A static analysis security vulnerability scanner for Ruby on Rails applications


Brakeman is a static analysis tool which checks Ruby on Rails applications for security vulnerabilities.


Using RubyGems:

gem install brakeman

Using Bundler:

group :development do
  gem 'brakeman'
end

Using Docker:

docker pull presidentbeef/brakeman

Using Docker to build from source:

git clone git://github.com/presidentbeef/brakeman.git
cd brakeman
docker build . -t brakeman


Running locally

From a Rails application's root directory:

brakeman

Outside of Rails root:

brakeman /path/to/rails/application

Running with Docker

From a Rails application's root directory:

docker run -v "$(pwd)":/code brakeman

With a little nicer color:

docker run -v "$(pwd)":/code brakeman --color

For an HTML report:

docker run -v "$(pwd)":/code brakeman -o brakeman_results.html

Outside of Rails root (note that the output file is relative to path/to/rails/application):

docker run -v 'path/to/rails/application':/code brakeman -o brakeman_results.html


Brakeman should work with any version of Rails from 2.3.x to 5.x.

Brakeman can analyze code written with Ruby 1.8 syntax and newer, but requires at least Ruby 1.9.3 to run.

Basic Options

For a full list of options, use brakeman --help or see the OPTIONS.md file.

To specify an output file for the results:

brakeman -o output_file

The output format is determined by the file extension or by using the -f option. Current options are: text, html, tabs, json, markdown, csv, and codeclimate.

Multiple output files can be specified:

brakeman -o output.html -o output.json

To suppress informational warnings and just output the report:

brakeman -q

Note that all Brakeman output except reports is sent to stderr, so redirecting stdout to a file yields just the report.

To see all kinds of debugging information:

brakeman -d

Specific checks can be skipped, if desired. The name needs to be the correct case. For example, to skip looking for default routes (DefaultRoutes):

brakeman -x DefaultRoutes

Multiple checks should be separated by a comma:

brakeman -x DefaultRoutes,Redirect

To do the opposite and only run a certain set of tests:

brakeman -t SQL,ValidationRegex

If Brakeman is running a bit slow, try

brakeman --faster

This will disable some features, but will probably be much faster (currently it is the same as --skip-libs --no-branching). WARNING: This may cause Brakeman to miss some vulnerabilities.

By default, Brakeman will return a non-zero exit code if any security warnings are found or scanning errors are encountered. To disable this:

brakeman --no-exit-on-warn --no-exit-on-error

To skip certain files or directories that Brakeman may have trouble parsing, use:

brakeman --skip-files file1,/path1/,path2/

To compare results of a scan with a previous scan, use the JSON output option and then:

brakeman --compare old_report.json

This will output JSON with two lists: one of fixed warnings and one of new warnings.

Brakeman will ignore warnings if configured to do so. By default, it looks for a configuration file in config/brakeman.ignore. To create and manage this file, use:

brakeman -I

Warning information

See warning_types for more information on the warnings reported by this tool.

Warning context

The HTML output format provides an excerpt from the original application source where a warning was triggered. Due to the processing done while looking for vulnerabilities, the source may not resemble the reported warning and reported line numbers may be slightly off. However, the context still provides a quick look into the code which raised the warning.

Confidence levels

Brakeman assigns a confidence level to each warning. This provides a rough estimate of how certain the tool is that a given warning is actually a problem. Naturally, these ratings should not be taken as absolute truth.

There are three levels of confidence:

  • High - Either this is a simple warning (boolean value) or user input is very likely being used in unsafe ways.
  • Medium - This generally indicates an unsafe use of a variable, but the variable may or may not be user input.
  • Weak - Typically means user input was indirectly used in a potentially unsafe manner.

To only get warnings above a given confidence level:

brakeman -w3

The -w switch takes a number from 1 to 3, with 1 being low (all warnings) and 3 being high (only highest confidence warnings).
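The following script is an added example, not part of Brakeman or this README. It ties together the --compare output described above (a JSON document with a list of fixed warnings and a list of new warnings) and the confidence levels (Weak, Medium, High, matching the 1 to 3 scale of the -w switch) into a small CI gate: new warnings at or above a chosen confidence level cause a non-zero exit code, while fixed warnings are only reported. The sample report is constructed inline; the key names "new", "fixed", "warning_type", "confidence", "file", "line" and "message" are assumed to match Brakeman's JSON report and should be checked against a real report from your Brakeman version.

```ruby
require 'json'

# Constructed sample of `brakeman --compare old_report.json` output (not from a real scan).
# Key names are assumed to match Brakeman's JSON format; verify against a real report.
SAMPLE_COMPARE_JSON = <<~REPORT
{
  "new": [
    {"warning_type": "SQL Injection", "confidence": "High",
     "file": "app/controllers/users_controller.rb", "line": 12,
     "message": "Possible SQL injection"},
    {"warning_type": "Redirect", "confidence": "Weak",
     "file": "app/controllers/sessions_controller.rb", "line": 30,
     "message": "Possible unprotected redirect"}
  ],
  "fixed": [
    {"warning_type": "Mass Assignment", "confidence": "Medium",
     "file": "app/models/user.rb", "line": 5,
     "message": "Unprotected mass assignment"}
  ]
}
REPORT

# Same ordering as Brakeman's -w switch: 1 = Weak, 2 = Medium, 3 = High.
CONFIDENCE_RANK = { 'Weak' => 1, 'Medium' => 2, 'High' => 3 }.freeze

# Split a compare report into its two lists; missing lists are treated as empty.
def parse_compare_report(json_text)
  data = JSON.parse(json_text)
  { new: Array(data['new']), fixed: Array(data['fixed']) }
end

# Keep only warnings at or above `min_level` (1..3), mirroring `brakeman -wN`.
# Unknown confidence strings rank as 0 and are never considered blocking.
def warnings_at_or_above(warnings, min_level)
  warnings.select { |w| CONFIDENCE_RANK.fetch(w['confidence'], 0) >= min_level }
end

# Decide the CI outcome: counts of new and fixed warnings, a one-line summary of
# each blocking warning, and the exit code a CI wrapper should return.
def ci_verdict(json_text, min_level: 2)
  report = parse_compare_report(json_text)
  blocking = warnings_at_or_above(report[:new], min_level)
  {
    new_total: report[:new].size,
    fixed_total: report[:fixed].size,
    blocking: blocking.map do |w|
      format('%s (%s) %s:%d', w['warning_type'], w['confidence'], w['file'], w['line'])
    end,
    exit_code: blocking.empty? ? 0 : 1
  }
end

if __FILE__ == $PROGRAM_NAME
  # Usage: ruby compare_gate.rb compare_output.json   (MIN_CONFIDENCE=1..3 to adjust)
  # Without an argument the constructed sample is used and no exit code is raised.
  from_file = !ARGV.empty?
  text = from_file ? File.read(ARGV.first) : SAMPLE_COMPARE_JSON
  verdict = ci_verdict(text, min_level: (ENV['MIN_CONFIDENCE'] || 2).to_i)
  puts "fixed: #{verdict[:fixed_total]}, new: #{verdict[:new_total]}, blocking: #{verdict[:blocking].size}"
  verdict[:blocking].each { |line| puts "  #{line}" }
  exit verdict[:exit_code] if from_file
end
```

In a pipeline this would run after `brakeman -o current.json` and `brakeman --compare old_report.json > compare.json`; gating on new warnings only (rather than Brakeman's default of any warning) lets a team adopt the scanner on an existing code base without first clearing its backlog, while the confidence threshold keeps Weak findings from blocking merges until they have been triaged.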

Configuration files

Brakeman options can be stored in and read from YAML files. To simplify writing a configuration file, the -C option will output the currently set options.

Options passed in on the commandline have priority over configuration files.

The default config locations are ./config/brakeman.yml, ~/.brakeman/config.yml, and /etc/brakeman/config.yml.

The -c option can be used to specify a configuration file to use.

Continuous Integration

There is a plugin available for Jenkins/Hudson.

For even more continuous testing, try the Guard plugin.

Building from source:

git clone git://github.com/presidentbeef/brakeman.git
cd brakeman
gem build brakeman.gemspec
gem install brakeman*.gem



Website: http://brakemanscanner.org/

Twitter: https://twitter.com/brakeman

Chat: https://gitter.im/presidentbeef/brakeman


Brakeman can be freely used, modified, or distributed for any purpose except as a feature of a commercial product.

See COPYING for details.