Brakeman detects security vulnerabilities in Ruby on Rails applications via static analysis.
Patterns to include in reports.
Note: The input patterns are not applied when running Brakeman since Brakeman does “whole program” analysis and filtering the input files affects how Brakeman detects issues. Therefore, the files excluded by the patterns are always processed and you may even see logs related to the excluded files in the job console. However, Inspecode eventually ignores any issues detected on the excluded files when generating job reports.
If you need to let Brakeman skip particular files, consider specifying
Patterns to exclude from reports.
Note: Just like input:, the ignore patterns are not applied when running Brakeman.
Amount of CPU. The default machine has 0.25 CPU with 960 MiB RAM.
Below is the list of options that are supported:
    -n, --no-threads                   Run checks sequentially
    -p, --path PATH                    Specify path to Rails application
    -3, --rails3                       Force Rails 3 mode
    -4, --rails4                       Force Rails 4 mode
    -5, --rails5                       Force Rails 5 mode

Scanning options:
    -A, --run-all-checks               Run all default and optional checks
    -a, --[no-]assume-routes           Assume all controller methods are actions (default)
    -e, --escape-html                  Escape HTML by default
        --faster                       Faster, but less accurate scan
        --ignore-model-output          Consider model attributes XSS-safe
        --ignore-protected             Consider models with attr_protected safe
        --[no-]index-libs              Add libraries to call index (default)
        --interprocedural              Process method calls to known methods
        --no-branching                 Disable flow sensitivity on conditionals
        --branch-limit LIMIT           Limit depth of values in branches (-1 for no limit)
    -r, --report-direct                Only report direct use of untrusted data
    -s, --safe-methods meth1,meth2,etc
                                       Set methods as safe for unescaped output in views
        --url-safe-methods method1,method2,etc
                                       Do not warn of XSS if the link_to href parameter is wrapped in a safe method
        --skip-files file1,path2,etc   Skip processing of these files/directories. Directories are application relative and must end in "/"
        --only-files file1,path2,etc   Process only these files/directories. Directories are application relative and must end in "/"
        --skip-libs                    Skip processing lib directory
        --add-libs-path path1,path2,etc
                                       An application relative lib directory (ex. app/mailers) to process
    -t, --test Check1,Check2,etc       Only run the specified checks
    -x, --except Check1,Check2,etc     Skip the specified checks

Output options:
    -i, --ignore-config IGNOREFILE     Use configuration to ignore warnings
    -w, --confidence-level LEVEL       Set minimal confidence level (1 - 3)

Configuration files:
    -c, --config-file FILE             Use specified configuration file
        --force-scan                   Scan application even if rails is not detected
Note: The incremental analysis cannot be supported for Brakeman due to its “whole program” analysis behavior as also mentioned above in
With default options:
inspecode:
  brakeman: default
With custom machine:
inspecode:
  brakeman:
    machine:
      cpu: 1.5 # 1.5 CPU, 5760 MiB RAM
With custom options:
inspecode:
  brakeman:
    options: [--rails3, --escape-html]
With a configuration file:
inspecode:
  brakeman:
    config-file: ./config/brakeman.yml
The above configuration is equivalent to:
inspecode:
  brakeman:
    options:
      --config-file: ./config/brakeman.yml
Inspecode tries to detect Rails applications in your repository and, if any are detected, runs brakeman at the root of each one. If no Rails applications are detected, Inspecode runs brakeman at the root of your repository.
Note: Inspecode assumes a Rails application has the following layout:
<rails app>/
|-- app/
|-- config/
|-- public/
|-- Rakefile
|-X *.gemspec (should not be a gem)
|-- ... (other files and directories)
If no configuration files are specified via options field, Inspecode first lets Brakeman find configuration files in your repository.
See https://github.com/presidentbeef/brakeman#basic-options about how Brakeman looks for configuration files.
In addition, if Brakeman cannot find any configuration files, Inspecode also walks the file tree in lexical order in your repository to find a configuration file, named .brakeman/config.yml, and specifies the file first found to Brakeman automatically via
Note: Inspecode ignores specific configuration files while searching. See Configuration > Tool Configuration > Field:
If the configuration file detected by Inspecode is not the one you want to use, or you do not want to use any configuration file, you can stop Inspecode from detecting configuration files by explicitly setting the config-file field to an empty string, as below:
inspecode:
  brakeman:
    config-file: ""
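
To predict locally where brakeman would be run and which .brakeman/config.yml would be picked up, the following added Ruby sketch (not Inspecode's own code) applies the layout check and the lexical-order search described above to a constructed sample repository. The helper names are hypothetical, it assumes "lexical order" means a depth-first walk with entries sorted by name, and the configuration files Inspecode ignores while searching are not modelled.

```ruby
require "fileutils"
require "tmpdir"

# Layout check from the page: app/, config/, public/ and a Rakefile, but no *.gemspec.
def rails_app?(dir)
  %w[app config public].all? { |d| File.directory?(File.join(dir, d)) } &&
    File.file?(File.join(dir, "Rakefile")) &&
    Dir.glob("*.gemspec", base: dir).empty?
end

# Depth-first walk with entries sorted by name (assumed meaning of "lexical order").
def walk(dir, &blk)
  Dir.children(dir).sort.each do |name|
    path = File.join(dir, name)
    yield path
    walk(path, &blk) if File.directory?(path) && !File.symlink?(path)
  end
end

# Directories brakeman would run in: every detected app, else the repository root.
def scan_roots(repo)
  roots = rails_app?(repo) ? [repo] : []
  walk(repo) { |p| roots << p if File.directory?(p) && rails_app?(p) }
  roots.empty? ? [repo] : roots
end

# First .brakeman/config.yml met during the walk, or nil when there is none.
def first_config(repo)
  walk(repo) { |p| return p if p.end_with?("/.brakeman/config.yml") && File.file?(p) }
  nil
end

# Constructed sample: a Rails app (web/), a gem (engine/), one config outside any app.
def build_sample(repo)
  { "web" => [], "engine" => ["engine.gemspec"] }.each do |app, extra|
    %w[app config public].each { |d| FileUtils.mkdir_p(File.join(repo, app, d)) }
    (["Rakefile"] + extra).each { |f| FileUtils.touch(File.join(repo, app, f)) }
  end
  %w[web tools/a-b].each do |d|
    FileUtils.mkdir_p(File.join(repo, d, ".brakeman"))
    FileUtils.touch(File.join(repo, d, ".brakeman", "config.yml"))
  end
end

Dir.mktmpdir do |repo|
  build_sample(repo)
  puts "scan roots: #{scan_roots(repo).inspect}"
  puts "config:     #{first_config(repo).inspect}"
end
```

In the sample, the config under tools/a-b is found before the one in web/ because tools sorts before web, which is the situation where setting config-file explicitly matters.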