop

12,626

A Ruby static code analyzer and formatter, based on the community Ruby style guide.

Pros of RuboCop

  • Broader scope: Covers style, performance, and best practices
  • Highly customizable with extensive configuration options
  • Actively maintained with frequent updates and new features

Cons of RuboCop

  • Can be slower to run, especially on large codebases
  • May produce more false positives due to its broader focus
  • Steeper learning curve for configuration and customization

Code Comparison

Brakeman (security-focused):

def vulnerable_method(user_input)
  eval(user_input)  # Brakeman will flag this as a security risk
end

RuboCop (style and best practices):

def poorly_formatted_method ( x,y )
  x+y  # RuboCop will flag spacing and naming issues
end

Summary

Brakeman is a specialized security scanner for Ruby on Rails applications, focusing on identifying potential vulnerabilities. RuboCop, on the other hand, is a more comprehensive static code analyzer and formatter that covers a wide range of style, performance, and best practice issues in Ruby code. While Brakeman excels in security analysis, RuboCop offers broader code quality improvements but may require more setup and configuration.

ankane logo

pghero

8,234

A performance dashboard for Postgres

Pros of PgHero

  • Focuses on PostgreSQL performance monitoring and optimization
  • Provides a user-friendly web interface for database insights
  • Offers real-time query analysis and performance recommendations

Cons of PgHero

  • Limited to PostgreSQL databases, unlike Brakeman's broader security focus
  • Requires integration into the application, while Brakeman can be run independently
  • May have a steeper learning curve for non-database experts

Code Comparison

PgHero (database query analysis):

PgHero.long_running_queries
PgHero.index_usage
PgHero.suggested_indexes

Brakeman (security analysis):

Brakeman.run app_path: ".", output_files: ["brakeman.html"]
Brakeman.run :rails3 => true, :output_format => :pdf, :output_file => "report.pdf"

While both tools aim to improve application performance and reliability, they serve different purposes. PgHero focuses on database optimization, providing specific PostgreSQL insights and recommendations. Brakeman, on the other hand, is a security scanner for Ruby on Rails applications, identifying potential vulnerabilities in the codebase. The code examples highlight these differences, with PgHero offering database-specific methods and Brakeman providing security scan configurations.

thoughtbot logo

guides

9,468

A guide for programming in style.

Pros of guides

  • Comprehensive set of best practices and style guides for multiple languages and tools
  • Regularly updated with community input and industry trends
  • Applicable to a wide range of projects and development scenarios

Cons of guides

  • Not an automated tool; requires manual implementation and adherence
  • May not catch specific security vulnerabilities in code
  • Less focused on Ruby on Rails compared to Brakeman

Code comparison

While a direct code comparison isn't relevant due to the different nature of these projects, we can compare how they approach Ruby on Rails best practices:

guides (Ruby on Rails section):

# Use Time.zone.now instead of Time.now
Time.zone.now

# Prefer .find_by over .where(...).first
User.find_by(email: 'user@example.com')

Brakeman (example check):

def check_sql_injection(call)
  method = call.method
  args = call.args

  if sql_injection_check(method, args)
    warn :warning_type => "SQL Injection",
         :warning_code => SQL_INJECTION_WARNING_CODE,
         :message => "Possible SQL injection",
         :confidence => CONFIDENCE[:high],
         :file => call.file,
         :line => call.line
  end
end

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

Brakeman Logo

Build Status Test Coverage

Brakeman

Brakeman is a static analysis tool which checks Ruby on Rails applications for security vulnerabilities.

Installation

Using RubyGems:

gem install brakeman

Using Bundler:

group :development do
  gem 'brakeman', require: false
end

Using Docker:

docker pull presidentbeef/brakeman

Using Docker to build from source:

git clone https://github.com/presidentbeef/brakeman.git
cd brakeman
docker build . -t brakeman

Usage

Running locally

From a Rails application's root directory:

brakeman

Outside of Rails root:

brakeman /path/to/rails/application

Running with Docker

From a Rails application's root directory:

docker run -v "$(pwd)":/code presidentbeef/brakeman

With a little nicer color:

docker run -v "$(pwd)":/code presidentbeef/brakeman --color

For an HTML report:

docker run -v "$(pwd)":/code presidentbeef/brakeman -o brakeman_results.html

Outside of Rails root (note that the output file is relative to path/to/rails/application):

docker run -v 'path/to/rails/application':/code presidentbeef/brakeman -o brakeman_results.html

Compatibility

Brakeman should work with any version of Rails from 2.3.x to 7.x.

Brakeman can analyze code written with Ruby 2.0 syntax and newer, but requires at least Ruby 3.0.0 to run.

Basic Options

For a full list of options, use brakeman --help or see the OPTIONS.md file.

To specify an output file for the results:

brakeman -o output_file

The output format is determined by the file extension or by using the -f option. Current options are: text, html, tabs, json, junit, markdown, csv, codeclimate, and sonar.

Multiple output files can be specified:

brakeman -o output.html -o output.json

To output to both a file and to the console, with color:

brakeman --color -o /dev/stdout -o output.json

To suppress informational warnings and just output the report:

brakeman -q

Note all Brakeman output except reports are sent to stderr, making it simple to redirect stdout to a file and just get the report.

To see all kinds of debugging information:

brakeman -d

Specific checks can be skipped, if desired. The name needs to be the correct case. For example, to skip looking for default routes (DefaultRoutes):

brakeman -x DefaultRoutes

Multiple checks should be separated by a comma:

brakeman -x DefaultRoutes,Redirect

To do the opposite and only run a certain set of tests:

brakeman -t SQL,ValidationRegex

If Brakeman is running a bit slow, try

brakeman --faster

This will disable some features, but will probably be much faster (currently it is the same as --skip-libs --no-branching). WARNING: This may cause Brakeman to miss some vulnerabilities.

By default, Brakeman will return a non-zero exit code if any security warnings are found or scanning errors are encountered. To disable this:

brakeman --no-exit-on-warn --no-exit-on-error

To skip certain files or directories that Brakeman may have trouble parsing, use:

brakeman --skip-files file1,/path1/,path2/

To compare results of a scan with a previous scan, use the JSON output option and then:

brakeman --compare old_report.json

This will output JSON with two lists: one of fixed warnings and one of new warnings.

Brakeman will ignore warnings if configured to do so. By default, it looks for a configuration file in config/brakeman.ignore. To create and manage this file, use:

brakeman -I

If you want to temporarily see the warnings you ignored without affecting the exit code, use:

brakeman --show-ignored

Warning information

See warning_types for more information on the warnings reported by this tool.

Warning context

The HTML output format provides an excerpt from the original application source where a warning was triggered. Due to the processing done while looking for vulnerabilities, the source may not resemble the reported warning and reported line numbers may be slightly off. However, the context still provides a quick look into the code which raised the warning.

Confidence levels

Brakeman assigns a confidence level to each warning. This provides a rough estimate of how certain the tool is that a given warning is actually a problem. Naturally, these ratings should not be taken as absolute truth.

There are three levels of confidence:

  • High - Either this is a simple warning (boolean value) or user input is very likely being used in unsafe ways.
  • Medium - This generally indicates an unsafe use of a variable, but the variable may or may not be user input.
  • Weak - Typically means user input was indirectly used in a potentially unsafe manner.

To only get warnings above a given confidence level:

brakeman -w3

The -w switch takes a number from 1 to 3, with 1 being low (all warnings) and 3 being high (only highest confidence warnings).

Configuration files

Brakeman options can be stored and read from YAML files.

To simplify the process of writing a configuration file, the -C option will output the currently set options:

$ brakeman -C --skip-files plugins/
---
:skip_files:
- plugins/

Options passed in on the commandline have priority over configuration files.

The default config locations are ./config/brakeman.yml, ~/.brakeman/config.yml, and /etc/brakeman/config.yml

The -c option can be used to specify a configuration file to use.

Continuous Integration

There is a plugin available for Jenkins/Hudson.

For even more continuous testing, try the Guard plugin.

There are a couple GitHub Actions available.

Building

git clone git://github.com/presidentbeef/brakeman.git
cd brakeman
gem build brakeman.gemspec
gem install brakeman*.gem

Who is Using Brakeman?

..and more!

Homepage/News

Website: http://brakemanscanner.org/

Twitter: https://twitter.com/brakeman

Chat: https://gitter.im/presidentbeef/brakeman

License

Brakeman is free for non-commercial use.

See COPYING for details.