gitmyhub

brakeman

Ruby ★ 7.2k updated 6d ago

A static analysis security vulnerability scanner for Ruby on Rails applications

A static security scanner for Ruby on Rails apps that checks your code for common vulnerabilities without running the app, producing reports in plain text, HTML, JSON, CSV, and Markdown.

Tags: Ruby, Ruby on Rails, Docker, YAML. Setup: easy. Complexity: 2/5

Brakeman is a security scanning tool for Ruby on Rails applications. Ruby on Rails is a popular web framework used to build web apps quickly, and Brakeman checks the code in a Rails project for common security problems (SQL injection, cross-site scripting, mass assignment, unsafe redirects and the like) without running the app. This kind of checking is called static analysis because it reads the code rather than executing it. Two practical consequences follow: Brakeman only understands Rails projects, not arbitrary Ruby code, and because it reasons about source patterns rather than observed behaviour, its findings are leads that need a human to confirm, not proof of an exploitable bug.

Running Brakeman is straightforward: install it once (`gem install brakeman`), then point it at a Rails project folder (`brakeman /path/to/app`) and it scans the code and produces a report. Reports can be saved in many formats including plain text, HTML, JSON, CSV, and Markdown; the format is inferred from the file extension given to `-o`, or set explicitly with `-f`. Passing `-o` more than once generates multiple output files in one run (for example an HTML report for people and a JSON report for tooling), and the tool can be run from the `presidentbeef/brakeman` Docker image with the project directory mounted at `/code` if no local installation is preferred.

Each warning Brakeman produces comes with a confidence level: High means the problem is very likely real, either because user input clearly reaches a dangerous sink or because the warning is a simple structural one such as missing CSRF protection; Medium means a variable is used in a potentially unsafe way but it is unclear whether user input can reach it; and Weak means user input is involved only indirectly. Developers can filter warnings by confidence level with `-w` (`-w3` reports only High, `-w2` High and Medium, `-w1` everything) to focus on the most certain problems first. Specific checks can also be skipped with `-x` or run on their own with `-t`, which is useful when a particular warning type does not apply to a project. Individual findings that have been reviewed and judged to be false positives are better handled through the `config/brakeman.ignore` file (managed interactively with `-I`) than by disabling a whole check, so the check keeps running for new code.

Brakeman can compare a current scan against a previous JSON report (`--compare previous.json`) to show which warnings are new and which have been fixed; warnings are matched by their fingerprint, so a finding that merely moved to a different line is not reported as new. It reads configuration from YAML files (`-c config.yml`, or `config/brakeman.yml` in the project by default) so teams can store their preferred settings in version control. Integration with continuous integration systems is supported through a Jenkins plugin, a Guard plugin for automated re-scanning on file changes, and several GitHub Actions available in the marketplace. When wiring it into CI, note that Brakeman exits with a non-zero status whenever it reports warnings (disable this with `--no-exit-on-warn` if the pipeline gates on the comparison output instead).

Notable organizations that use Brakeman include GitHub, Twitter, New Relic, Groupon, and Code Climate. The tool is free for non-commercial use. It supports Rails versions from 2.3 through 8.x and requires at least Ruby 3.2 to run.

Where it fits