Rails Kitchen

It's a place to write on stuff I learned recently.

Ruby on Rails Applications Security Vulnerability Checking Tool - Brakeman


Rails is one of the best frameworks for building websites; it mitigates many security issues by default, such as SQL injection and cross-site scripting. Still, there are plenty of ways to introduce security vulnerabilities into our applications.

Brakeman is a static analysis tool that checks Ruby on Rails applications for security vulnerabilities. Unlike many web security scanners, Brakeman looks at the source code of your application, so you do not need to set up your whole application stack to use it. Once Brakeman has scanned the application code, it produces a report of all the security issues it found. Brakeman requires no setup or configuration once it is installed; all you have to do is run it.
We can also integrate Brakeman with Jenkins by adding the Brakeman plugin. For continuous testing, we can use Guard::Brakeman, which automatically runs Brakeman whenever files are modified.

Installation

Using RubyGems:

gem install brakeman

Using Bundler, add it to the development group in your Gemfile and set it not to be required automatically:

group :development do
  gem 'brakeman', :require => false
end
Running Brakeman

The simplest way to get started with Brakeman is to run it with no options in the root directory of your Rails application:

cd your_rails_app/
brakeman

This will scan the application in the current directory and print a report to the command line.

Alternatively, you can supply a path as an argument to Brakeman:

brakeman your_rails_app

To specify an output file for the results:

brakeman -o output_file

The output format is determined by the file extension or by the -f option. The current options are: text, html, tabs, json, markdown, and csv.

Multiple output files can be specified:

brakeman -o output.html -o output.json
Example result: For more options and documentation, visit the official site:
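As an added example that is not part of the original post, here is a small Ruby script that triages the JSON report produced by `brakeman -f json -o brakeman.json` so a CI job can fail on high-confidence findings. It assumes the report's top-level "warnings" array carries "warning_type", "confidence", "file", "line" and "message" keys (Brakeman's confidence levels are High, Medium and Weak); the embedded report is a constructed sample, not real scanner output.

```ruby
# Added example (not from the original post): triage a Brakeman JSON report.
# Run `brakeman -f json -o brakeman.json` first, then pass that file as
# ARGV[0]; without an argument the constructed sample below is used.
require 'json'

# Brakeman confidence levels, strongest first.
CONFIDENCE_ORDER = %w[High Medium Weak].freeze

# Count warnings per confidence level, always listing all three levels.
def summarize_warnings(report)
  counts = CONFIDENCE_ORDER.to_h { |level| [level, 0] }
  report.fetch('warnings', []).each do |w|
    level = w['confidence']
    counts[level] = counts.fetch(level, 0) + 1
  end
  counts
end

# True when any warning is at or above the threshold confidence, i.e. the
# CI job should fail. Unknown confidence strings never block the build.
def build_failed?(report, threshold: 'High')
  limit = CONFIDENCE_ORDER.index(threshold)
  report.fetch('warnings', []).any? do |w|
    idx = CONFIDENCE_ORDER.index(w['confidence'])
    idx && idx <= limit
  end
end

# Constructed sample with the same shape as `brakeman -f json` output.
SAMPLE_REPORT = JSON.parse(<<~REPORT)
  {"warnings": [
     {"warning_type": "SQL Injection", "confidence": "High",
      "file": "app/controllers/users_controller.rb", "line": 12,
      "message": "Possible SQL injection"},
     {"warning_type": "Cross-Site Scripting", "confidence": "Weak",
      "file": "app/views/users/show.html.erb", "line": 3,
      "message": "Unescaped model attribute"}],
   "errors": []}
REPORT

if __FILE__ == $PROGRAM_NAME
  report = ARGV[0] ? JSON.parse(File.read(ARGV[0])) : SAMPLE_REPORT
  report.fetch('warnings', []).each do |w|
    puts "#{w['confidence']}: #{w['warning_type']} at #{w['file']}:#{w['line']} (#{w['message']})"
  end
  puts summarize_warnings(report).map { |k, v| "#{k}=#{v}" }.join(' ')
  puts(build_failed?(report) ? 'FAIL: blocking warnings found' : 'PASS')
end
```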
