Brakeman 1.0 has been released!
What it is
Brakeman provides vulnerability checks for Rails applications by
scanning the source code. No deployment or application stack required.
Brakeman searches for:
- Cross Site Scripting
- SQL Injection
- Command Injection
- Mass Assignment
- Cross-Site Request Forgery
- Unprotected Redirects
- Default Routes
- Insufficient Format Validation
- Dynamic Render Paths
- Dangerous Evaluation
- File Access
- Unsafe Session Settings
- Version-specific Rails vulnerabilities
- …and more!
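To make the "scan the source, never run the app" idea concrete, here is a small added example (not Brakeman's own code; Brakeman parses Ruby with ruby_parser and tracks data flow, this toy uses plain regexes over the source text). It scans a constructed Rails controller for two of the classes listed above, SQL injection via string interpolation into a query fragment and mass assignment of the raw params hash, and leaves the hardened forms alone. The method names in SQL_METHODS and the sample controller are assumptions for the illustration.

```ruby
# Added example: a toy static check for two of the warning classes Brakeman
# reports. It is NOT Brakeman's code; it only shows that a source scan needs
# no running application or database.

# Constructed sample: each vulnerable pattern is followed by its safe form.
SAMPLE_CONTROLLER = <<~'RUBY'
  class UsersController < ApplicationController
    def search
      # SQL injection: user input interpolated straight into the query string
      @users = User.where("name = '#{params[:name]}'")
      # Safe form: the value is bound as a parameter instead
      @safe = User.where("name = ?", params[:name])
    end

    def create
      # Mass assignment: the whole params hash handed to the model
      @user = User.new(params[:user])
      # Safe form: all-literal attributes (Brakeman ignores these since 1.0)
      @admin = User.new(:role => "guest")
    end
  end
RUBY

Finding = Struct.new(:check, :line, :code)

# ActiveRecord methods whose first argument may be a raw SQL fragment (assumed list).
SQL_METHODS = %w[where find_by_sql order group having].freeze
SQL_CALL    = /\.(#{SQL_METHODS.join('|')})\(\s*"([^"]*)"/
# Model constructors/updaters fed the params hash directly.
MASS_ASSIGN = /\.(new|create|update_attributes)\(\s*params\[/

# Returns one Finding per suspicious line; safe forms produce nothing.
def scan_source(src)
  findings = []
  src.each_line.with_index(1) do |line, no|
    if (m = SQL_CALL.match(line)) && m[2].include?('#{')
      findings << Finding.new("SQL Injection", no, line.strip)
    end
    if MASS_ASSIGN.match?(line)
      findings << Finding.new("Mass Assignment", no, line.strip)
    end
  end
  findings
end

# Formats findings the way a CLI report would, one line per warning.
def report(findings)
  findings.map { |f| "#{f.check} (line #{f.line}): #{f.code}" }
end

if __FILE__ == $0
  puts report(scan_source(SAMPLE_CONTROLLER))
end
```

Running it prints the two vulnerable lines and skips the two safe ones; a real tool has to do much more (follow assignments, resolve `params` through local variables, handle `#{}` inside single-quoted heredocs and `%q` literals), which is exactly the work the "better handling of assignments" and "check more expressions" items in the changelog refer to.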
How to use it
gem install brakeman
brakeman your_app_path
Changes since 0.9.2
- Better handling of assignments inside ifs
- Check more expressions for SQL injection
- Use latest ruby_parser for better 1.9 syntax support
- Better behavior for Brakeman as a library
- Brakeman can now be used as a library
- Faster call search
- Add option to return error code if warnings are found (tw-ngreen)
- Allow truncated messages to be expanded in HTML
- Keep expanded context in view in HTML output
- Fix summary when using warning thresholds
- Better support for Rails 3 routes
- Reduce SQL injection duplicate warnings
- Lower confidence on mass assignment with no user input
- Ignore mass assignment using all literal arguments