Brakeman is a static analysis tool for finding security vulnerabilities in Rails applications. Point it at the root directory of your Rails application code and it will generate a report listing any potential vulnerabilities it has found.
Unlike typical website vulnerability scanners such as SkipFish, WebInspect, and Burp Suite, Brakeman scans your source code for vulnerabilities. This means security testing can begin at any stage of development. There is no need for deployment or setting up the full web stack. In fact, your code does not even need to be fully functional.
Because Brakeman does not rely on following links on your website, it can perform a more thorough scan of your application. It can also find vulnerabilities before they are actually exploitable from the live website.
Brakeman can also check your Rails application for specific global settings or best practices.
Each check is performed independently, so it is possible to run only a specific check or a subset of all available checks. Adding checks is also fairly simple, depending on what information the check requires.
Are you using Brakeman? Want to know who is? Check out this page to view or add your company to the list of those who have adopted Brakeman.
Brakeman as a Service
We also have a list of "Brakeman as a Service" providers.
List of tools with Brakeman integration or plugins.
Please report any problems you have when using Brakeman!
For more information about reporting an issue with Brakeman or submitting a pull request, please read this page.
See the Roadmap for planned features/fixes.
The main Brakeman site has much more information about using Brakeman.
Check out these videos for a nice introduction.