[ANN] Brakeman 1.0 Released: Static analysis security scanning for Rails apps

Brakeman 1.0 has been released!

What it is

Brakeman provides vulnerability checks for Rails applications by
scanning the source code. No deployment or application stack required.

Brakeman searches for:

  • Cross Site Scripting
  • SQL Injection
  • Command Injection
  • Mass Assignment
  • Cross-Site Request Forgery
  • Unprotected Redirects
  • Default Routes
  • Insufficient Format Validation
  • Dynamic Render Paths
  • Dangerous Evaluation
  • File Access
  • Unsafe Session Settings
  • Version-specific Rails vulnerabilities
  • …and more!

How to use it

gem install brakeman

brakeman your_app_path

Changes since 0.9.2

  • Better handling of assignments inside ifs
  • Check more expressions for SQL injection
  • Use latest ruby_parser for better 1.9 syntax support
  • Better behavior for Brakeman as a library
  • Brakeman can now be used as a library
  • Faster call search
  • Add option to return error code if warnings are found (tw-ngreen)
  • Allow truncated messages to be expanded in HTML
  • Keep expanded context in view in HTML output
  • Fix summary when using warning thresholds
  • Better support for Rails 3 routes
  • Reduce SQL injection duplicate warnings
  • Lower confidence on mass assignment with no user input
  • Ignore mass assignment using all literal arguments