

Justin edited this page Jun 5, 2017 · 63 revisions

This is a tentative roadmap/TODO list for Brakeman. Note that these are deadline versions, not necessarily the version the feature/fix will appear in. Items in italics have been merged into master.




Bug fixes/CVEs only!


Bug fixes/CVEs only!


  • Standardize default config file location
  • Relative paths by default for JSON
  • Remove timestamp from JSON output
  • Combine YAML/Marshal/CSV load checks into single check
  • Change "Cross-Site Request Forgery" to "Cross Site Request Forgery"
  • Normalize SQL CVE warning messages to be less verbose
  • Normalize warning messages in general
  • Move test/tests/test_* to test/tests/*
  • Bump confidence on mass assignment with attr_protected to medium
  • Fix false positive reports of Model#id and to_json


  • Allow --compare and -o/-f together for nicer diff reports
  • Split into two packages, brakeman + brakeman-min
  • Add Tracker#warnings instead of Tracker#checks.all_warnings
  • Fix how mixin methods are handled - need to be duped


  • Scan all versions in Gemfile.lock instead of special cases


  • CVEs only


  • Bugfixes/Internal improvements only


  • Reorganize CVE checks
  • Support before_action for Rails 4
  • Support latest RailsLTS


  • False positive configuration
  • Get rid of Tracker#check_initializers and FindCall
  • Scan helpers and make them available in views for inter-procedural analysis


  • Add libs to call index
  • Add ability to have optional checks not enabled by default
  • Make --separate-models the default
  • In BaseCheck, only set @has_user_input once (i.e. ||=) to match first not last (maybe)
  • Make CheckSymbolDoS an optional check
  • Find a way to update ruby_parser and offset wrong line numbers
  • Do not format local variables as "local var"
  • Add warnings for rendering text, inline
  • File disclosure CVEs check


  • Refactor XSS checks to have easier shared code


  • Switch to -f plain for default report
  • Something like --report-direct by default?
  • -z by default

Some Day

  • Add remediation steps to warnings when created
  • Add number_with_delimiter, etc., to known bad, but have to check for :raise => true
  • Better highlighting of user input in HTML output
  • Add rel="noreferrer" to HTML report links
  • Prettier HTML output
  • Rescue divide by zero errors (and turn into warnings...?)