Brakeman Pro Engine 4.0 and Brakeman Pro Desktop 1.6.1 have been released.
Brakeman Pro Engine 4.0 introduces backwards-incompatible changes!
Brakeman Pro Engine will now return non-zero exit codes if any warnings are found or if any errors are raised during the scan. This behavior has been optionally available for a long time, but is now the default.
The default report format has been updated to use the “plain” text output, which contains more complete information, including extended descriptions, file names, and check names. Use -f tables to output the old table report format.
Any output to a terminal will now be paged by default, making it much easier to read through long reports. The pager will not be used if the CI environment variable is set to true, which most popular CI servers set automatically. Use the --no-pager command line option to disable the pager manually.
This release also adds new checks for Devise configuration best practices. New warnings have been added for weak hashing algorithms, suggested password length requirements, long password reset timeouts, missing account lockout strategies, and missing paranoid mode.
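To make concrete what a check of this kind inspects, here is a toy checker added for this post. It is not Brakeman Pro's own code: it reads a Devise initializer as text, records the uncommented config.* assignments, and reports the five conditions named above. The thresholds (minimum password length 8, bcrypt stretches 10, reset window 6 hours) and the two sample initializers are my own assumptions, chosen for illustration, not Brakeman Pro's rules. The Devise option names themselves (encryptor, stretches, password_length, reset_password_within, lock_strategy, unlock_strategy, maximum_attempts, paranoid) are real Devise settings.

```ruby
# Added example: a minimal Devise initializer checker. Not Brakeman Pro's
# implementation; thresholds below are assumptions made for this post.

# Legacy encryptors from devise-encryptable; Devise's default is bcrypt.
WEAK_ENCRYPTORS = %w[sha1 sha512 restful_authentication_sha1
                     authlogic_sha512 clearance_sha1].freeze
MIN_PASSWORD_LENGTH = 8        # assumption
MIN_STRETCHES       = 10       # assumption (bcrypt cost factor)
MAX_RESET_SECONDS   = 6 * 3600 # assumption (Devise's generated default is 6.hours)

UNITS = { 'second' => 1, 'minute' => 60, 'hour' => 3600, 'day' => 86_400 }.freeze

# Convert an ActiveSupport duration literal such as "2.days" to seconds.
# Returns nil for anything that is not a simple "<n>.<unit>" expression.
def duration_seconds(expr)
  m = expr.match(/\A(\d+)\.(second|minute|hour|day)s?\z/)
  m && m[1].to_i * UNITS[m[2]]
end

# Scan initializer source and return an array of finding strings.
# Commented-out lines are skipped: Devise's generated initializer ships
# lockable and paranoid settings commented out, so they are not in effect.
def check_devise_config(source)
  settings = {}
  source.each_line do |line|
    line = line.strip
    next if line.start_with?('#')
    if (m = line.match(/\Aconfig\.(\w+)\s*=\s*(.+?)\s*(#.*)?\z/))
      settings[m[1]] = m[2]
    end
  end

  findings = []

  if (enc = settings['encryptor']) && WEAK_ENCRYPTORS.include?(enc.delete(':'))
    findings << "weak hashing algorithm: encryptor #{enc}"
  end

  # Take the last integer in the expression so that the common
  # "Rails.env.test? ? 1 : N" form yields the production cost N.
  if (st = settings['stretches']) && (cost = st[/(\d+)\s*\z/, 1]) && cost.to_i < MIN_STRETCHES
    findings << "weak hashing algorithm: bcrypt stretches #{cost} < #{MIN_STRETCHES}"
  end

  if (pl = settings['password_length']) && (min = pl[/\A(\d+)\.\./, 1]) && min.to_i < MIN_PASSWORD_LENGTH
    findings << "password length minimum #{min} < #{MIN_PASSWORD_LENGTH}"
  end

  if (rt = settings['reset_password_within']) && (secs = duration_seconds(rt)) && secs > MAX_RESET_SECONDS
    findings << "long password reset timeout: #{rt}"
  end

  # Note: lockout also requires :lockable on the model, which a config-only
  # scan cannot see; this only checks that a strategy is configured.
  unless settings['lock_strategy'] && settings['lock_strategy'] != ':none'
    findings << 'missing account lockout strategy (no config.lock_strategy)'
  end

  findings << 'missing paranoid mode (config.paranoid is not true)' unless settings['paranoid'] == 'true'
  findings
end

# Constructed sample: a weak initializer (assumed, not from any real app).
WEAK_DEVISE_CONFIG = <<~RUBY
  Devise.setup do |config|
    config.encryptor = :sha1
    config.stretches = Rails.env.test? ? 1 : 4
    config.password_length = 6..128
    config.reset_password_within = 2.days
    # config.lock_strategy = :failed_attempts
    # config.paranoid = true
  end
RUBY

# Constructed sample: the same initializer with each setting hardened.
HARDENED_DEVISE_CONFIG = <<~RUBY
  Devise.setup do |config|
    config.stretches = Rails.env.test? ? 1 : 12
    config.password_length = 12..128
    config.reset_password_within = 30.minutes
    config.lock_strategy = :failed_attempts
    config.unlock_strategy = :email
    config.maximum_attempts = 10
    config.paranoid = true
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  puts 'weak config:'
  check_devise_config(WEAK_DEVISE_CONFIG).each { |f| puts "  - #{f}" }
  puts "hardened config: #{check_devise_config(HARDENED_DEVISE_CONFIG).size} findings"
end
```

Running the script prints six findings for the weak initializer and none for the hardened one. The regex approach is deliberately simple; a real scanner parses the Ruby AST, which is how it can also see settings assigned through variables or conditionals that a line-based match would miss.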
Brakeman Pro Desktop 1.6.1 has the latest Engine and has been updated to use JRuby 22.214.171.124.
- Add new checks for Devise configuration best practices
- --exit-on-warn is now the default
- --exit-on-error is now the default
- “Plain” report output is now the default
- Add simple pager for reports output to terminal
- Remove low confidence mass assignment warnings
- Reduce warnings about XSS in raise-like early returns
- Rename “Cross Site Scripting” to “Cross-Site Scripting”
- Remove reliance on CONFIDENCE constant in checks
- Fix use of --exit-on-warn in config files
- All builds now use JRuby 126.96.36.199
Brakeman Pro is a static analysis security tool for Ruby on Rails applications.
If you have not purchased Brakeman Pro yet, you can review pricing and purchase licenses directly from our site.
Need to try before buying? Take Brakeman Pro Desktop for a spin.
Please feel free to contact us with any questions!