Brakeman is an open source static analysis tool which checks Ruby on Rails applications for security vulnerabilities.
Check out Brakeman Pro if you are looking for a commercially-supported version with a GUI and advanced features.
Brakeman alternatives and similar gems
Based on the "Security" category.
Alternatively, view Brakeman alternatives based on common mentions on social networks and blogs.
Metasploit10.0 10.0 L1 Brakeman VS MetasploitMetasploit Framework
BeEF9.7 8.1 Brakeman VS BeEFThe Browser Exploitation Framework Project
Gitrob9.3 0.0 L5 Brakeman VS GitrobReconnaissance tool for GitHub organizations
Rack::Attack9.1 2.5 L5 Brakeman VS Rack::AttackRack middleware for blocking & throttling
SecureHeaders8.6 6.9 Brakeman VS SecureHeadersManages application of security headers with many safe defaults
bundler-audit8.0 6.9 L5 Brakeman VS bundler-auditPatch-level verification for Bundler
RbNaCl5.9 2.8 L5 Brakeman VS RbNaClRuby FFI binding to the Networking and Cryptography (NaCl) library (a.k.a. libsodium)
Hashids5.7 0.0 L5 Brakeman VS HashidsA small Ruby gem to generate YouTube-like hashes from one or many numbers. Use hashids when you do not want to expose your database ids to the user.
Rack::Protection5.5 0.0 Brakeman VS Rack::ProtectionNOTE: This project has been merged upstream to sinatra/sinatra
Ronin4.7 10.0 Brakeman VS RoninRonin is a free and Open Source Ruby toolkit for security research and development. Ronin also allows for the rapid development and distribution of code, exploits, payloads, etc, via 3rd party git repositories.
Rack::UTF8Sanitizer3.7 0.0 Brakeman VS Rack::UTF8SanitizerRack::UTF8Sanitizer is a Rack middleware which cleans up invalid UTF8 characters in request URI and headers.
Clamby2.3 0.0 Brakeman VS ClambyClamAV interface to your Ruby on Rails project.
ronin-exploits1.9 10.0 Brakeman VS ronin-exploitsA Ruby micro-framework for writing and running exploits
SiRP1.4 0.0 L5 Brakeman VS SiRPSecure (interoperable) Remote Password Auth (SRP-6a)
ronin-vulns1.3 10.0 Brakeman VS ronin-vulnsTests URLs for Local File Inclusion (LFI), Remote File Inclusion (RFI), SQL injection (SQLi), and Cross Site Scripting (XSS), Server Side Template Injection (SSTI), and Open Redirects.
TSS - Threshold Secret Sharing1.1 0.0 L5 Brakeman VS TSS - Threshold Secret SharingA Ruby implementation of Threshold Secret Sharing (Shamir) as defined in IETF Internet-Draft draft-mcgrew-tss-03.txt
Active Entry0.7 0.0 Brakeman VS Active EntryA flexible access control system for your Rails app
Rack::JsonWebTokenAuth0.5 0.0 L5 Brakeman VS Rack::JsonWebTokenAuthRack middleware for authentication using JSON Web Tokens (JWT)
sessionKeys0.3 0.0 L5 Brakeman VS sessionKeysA tool for the deterministic generation of unique user IDs, and NaCl cryptographic keys from a single username and high entropy passphrase.
Rack::ContentSecurityPolicy0.3 0.0 L5 Brakeman VS Rack::ContentSecurityPolicyRack middleware for declaratively setting the HTTP ContentSecurityPolicy (W3C CSP Level 2/3) security header to help prevent against XSS and other browser based attacks.
Access the most powerful time series database as a service
* Code Quality Rankings and insights are calculated and provided by Lumnify.
They vary from L1 to L5 with "L5" being the highest.
Do you think we are missing an alternative of Brakeman or a related project?
Brakeman is a static analysis tool which checks Ruby on Rails applications for security vulnerabilities.
gem install brakeman
group :development do gem 'brakeman' end
docker pull presidentbeef/brakeman
Using Docker to build from source:
git clone https://github.com/presidentbeef/brakeman.git cd brakeman docker build . -t brakeman
From a Rails application's root directory:
Outside of Rails root:
Running with Docker
From a Rails application's root directory:
docker run -v "$(pwd)":/code presidentbeef/brakeman
With a little nicer color:
docker run -v "$(pwd)":/code presidentbeef/brakeman --color
For an HTML report:
docker run -v "$(pwd)":/code presidentbeef/brakeman -o brakeman_results.html
Outside of Rails root (note that the output file is relative to path/to/rails/application):
docker run -v 'path/to/rails/application':/code presidentbeef/brakeman -o brakeman_results.html
Brakeman should work with any version of Rails from 2.3.x to 6.x.
Brakeman can analyze code written with Ruby 1.8 syntax and newer, but requires at least Ruby 2.4.0 to run.
For a full list of options, use
brakeman --help or see the [OPTIONS.md](OPTIONS.md) file.
To specify an output file for the results:
brakeman -o output_file
The output format is determined by the file extension or by using the
-f option. Current options are:
Multiple output files can be specified:
brakeman -o output.html -o output.json
To output to both a file and to the console, with color:
brakeman --color -o /dev/stdout -o output.json
To suppress informational warnings and just output the report:
Note all Brakeman output except reports are sent to stderr, making it simple to redirect stdout to a file and just get the report.
To see all kinds of debugging information:
Specific checks can be skipped, if desired. The name needs to be the correct case. For example, to skip looking for default routes (
brakeman -x DefaultRoutes
Multiple checks should be separated by a comma:
brakeman -x DefaultRoutes,Redirect
To do the opposite and only run a certain set of tests:
brakeman -t SQL,ValidationRegex
If Brakeman is running a bit slow, try
This will disable some features, but will probably be much faster (currently it is the same as
--skip-libs --no-branching). WARNING: This may cause Brakeman to miss some vulnerabilities.
By default, Brakeman will return a non-zero exit code if any security warnings are found or scanning errors are encountered. To disable this:
brakeman --no-exit-on-warn --no-exit-on-error
To skip certain files or directories that Brakeman may have trouble parsing, use:
brakeman --skip-files file1,/path1/,path2/
To compare results of a scan with a previous scan, use the JSON output option and then:
brakeman --compare old_report.json
This will output JSON with two lists: one of fixed warnings and one of new warnings.
Brakeman will ignore warnings if configured to do so. By default, it looks for a configuration file in
To create and manage this file, use:
See [warning_types](docs/warning_types) for more information on the warnings reported by this tool.
The HTML output format provides an excerpt from the original application source where a warning was triggered. Due to the processing done while looking for vulnerabilities, the source may not resemble the reported warning and reported line numbers may be slightly off. However, the context still provides a quick look into the code which raised the warning.
Brakeman assigns a confidence level to each warning. This provides a rough estimate of how certain the tool is that a given warning is actually a problem. Naturally, these ratings should not be taken as absolute truth.
There are three levels of confidence:
- High - Either this is a simple warning (boolean value) or user input is very likely being used in unsafe ways.
- Medium - This generally indicates an unsafe use of a variable, but the variable may or may not be user input.
- Weak - Typically means user input was indirectly used in a potentially unsafe manner.
To only get warnings above a given confidence level:
-w switch takes a number from 1 to 3, with 1 being low (all warnings) and 3 being high (only highest confidence warnings).
Brakeman options can be stored and read from YAML files.
To simplify the process of writing a configuration file, the
-C option will output the currently set options:
$ brakeman -C --skip-files plugins/ --- :skip_files: - plugins/
Options passed in on the commandline have priority over configuration files.
The default config locations are
-c option can be used to specify a configuration file to use.
There is a plugin available for Jenkins/Hudson.
For even more continuous testing, try the Guard plugin.
There are a couple Github Actions available.
git clone git://github.com/presidentbeef/brakeman.git cd brakeman gem build brakeman.gemspec gem install brakeman*.gem
Who is Using Brakeman?
Brakeman is free for non-commercial use.
See [COPYING](COPYING.md) for details.
*Note that all licence references and agreements mentioned in the Brakeman README section above are relevant to that project's source code only.