Brakeman – A Code Security Auditing Tool for Ruby

What is a Brakeman?

In the 1800s a brakeman was a rail worker responsible for keeping the railroads safe by applying the brakes to each individual car. In this case, Brakeman is a security scanner for applications written with the Ruby on Rails framework. Brakeman works by analyzing the source code of Ruby on Rails applications and highlighting potential vulnerabilities.

Installation is a breeze using RubyGems; alternatively, you can build it from the latest source on GitHub. The project is very popular and is used by top companies such as Groupon, Twitter and GitHub itself.

gem install brakeman
git clone https://github.com/presidentbeef/brakeman.git
cd brakeman
docker build . -t brakeman

How is it used?

The main advantage of Brakeman is that it can run at any time during the development cycle, because all it needs is the source code and it requires zero setup or configuration once installed. It comes with 3 different warning levels [high, medium, low], which give an estimate of how confident Brakeman is that each reported issue is a real vulnerability. Brakeman is also much faster than black-box scanners, but it can only scan statically, not dynamically.

Brakeman comes with many scanning options, such as scanning a specified path, running each scan in a single thread, or forcing Brakeman to assume Rails 3 or 4. To run Brakeman locally, just run the brakeman command from inside the Rails application. To run it from outside the application, use the same command followed by the path to the application. Brakeman will work with any version of Rails from version 2.4 until 6.x and can analyze code written in Ruby 1.8 syntax and beyond, but it needs at least Ruby 2.4.0 to run efficiently.
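As an added example (not from this post or from the Brakeman project), the following Ruby script turns a Brakeman JSON report into a CI gate: it counts findings per confidence level and fails the build when anything at or above a chosen level is present. The sample report is constructed, and the field names it reads (`warnings`, `confidence`, `warning_type`, `file`, `line`) are assumed to match what `brakeman -f json` writes.

```ruby
require "json"

# Constructed sample of a Brakeman JSON report. Only the fields this script
# reads are included; the field names are assumed to match Brakeman's format.
SAMPLE_REPORT = <<~REPORT
  {
    "scan_info": {"app_path": "/srv/app", "rails_version": "6.1.0"},
    "warnings": [
      {"warning_type": "SQL Injection", "check_name": "SQL",
       "file": "app/models/user.rb", "line": 12, "confidence": "High",
       "message": "Possible SQL injection"},
      {"warning_type": "Cross-Site Scripting", "check_name": "CrossSiteScripting",
       "file": "app/views/users/show.html.erb", "line": 4, "confidence": "Medium",
       "message": "Unescaped model attribute"},
      {"warning_type": "Mass Assignment", "check_name": "ModelAttributes",
       "file": "app/models/post.rb", "line": 3, "confidence": "Weak",
       "message": "Potentially dangerous attribute available for mass assignment"}
    ],
    "ignored_warnings": [], "errors": []
  }
REPORT

# Brakeman's three confidence levels, highest first. The post calls the lowest
# one "low"; in the JSON report it appears as "Weak".
CONFIDENCE_RANK = { "High" => 0, "Medium" => 1, "Weak" => 2 }.freeze

# Parse a report and return the warnings at or above the given confidence.
def warnings_at_least(report_json, min_confidence)
  limit = CONFIDENCE_RANK.fetch(min_confidence)
  JSON.parse(report_json).fetch("warnings").select do |w|
    # Unknown confidence strings rank below "Weak" and are never selected.
    CONFIDENCE_RANK.fetch(w["confidence"], CONFIDENCE_RANK.size) <= limit
  end
end

# Count warnings per confidence level, e.g. {"High"=>1, "Medium"=>1, "Weak"=>1}.
def count_by_confidence(report_json)
  JSON.parse(report_json).fetch("warnings")
      .group_by { |w| w["confidence"] }
      .transform_values(&:size)
end

# CI gate: true when the build should fail, i.e. any warning meets the threshold.
def should_fail?(report_json, min_confidence = "High")
  !warnings_at_least(report_json, min_confidence).empty?
end

if __FILE__ == $PROGRAM_NAME
  # With a report path on the command line, act as a CI gate; otherwise use the sample.
  json = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_REPORT
  puts count_by_confidence(json).inspect
  warnings_at_least(json, "High").each do |w|
    puts "#{w['confidence']}: #{w['warning_type']} at #{w['file']}:#{w['line']}"
  end
  exit 1 if ARGV[0] && should_fail?(json)
end
```

Run it as `ruby brakeman_gate.rb brakeman.json` after `brakeman -f json -o brakeman.json` to make the pipeline step fail only on high-confidence findings.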

How much do we like it?

All in all, this tool and all of its advantages make me want to give it a 3/5 bunny rating. The fact that you can run this tool at any stage in development is very convenient, as is being able to scan individual paths. This tool seems like it could be every Ruby developer's dream tool.

Want to learn more about ethical hacking?

We have a network hacking course that is of a similar level to OSCP; get an exclusive discount here.

Do you know of another GitHub related hacking tool?

Get in touch with us via the contact form if you would like us to look at any other GitHub ethical hacking tools.
