This repository has been archived by the owner on Mar 29, 2019. It is now read-only.
Justin edited this page Apr 19, 2015 · 19 revisions

Brakeman is a static analysis tool for finding security vulnerabilities in Rails applications. Point it at the root directory of your Rails application code and it will generate a report listing any potential vulnerabilities it has found.

Advantages

Unlike typical website vulnerability scanners, such as SkipFish, WebInspect, Burp Suite, etc., Brakeman scans your source code for vulnerabilities. This means security testing can begin at any stage of development: there is no need for a deployment or for setting up the full web stack. In fact, your code does not even need to be fully functional.

Because Brakeman does not rely on following links on your website, it can perform a more thorough scan of your application. It also makes it possible to find vulnerabilities before they are actually exploitable from the live website.

Brakeman can also check your Rails application for specific global settings or best practices.

Each check is performed independently, so it is possible to run only a specific check or a subset of all available checks. Adding checks is also fairly simple, depending on what information the check requires.

Brakeman Users

Are you using Brakeman? Want to know who is? Check out this page to view or add your company to the list of those who have adopted Brakeman.

Brakeman as a Service

We also have a list of "Brakeman as a Service" providers.

Tools

List of tools with Brakeman integration or plugins.

Reporting Problems

Please report any problems you have when using Brakeman!

For more information about reporting an issue with Brakeman or submitting a pull request, please read this page.

Future Brakeman

See the Roadmap for planned features/fixes.

More Information

The main Brakeman site has much more information about using Brakeman.

Check out these videos for a nice introduction.