DEV Community


Posted on • Updated on

static security analysis for Rails app by using Breakman

πŸ”— Parent Note

How to use

Run the brakeman

According to Brakeman repository, run following command on the root directory of the app.

bundle exec brakeman


You might get the result like this. Sometimes, the result is so long, so that you can search the new alert by using "new": [ keyword.

  "new": [
      "warning_type": "File Access",
      "warning_code": 16,
      "fingerprint": "xxx",
      "check_name": "SendFile",
      "message": "Parameter value used in file name",
      "file": "app/controllers/download_controller.rb",
      "line": xx,
      "link": "",
      "code": "send_file(params[:file_name])",
      "render_path": null,
      "location": {
        "type": "method",
        "class": "DownloadController",
        "method": "file_download"
      "user_input": "params[:file_name]",
      "confidence": "Weak"

specific files

bundle exec brakeman --only-files path/to/file/,path/to2/ --compare ./brakeman-result.json | grep '"new": ' -A25

Run on CI server

bundle exec brakeman -z ./
  • -z: return 0 as the exit code. Breakman returns non-0 code as default if it detects any security warnings. This option helps CI.

Compare with last one

bundle exec brakeman ./ --compare ./ci/brakeman-scan-result.json

In the Case of FalsePositive

Write it to ignore file.

bundle exec brakeman -I ./

Breakman will ask you if it detects any warning, then I think the option n is good. n means Add warning to ignore list and add note. Note is a comment.

  • -I: --interactive-ignore. (explain at the FalsePositive)

πŸ“š Brakeman: Ignoring False Positives

Top comments (0)