How to use Brakeman to check your Rails application for vulnerabilities

May 09, 2020

Brakeman is a static analysis tool that checks for vulnerabilities in Rails applications.

Install Brakeman

Gemfile
group :development do
  gem 'brakeman', require: false
end

Then install the gem:

bundle install

※ To use with docker, see here.

How to use

Execute the following command in the root directory of the project. The results will be printed to standard output.

bundle exec brakeman

You can also use the -o option to output the results to a file.

bundle exec brakeman -o output.html
open ./output.html

To skip specific directories or files, pass them as a comma-separated list:

bundle exec brakeman --skip-files file1,/path1/,path2/

The -I option walks you through the reported warnings interactively and records the ones you choose to ignore in an ignore file (config/brakeman.ignore by default).

bundle exec brakeman -I

Working with overcommit

By hooking Brakeman into overcommit, you can make sure you never forget to run the check. If you haven't installed overcommit yet, see "How to install Git Hooks (overcommit) so that you don't forget to run rubocop" for the installation steps.

Add the following setting to .overcommit.yml. This will prevent you from committing if there is a warning in Brakeman.

.overcommit.yml
PreCommit:
  Brakeman:
    enabled: true
    description: 'Check for security vulnerabilities'
    command: ['bundle', 'exec', 'brakeman']
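As an added example (not part of the original post, and not Brakeman's or overcommit's own code), here is a small Ruby script that reads the JSON report Brakeman produces with "bundle exec brakeman -f json -o brakeman.json" and turns it into a pass/fail decision with a confidence threshold. It fits both sections above: you can run it after a manual scan to get a file:line summary, or point the overcommit command at it instead of calling brakeman directly so that only Medium or High confidence findings block a commit. The report embedded below is constructed for this example; its field names follow Brakeman's JSON format.

```ruby
# Gate a commit or CI step on a Brakeman JSON report.
# Added example, not Brakeman's own code. The sample report at the bottom is constructed.
require 'json'

# Brakeman reports each warning with a confidence of High, Medium or Weak.
CONFIDENCE_RANK = { 'High' => 3, 'Medium' => 2, 'Weak' => 1 }.freeze

# Number of warnings per confidence level, e.g. {"High"=>1, "Weak"=>1}.
def count_by_confidence(report)
  report.fetch('warnings', []).each_with_object(Hash.new(0)) do |w, counts|
    counts[w['confidence']] += 1
  end
end

# Warnings whose confidence is at or above min_confidence.
def blocking_warnings(report, min_confidence: 'Medium')
  threshold = CONFIDENCE_RANK.fetch(min_confidence)
  report.fetch('warnings', []).select do |w|
    CONFIDENCE_RANK.fetch(w['confidence'], 0) >= threshold
  end
end

# file:line style line that editors and CI logs can link to.
def format_warning(w)
  "#{w['file']}:#{w['line']} [#{w['confidence']}] #{w['warning_type']} - #{w['message']}"
end

# Exit status for a git hook or CI job: 0 lets the commit through, 1 blocks it.
def exit_status(report, min_confidence: 'Medium')
  blocking_warnings(report, min_confidence: min_confidence).empty? ? 0 : 1
end

# Constructed sample in the shape of a Brakeman JSON report.
SAMPLE_REPORT = <<~JSON
  {
    "warnings": [
      {"warning_type": "SQL Injection", "confidence": "High",
       "file": "app/models/user.rb", "line": 12,
       "message": "Possible SQL injection", "fingerprint": "constructed-1"},
      {"warning_type": "Cross-Site Scripting", "confidence": "Weak",
       "file": "app/views/users/show.html.erb", "line": 4,
       "message": "Unescaped model attribute", "fingerprint": "constructed-2"}
    ],
    "ignored_warnings": [],
    "errors": []
  }
JSON

if $PROGRAM_NAME == __FILE__
  if ARGV[0]
    # Real use: ruby brakeman_gate.rb brakeman.json
    report = JSON.parse(File.read(ARGV[0]))
    blocking_warnings(report).each { |w| warn format_warning(w) }
    puts "warnings by confidence: #{count_by_confidence(report)}"
    exit exit_status(report)
  else
    # No path given: show what the gate would do with the constructed sample.
    report = JSON.parse(SAMPLE_REPORT)
    blocking_warnings(report).each { |w| puts format_warning(w) }
    puts "warnings by confidence: #{count_by_confidence(report)}"
    puts "exit status would be #{exit_status(report)}"
  end
end
```

To use it with overcommit, generate the report first and then run the gate, for example command: ['sh', '-c', 'bundle exec brakeman -q -f json -o brakeman.json; ruby script/brakeman_gate.rb brakeman.json'] (the script path is an assumption). Note that Brakeman already exits non-zero when it finds any warning; the point of the wrapper is to choose which confidence levels are allowed to stop a commit while still printing the weaker ones for review.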