Brakeman Pro Engine 4.0 Released

Sep 25, 2017

Brakeman Pro Engine 4.0 and Brakeman Pro Desktop 1.6.1 have been released.

Brakeman Pro Engine 4.0 introduces backwards-incompatible changes!

Brakeman Pro Engine will now return non-zero exit codes if any warnings are found or if any errors are raised during the scan. This behavior has been optionally available for a long time, but is now the default.

The default report format has been updated to use the “plain” text output which contains more complete information, including extended descriptions, file names, and check names. Use -f tables to output the old table report format.

Brakeman Pro Engine Plain Report

Any output to a terminal will now be paged by default, making it much easier to read through long reports. The pager will not be used if the CI environment variable is set to true, which most popular CI servers do. Use the --no-pager command line option to disable manually.

This release also adds new checks for Devise configuration best practices. New warnings have been added for weak hashing algorithms, suggested password length requirements, long password reset timeouts,missing account lockout strategies, and missing paranoid mode.

Brakeman Pro Desktop 1.6.1 has the latest Engine and has been updated to use JRuby

Engine changes:

  • Add new checks for Devise configuration best practices
  • --exit-on-warn is now the default
  • --exit-on-error is now the default
  • “Plain” report output is now the default
  • Add simple pager for reports output to terminal
  • Remove low confidence mass assignment warnings
  • Reduce warnings about XSS in link_to
  • Treat request.cookies like cookies
  • Treat fail/raise like early returns
  • Rename “Cross Site Scripting” to “Cross-Site Scripting”
  • Remove reliance on CONFIDENCE constant in checks
  • Fix use of --exit-on-error and --exit-on-warn in config files

Desktop changes:

  • All builds now use JRuby

Brakeman Pro is a static analysis security tool for Ruby on Rails applications.

Brakeman Pro can be used as a desktop application, Ruby Gem, and as a Code Climate engine.

If you have not purchased Brakeman Pro yet, you can review pricing and purchase licenses directly from our site.

Need to try before buying? Take Brakeman Pro Desktop for a spin.

Please feel free to contact us with any questions!