presidentbeef edited this page Feb 10, 2012 · 19 revisions

Brakeman is a static analysis tool for finding security vulnerabilities in Rails applications. Point it at the root directory of your Rails application code and it will generate a report listing any potential vulnerabilities it has found.

Advantages

Unlike typical website vulnerability scanners, such as SkipFish, WebInspect, Burp Suite, etc., Brakeman scans your source code for vulnerabilities. This means security testing can begin at any stage of development. There is no need for deployment or setting up the full web stack. In fact, your code does not even need to be fully functional.

Because Brakeman does not rely on following links on your website, it can perform a more thorough scan of your application. It is also possible to find vulnerabilities before they are actually exploitable from the live website.

Brakeman can also check your Rails application for specific global settings or best practices.

Each check is performed independently, so it is possible to run only a specific check or a subset of all available checks. Adding checks is also fairly simple, depending on what information the check requires.
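As an added example (not part of this wiki page or the Brakeman project itself), the wrapper below shows how to run only a chosen subset of checks against an application root and write the findings to a report file, which fits naturally into a CI job. It assumes the brakeman gem is on the PATH and relies on these command-line options: `-p` (application path), `-t` (run only the listed checks), `-o` (report file, format chosen by extension), `-q` (quiet) and `-z` (exit non-zero when warnings are found); `brakeman --checks` prints the available check names.

```shell
#!/bin/sh
# Added example: run a subset of Brakeman checks against a Rails app.
# Assumes the brakeman gem is installed (gem install brakeman).

# Assemble the brakeman argument list for a restricted scan.
#   $1: Rails application root
#   $2: comma-separated check names, e.g. CheckSQL,CheckExecute
#   $3: report path (brakeman picks the format from the extension)
brakeman_args() {
  app_root="$1"
  checks="$2"
  report="$3"
  # -q   suppress progress output
  # -p   path to the application root
  # -t   run only the named checks
  # -o   write the report here
  # -z   exit non-zero if any warning is reported (useful in CI)
  printf '%s' "-q -p ${app_root} -t ${checks} -o ${report} -z"
}

# Run the scan; returns brakeman's exit status, or 127 if it is not installed.
run_subset_scan() {
  if ! command -v brakeman >/dev/null 2>&1; then
    echo "brakeman not found on PATH" >&2
    return 127
  fi
  # Word splitting of the assembled arguments is intentional here.
  # shellcheck disable=SC2046
  brakeman $(brakeman_args "$1" "$2" "$3")
}

# Usage (uncomment to run):
#   run_subset_scan /path/to/rails_app CheckSQL,CheckExecute brakeman-report.json
```

Because `-z` makes the exit status non-zero when warnings are found, the function's return value can gate a build step directly; drop `-z` if you only want the report without failing the job.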

More Information

The main Brakeman site has much more information about using Brakeman.

Check out these videos for a nice introduction.