How to use
Run Brakeman
According to the Brakeman repository, run the following command in the root directory of the app.
bundle exec brakeman
- 📚 Brakeman: Options
Result
You might get a result like this. Sometimes the result is very long, so you can find the new alerts by searching for the "new": [ keyword.
{
"new": [
{
"warning_type": "File Access",
"warning_code": 16,
"fingerprint": "xxx",
"check_name": "SendFile",
"message": "Parameter value used in file name",
"file": "app/controllers/download_controller.rb",
"line": xx,
"link": "https://brakemanscanner.org/docs/warning_types/file_access/",
"code": "send_file(params[:file_name])",
"render_path": null,
"location": {
"type": "method",
"class": "DownloadController",
"method": "file_download"
},
"user_input": "params[:file_name]",
"confidence": "Weak"
},
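The warning above flags send_file(params[:file_name]) because the request parameter becomes the file name. As an added example (not code from the original note, Brakeman or Rails), here is that flagged form beside a hardened one that confines the path to a fixed download directory. It is plain Ruby: `params` is a Hash standing in for the request params (an assumption), and DOWNLOAD_DIR is a constructed directory.

```ruby
# Added example, not from the original note: the call Brakeman flagged above
# beside a hardened form that confines the path to a fixed download directory.
# Plain Ruby, no Rails: `params` is a Hash standing in for the request params
# (assumption), and DOWNLOAD_DIR is a constructed directory.
require "pathname"

DOWNLOAD_DIR = "/srv/app/downloads"

# Flagged form: the request parameter becomes the file name passed to
# send_file, which is why Brakeman reports "Parameter value used in file name".
def unsafe_download_path(params)
  params[:file_name]
end

# Hardened form: accept only a plain file name, resolve it under DOWNLOAD_DIR,
# and refuse anything that would escape that directory. Returns nil on rejection.
def safe_download_path(params, base_dir = DOWNLOAD_DIR)
  name = params[:file_name].to_s
  return nil unless name.match?(/\A[\w.-]+\z/)   # letters, digits, _, ., - only
  return nil if name.start_with?(".")            # no dot-files, no "." or ".."
  base = Pathname.new(base_dir).cleanpath
  candidate = (base + name).cleanpath
  return nil unless candidate.to_s.start_with?("#{base}/")
  candidate.to_s
end

# What the controller would do (send_file is Rails; shown as a comment only):
#   path = safe_download_path(params) or return head(:not_found)
#   send_file path
```

Because the resolved path no longer comes straight from params, Brakeman no longer sees user input flowing into the file name; the containment check is the part that actually matters if the allow-list regex is ever loosened.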
Specific files
bundle exec brakeman --only-files path/to/file/,path/to2/ --compare ./brakeman-result.json | grep '"new": ' -A25
Run on CI server
bundle exec brakeman -z ./
- -z: return 0 as the exit code. Brakeman returns a non-zero exit code by default if it detects any security warnings. This option helps on CI.
Compare with last one
bundle exec brakeman ./ --compare ./ci/brakeman-scan-result.json
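Instead of grepping the compare output for the "new": [ keyword, a small script can read the comparison JSON and decide the CI result. The following is an added example (not code from the original note or from Brakeman): it parses a compare-style report with "new" and "fixed" arrays, prints each warning on one line, and returns the exit status CI should use, optionally only for warnings at or above a chosen confidence. The embedded JSON is a constructed sample in Brakeman's output shape; the fingerprints, file names and line numbers in it are placeholders.

```ruby
# Added example, not from the original note or from Brakeman itself:
# parse a Brakeman "--compare" JSON report and turn the "new" array into
# a CI decision, instead of grepping for the "new": [ keyword by hand.
require "json"

# Constructed sample in the shape of Brakeman's compare output
# ("new" and "fixed" arrays of warnings); fingerprints are placeholders.
SAMPLE_COMPARE_JSON = <<~'JSON'
  {
    "new": [
      {
        "warning_type": "File Access",
        "warning_code": 16,
        "fingerprint": "constructed-fingerprint-1",
        "check_name": "SendFile",
        "message": "Parameter value used in file name",
        "file": "app/controllers/download_controller.rb",
        "line": 12,
        "link": "https://brakemanscanner.org/docs/warning_types/file_access/",
        "code": "send_file(params[:file_name])",
        "location": {"type": "method", "class": "DownloadController", "method": "file_download"},
        "user_input": "params[:file_name]",
        "confidence": "Weak"
      }
    ],
    "fixed": [
      {
        "warning_type": "SQL Injection",
        "warning_code": 0,
        "fingerprint": "constructed-fingerprint-2",
        "check_name": "SQL",
        "message": "Possible SQL injection",
        "file": "app/models/user.rb",
        "line": 30,
        "code": "User.find_by_sql(params[:q])",
        "location": {"type": "method", "class": "User", "method": "search"},
        "confidence": "High"
      }
    ]
  }
JSON

CONFIDENCE_RANK = { "High" => 3, "Medium" => 2, "Weak" => 1 }.freeze

# Returns { new: [...], fixed: [...] }; missing keys become empty arrays.
def parse_compare_report(json_text)
  report = JSON.parse(json_text)
  { new: report.fetch("new", []), fixed: report.fetch("fixed", []) }
end

# New warnings at or above a confidence level, e.g. block CI on Medium
# and High while still printing Weak ones for review.
def new_warnings_at_least(parsed, level)
  min = CONFIDENCE_RANK.fetch(level)
  parsed[:new].select { |w| CONFIDENCE_RANK.fetch(w["confidence"], 0) >= min }
end

# One line per warning: confidence, type, check, file:line, location, message, code.
def format_warning(w)
  loc = w["location"] || {}
  where = [loc["class"], loc["method"]].compact.join("#")
  "#{w['confidence']} #{w['warning_type']} (#{w['check_name']}) " \
    "#{w['file']}:#{w['line']} #{where}: #{w['message']} -- #{w['code']}"
end

# CI exit status: 1 if any new warning meets the threshold, else 0.
def ci_exit_status(parsed, level = "Weak")
  new_warnings_at_least(parsed, level).empty? ? 0 : 1
end

if __FILE__ == $PROGRAM_NAME
  # Usage: ruby brakeman_compare.rb [compare-result.json] [Weak|Medium|High]
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_COMPARE_JSON
  level = ARGV[1] || "Weak"
  parsed = parse_compare_report(text)
  puts "#{parsed[:new].size} new, #{parsed[:fixed].size} fixed"
  parsed[:new].each   { |w| puts "NEW   #{format_warning(w)}" }
  parsed[:fixed].each { |w| puts "FIXED #{format_warning(w)}" }
  status = ci_exit_status(parsed, level)
  puts "exit status would be #{status}"
  exit status if ARGV[0]   # only fail the process when a real report was given
end
```

Run it with the JSON produced by the compare command above (for example `brakeman ... --compare ./ci/brakeman-scan-result.json -f json -o compare-result.json`, where the output file name is an assumption) and pass the result of ci_exit_status back to CI. Failing only on new warnings is what makes the baseline comparison useful: warnings already in the baseline do not block the build, while anything fresh does.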
In the Case of a False Positive
Write it to the ignore file.
bundle exec brakeman -I ./
Brakeman will ask you about each warning it detects; I think the option n is good. n means "Add warning to ignore list and add note". A note is a comment.
- -I: --interactive-ignore (explained under "In the Case of a False Positive")