Brakeman

Brakeman detects security vulnerabilities in Ruby on Rails applications via static analysis.

Version

4.4.0

Runtime

Ruby Versions

Supported Languages

Ruby

Official Documentation

http://brakemanscanner.org/

YAML Configuration

brakeman:

  • input:

    Patterns to include in reports.

    Note: The input patterns are not applied when running Brakeman since Brakeman does “whole program” analysis and filtering the input files affects how Brakeman detects issues. Therefore, the files excluded by the patterns are always processed and you may even see logs related to the excluded files in the job console. However, Inspecode eventually ignores any issues detected on the excluded files when generating job reports.

    If you need to let Brakeman skip particular files, consider specifying --skip-files or --only-files under options: instead.

  • ignore:

    Patterns to exclude from reports.

    Note: Just like input:, the ignore patterns are not applied when running Brakeman.

  • auto-fix:

    N/A

  • config-file:

    Alias of --config-file option.

  • machine:

    • cpu:

      Amount of CPU. The default machine has 0.25 CPU with 960 MiB RAM.

  • options:

    Below is the list of options that are supported:

        -n, --no-threads                 Run checks sequentially
        -p, --path PATH                  Specify path to Rails application
        -3, --rails3                     Force Rails 3 mode
        -4, --rails4                     Force Rails 4 mode
        -5, --rails5                     Force Rails 5 mode
    
    Scanning options:
        -A, --run-all-checks             Run all default and optional checks
        -a, --[no-]assume-routes         Assume all controller methods are actions (default)
        -e, --escape-html                Escape HTML by default
            --faster                     Faster, but less accurate scan
            --ignore-model-output        Consider model attributes XSS-safe
            --ignore-protected           Consider models with attr_protected safe
            --[no-]index-libs            Add libraries to call index (default)
            --interprocedural            Process method calls to known methods
            --no-branching               Disable flow sensitivity on conditionals
            --branch-limit LIMIT         Limit depth of values in branches (-1 for no limit)
        -r, --report-direct              Only report direct use of untrusted data
        -s meth1,meth2,etc,              Set methods as safe for unescaped output in views
            --safe-methods
            --url-safe-methods method1,method2,etc
                                         Do not warn of XSS if the link_to href parameter is wrapped in a safe method
            --skip-files file1,path2,etc Skip processing of these files/directories. Directories are application relative and must end in "/"
            --only-files file1,path2,etc Process only these files/directories. Directories are application relative and must end in "/"
            --skip-libs                  Skip processing lib directory
            --add-libs-path path1,path2,etc
                                         An application relative lib directory (ex. app/mailers) to process
        -t, --test Check1,Check2,etc     Only run the specified checks
        -E, --enable Check1,Check2,etc   Enable the specified checks
        -x, --except Check1,Check2,etc   Skip the specified checks
    
    Output options:
        -i, --ignore-config IGNOREFILE   Use configuration to ignore warnings
        -w, --confidence-level LEVEL     Set minimal confidence level (1 - 3)
    
    Configuration files:
        -c, --config-file FILE           Use specified configuration file
    
            --force-scan                 Scan application even if rails is not detected
    
  • thresholds:

    • num-issues:

      No tool specific severity levels are available.

  • experimental:

    • incremental:

      N/A

      Note: The incremental analysis cannot be supported for Brakeman due to its “whole program” analysis behavior as also mentioned above in input:.

YAML Examples

  • With default options:

    inspecode:
      brakeman: default
    
  • With custom machine:

    inspecode:
      brakeman:
        machine:
          cpu: 1.5 # 1.5 CPU, 5760 MiB RAM
    
  • With custom options:

    inspecode:
      brakeman:
        options: [--rails3, --escape-html]
    
  • With a configuration file:

    inspecode:
      brakeman:
        config-file: ./config/brakeman.yml
    

    The above configuration is equivalent to:

    inspecode:
      brakeman:
        options:
          --config-file: ./config/brakeman.yml
    

Rails Application Detection

Inspecode tries to detect Rails applications in your repository and, if it finds any, runs brakeman at the root of each detected Rails application. Otherwise, if no Rails application is detected in your repository, Inspecode runs brakeman at the root of your repository.

Note: Inspecode assumes a Rails application has the following layout:

<rails app>/
|-- app/
|-- config/
|-- public/
|-- Rakefile
|-X *.gemspec (should not be a gem)
|-- ... (other files and directories)

Configuration File Detection

If no configuration file is specified via the config-file or options field, Inspecode first lets Brakeman find configuration files in your repository. See https://github.com/presidentbeef/brakeman#basic-options for how Brakeman looks for configuration files.

In addition, if Brakeman cannot find any configuration file, Inspecode walks the file tree of your repository in lexical order looking for a configuration file named brakeman.yml, brakeman/config.yml or .brakeman/config.yml, and automatically passes the first file found to Brakeman via the --config-file option.

Note: Inspecode ignores specific configuration files while searching. See Configuration > Tool Configuration > Field: config-file for detail.

If the configuration file detected by Inspecode is not the one you want to use, or you do not want to use any configuration file at all, you can stop Inspecode from detecting configuration files by explicitly setting the config-file field to an empty string, like below:

inspecode:
  brakeman:
    config-file: ""
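The two detection rules above (Rails application layout, and the lexical search for a brakeman.yml / brakeman/config.yml / .brakeman/config.yml file, including the config-file: "" override) can be checked locally before pushing a change. The following Ruby script is an added example and is not Inspecode's or Brakeman's own code. It assumes that "lexical order" means a depth-first walk with each directory's children sorted, that the layout check is exactly the entries listed above (app/, config/, public/, Rakefile and no *.gemspec), and it does not model Brakeman's own configuration-file lookup; the sample repository it builds is constructed for the demonstration.

```ruby
require "yaml"
require "fileutils"
require "tmpdir"

# Entries this page lists for a Rails application root.
RAILS_LAYOUT = { dirs: %w[app config public], files: %w[Rakefile] }.freeze

# Configuration file names Inspecode looks for when Brakeman finds none.
CONFIG_NAMES = ["brakeman.yml", "brakeman/config.yml", ".brakeman/config.yml"].freeze

# Depth-first walk of every path under +root+, children sorted lexically.
# Assumption: this is what "walks the file tree in lexical order" means.
def walk(root, &blk)
  Dir.children(root).sort.each do |name|
    path = File.join(root, name)
    yield path
    walk(path, &blk) if File.directory?(path)
  end
end

# A directory is a Rails app root if it has app/, config/, public/ and a
# Rakefile, and carries no *.gemspec (a gem is not treated as an app).
def rails_app?(dir)
  RAILS_LAYOUT[:dirs].all? { |d| File.directory?(File.join(dir, d)) } &&
    RAILS_LAYOUT[:files].all? { |f| File.file?(File.join(dir, f)) } &&
    Dir.children(dir).none? { |n| n.end_with?(".gemspec") }
end

# Directories brakeman would be run in: every detected Rails app root,
# or the repository root itself when none is found.
def scan_roots(repo)
  apps = []
  apps << repo if rails_app?(repo)
  walk(repo) { |p| apps << p if File.directory?(p) && rails_app?(p) }
  apps.empty? ? [repo] : apps
end

# First candidate configuration file in walk order, or nil if none exists.
def detect_config_file(repo)
  walk(repo) do |p|
    next unless File.file?(p)
    rel = p.delete_prefix(repo).delete_prefix("/")
    return p if CONFIG_NAMES.any? { |n| rel == n || rel.end_with?("/#{n}") }
  end
  nil
end

# Effective config-file setting from a parsed inspecode.yml hash:
# :auto (let Brakeman/Inspecode detect), nil (detection disabled by
# config-file: ""), or the configured path (config-file or --config-file).
def effective_config_file(settings)
  tool = settings.dig("inspecode", "brakeman")
  return :auto unless tool.is_a?(Hash) # "brakeman: default" or absent
  cf = tool["config-file"]
  return nil if cf == ""
  return cf if cf
  case (opts = tool["options"])
  when Hash then opts["--config-file"] || :auto
  when Array
    i = opts.index("--config-file")
    i && opts[i + 1] ? opts[i + 1] : :auto
  else :auto
  end
end

# Constructed sample repository: one real Rails app, one gem that looks
# like an app, and two candidate config files in different places.
def build_sample_repo(repo)
  app = File.join(repo, "services", "api")
  FileUtils.mkdir_p(%w[app config public .brakeman].map { |d| File.join(app, d) })
  FileUtils.touch(File.join(app, "Rakefile"))
  File.write(File.join(app, ".brakeman", "config.yml"), "skip_files:\n- vendor/\n")
  gem_dir = File.join(repo, "gems", "mygem")
  FileUtils.mkdir_p(%w[app config public].map { |d| File.join(gem_dir, d) })
  FileUtils.touch(File.join(gem_dir, "Rakefile"))
  FileUtils.touch(File.join(gem_dir, "mygem.gemspec")) # marks it as a gem
  FileUtils.mkdir_p(File.join(repo, "tools"))
  File.write(File.join(repo, "tools", "brakeman.yml"), "run_all_checks: true\n")
  repo
end

if __FILE__ == $0
  Dir.mktmpdir do |repo|
    build_sample_repo(repo)
    puts "scan roots:  #{scan_roots(repo)}"
    puts "config file: #{detect_config_file(repo)}"
    disabled = YAML.safe_load("inspecode:\n  brakeman:\n    config-file: \"\"\n")
    puts "config-file \"\" resolves to: #{effective_config_file(disabled).inspect}"
  end
end
```

On the sample tree, gems/mygem is skipped because of its gemspec, so the only scan root is services/api, and services/api/.brakeman/config.yml wins over tools/brakeman.yml because "services" sorts before "tools" and ".brakeman" sorts before the other entries of the app directory. Running the script against a real checkout shows which file Inspecode's fallback search would hand to --config-file, which is the quickest way to see whether you need the config-file: "" override.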
